Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts.
“The extensions work together to steal authentication tokens, block incident response capabilities, and enable full account takeover through session hijacking,” Socket Security researcher Kush Pandya said in a Thursday report.
The names of the extensions are listed below –
- DataByCloud Access (ID: Oldhjammhkghhahdcifmmlefibciph, published: DataByCloud1104) – 251 installs
- Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf, published: databycloud1104) – 101 installs
- DataByCloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam, published: databycloud1104) – 1,000 installs
- DataByCloud 2 (ID: makdmamackifdldldlelolllkkjnoiedg, published: databycloud1104) – 1,000 installs
- Software Access (ID: bmodapcihjhklpogdpblefpepjolaoij, published: Software Access) – 27 installs
Except for Software Access, all of them had been removed from the Chrome Web Store at the time of writing. That said, they remain available on third-party software download sites like Softonic. The add-ons are advertised as productivity tools that provide access to premium tools for a variety of platforms, including Workday and NetSuite. Two of the extensions, DataByCloud 1 and DataByCloud 2, were first published on August 18, 2021.
The campaign, despite using two different publishers, is considered a coordinated operation based on similar functionality and infrastructure patterns. This specifically includes exfiltrating cookies to a remote server under the attacker’s control, manipulating the Document Object Model (DOM) tree to block security administration pages, and facilitating session hijacking through cookie injection.
Once installed, DataByCloud Access requests the cookies, management, scripting, storage, and declarativeNetRequest permissions for the Workday, NetSuite, and SuccessFactors domains. It collects authentication cookies for a specified domain and exfiltrates them to the “api.databycloud[.]com” domain every 60 seconds.
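The permission set described above is something an administrator can check for directly on managed endpoints. The following Python script is an added example written for this article, not Socket's code and not anything taken from the extensions themselves. It walks a Chrome profile's Extensions directory (the <profile>/Extensions/<id>/<version>/manifest.json layout is assumed), flags any manifest that pairs the cookies permission with host permissions on the Workday, NetSuite, SuccessFactors or workdaysuv domains, flags manifests requesting most of the permission combination listed above, and matches the five extension IDs from the report. The two sample manifests are constructed for the example.

```python
"""Audit Chrome extension manifests for the permission profile and IDs
described in the Socket report. Added example; sample manifests are
constructed, and the Extensions/<id>/<version>/manifest.json layout is assumed."""
import json
import re
from pathlib import Path

# Extension IDs as printed in the report, copied verbatim and lowercased.
KNOWN_BAD_IDS = {
    "oldhjammhkghhahdcifmmlefibciph",    # DataByCloud Access
    "ijapakghdgckgblfgjobhcfglebbkebf",  # Tool Access 11
    "mbjjeombjeklkbndcjgmfcdhfbjngcam",  # DataByCloud 1
    "makdmamackifdldldlelolllkkjnoiedg",  # DataByCloud 2
    "bmodapcihjhklpogdpblefpepjolaoij",  # Software Access
}

# Permission combination reported for DataByCloud Access.
RISKY_PERMISSIONS = {"cookies", "management", "scripting", "storage", "declarativeNetRequest"}

# HR/ERP hosts named in the report, including the Workday sandbox domain.
TARGET_HOST_RE = re.compile(r"(workday|workdaysuv|netsuite|successfactors)\.com", re.I)


def assess_manifest(ext_id, manifest):
    """Return a finding dict for one manifest; 'suspicious' is True if any rule fires."""
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    # Manifest V2 put host patterns inside "permissions"; content scripts carry "matches".
    hosts += [p for p in perms if "://" in p]
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    targets = sorted({h for h in hosts if TARGET_HOST_RE.search(h)})
    risky = sorted(perms & RISKY_PERMISSIONS)

    reasons = []
    if ext_id.lower() in KNOWN_BAD_IDS:
        reasons.append("extension ID listed in the Socket report")
    if "cookies" in perms and targets:
        # chrome.cookies only exposes cookies for hosts the extension has access to.
        reasons.append("can read cookies for HR/ERP hosts: " + ", ".join(targets))
    if len(risky) >= 4:
        reasons.append("broad permission set: " + ", ".join(risky))
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "targets": targets,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan_extensions_dir(root):
    """Assess every <id>/<version>/manifest.json under a profile's Extensions directory."""
    results = []
    for manifest_path in Path(root).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or truncated manifest: skip rather than crash the audit
        results.append(assess_manifest(ext_id, manifest))
    return results


# Constructed sample manifests (not taken from the real extensions).
SAMPLE_SUSPICIOUS = {
    "name": "HR Tools Access",
    "manifest_version": 3,
    "permissions": ["cookies", "management", "scripting", "storage", "declarativeNetRequest"],
    "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*", "*://*.successfactors.com/*"],
}
SAMPLE_BENIGN = {
    "name": "Tab Notes",
    "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": [],
}

if __name__ == "__main__":
    for ext_id, manifest in (("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", SAMPLE_SUSPICIOUS),
                             ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", SAMPLE_BENIGN)):
        print(json.dumps(assess_manifest(ext_id, manifest), indent=2))
```

Run `scan_extensions_dir()` against a copy of the profile's Extensions folder rather than the live one, and treat the "broad permission set" rule as a triage signal: legitimate privacy and developer extensions request several of these permissions, so the cookies-plus-HR/ERP-host rule and the ID match are the stronger indicators.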
“Tool Access 11 (v1.4) blocks access to 44 administrative pages within Workday by deleting page content and redirecting to malformed URLs,” Pandya said. “This extension blocks authentication management, security proxy configuration, IP range management, and session control interfaces.”
This is achieved through DOM manipulation: the extensions maintain a list of page titles and constantly monitor the current page against it. DataByCloud 2 expands the blocking to 56 pages, covering important functions such as password change, account deactivation, 2FA device management, and security audit log access. It targets both the production environment and the Workday sandbox test environment on “workdaysuv[.]com”.
DataByCloud 1, in contrast, replicates the cookie-stealing functionality of DataByCloud Access and adds measures to prevent code inspection with the browser’s developer tools, using the open-source DisableDevTools library. Both extensions encrypt their command-and-control (C2) traffic.
The most sophisticated extension of the group is Software Access, which combines cookie theft with the ability to retrieve stolen cookies from “api.software-access[.]com” and inject them directly into the browser to facilitate session hijacking. It is also equipped with password input field protection to prevent users from inspecting credential inputs.
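Both C2 domains named in the report, together with the 60-second exfiltration cadence noted earlier, are things a defender can look for in web proxy or DNS logs. The Python below is an added example written for this article, not Socket's code: it re-fangs the defanged indicators, parses a constructed proxy log whose three-column line format is assumed, flags any client that contacts the known C2 hosts, and separately flags client/host pairs contacted at a steady interval of roughly 60 seconds, which surfaces beacons to hosts not yet on the indicator list. Periodic contact alone is a lead to investigate, not a verdict.

```python
"""Flag contact with the reported C2 hosts and ~60 s beaconing in proxy logs.
Added example; the log lines and their format are constructed for illustration."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# C2 hosts from the report, kept in defanged form as published.
DEFANGED_C2_HOSTS = ["api.databycloud[.]com", "api.software-access[.]com"]


def refang(indicator):
    """Turn a defanged indicator back into a matchable hostname/URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_HOSTS = {refang(h) for h in DEFANGED_C2_HOSTS}

# Constructed proxy log: "<ISO timestamp> <client ip> <destination host>" per line.
SAMPLE_LOG = """\
2025-01-10T09:00:00 10.0.0.12 api.databycloud.com
2025-01-10T09:00:00 10.0.0.12 www.workday.com
2025-01-10T09:01:00 10.0.0.12 api.databycloud.com
2025-01-10T09:02:01 10.0.0.12 api.databycloud.com
2025-01-10T09:02:30 10.0.0.12 cdn.example.net
2025-01-10T09:03:00 10.0.0.12 api.databycloud.com
2025-01-10T09:04:00 10.0.0.12 api.databycloud.com
2025-01-10T09:00:10 10.0.0.33 tracker.unknown-host.test
2025-01-10T09:01:10 10.0.0.33 tracker.unknown-host.test
2025-01-10T09:02:09 10.0.0.33 tracker.unknown-host.test
2025-01-10T09:03:11 10.0.0.33 tracker.unknown-host.test
2025-01-10T09:04:10 10.0.0.33 tracker.unknown-host.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log text into (timestamp, client, host) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()))
    return events


def find_beacons(events, period=60, tolerance=5, min_hits=4):
    """Return findings per (client, host): known C2 contact, or steady ~period-second cadence."""
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)

    flagged = []
    for (client, host), times in by_pair.items():
        times.sort()
        if host in C2_HOSTS:
            flagged.append({"client": client, "host": host, "hits": len(times),
                            "reason": "known C2 host from the report"})
            continue
        if len(times) < min_hits:
            continue  # too few contacts to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        jitter = max(abs(g - median_gap) for g in gaps)
        # A fixed timer produces a tight cluster of gaps around the period.
        if abs(median_gap - period) <= tolerance and jitter <= tolerance:
            flagged.append({"client": client, "host": host, "hits": len(times),
                            "reason": f"periodic ~{median_gap:.0f}s contact"})
    return sorted(flagged, key=lambda f: (f["client"], f["host"]))


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

The tolerance and minimum-hit thresholds are deliberately loose; tighten them on real traffic, where legitimate software updaters and monitoring agents also poll on fixed timers and will show up under the periodicity rule.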
“The function parses the cookies from the server payload, removes existing cookies for the target domain, then iterates through the provided cookie array and injects each one using chrome.cookies.set(),” Socket said. “This establishes the victim’s authentication state directly into the threat actor’s browser session.”
One notable aspect that ties all five extensions together is that they carry a similar list of 23 security-related Chrome extensions, such as EditThisCookie, Cookie-Editor, ModHeader, Redux DevTools, and SessionBox, whose presence they monitor and flag to the threat actors.
This is likely an attempt to assess whether the web browser contains any tools that could interfere with their cookie harvesting or reveal the extension’s behavior, Socket said. The presence of the same extension ID list in all five extensions also raises two possibilities: either they are the work of the same threat actor publishing under different publisher names, or they were built from a common toolkit.
Chrome users who have installed any of the above add-ons are advised to remove them from their browser, reset their passwords, and review their accounts for signs of unauthorized access from unrecognized IP addresses or devices.
“The combination of persistent credential theft, administrative interface blocking, and session hijacking creates a scenario where security teams can detect unauthorized access but cannot remediate through normal channels,” Socket said.