Malicious Extensions: Uncovering Add-ons that Manipulate Search Behavior

An examination of how malicious extensions infiltrate organizations, bypassing network and endpoint security measures. The analysis reveals strategies used by attackers to capture and monitor user inputs, enabling adversarial groups to harbor sensitive data of users and generate illicit ad revenue.

Key Takeaways

• Keep Aware analyzes browser extensions to understand methods of infection and the behavior of malicious extensions.
• Attackers continue to use subtle, repeatable social engineering techniques to establish footholds in browsers.
• Keep Aware’s Threat Research team highlights five specific malicious browser extensions of a campaign that has captured millions of installs in the Chrome and Edge extension stores.
• Malicious browser extensions are an extensive threat — and will continue to be.
• IT and security teams need to implement management strategies for browser extensions.

Introduction

Keep Aware’s Threat Research team is looking closely into malicious extensions and how high-risk and extremely permissive extensions take hold within organizations and an employee’s workspace. While browsers continue to address user privacy concerns and attempt to prevent malicious extensions from ending up on user devices, it is far too easy for attackers to evade existing measures against browser extensions.

We have analyzed a handful of strategies that attackers use to establish a foothold in an organization and remain under the radar from existing security technology stacks. Specifically, this analysis unpacks the methods and excessive permissions an attacker uses to gain illicit ad revenue and to capture, monitor, and spy on user inputs across websites and user search activity. We determined with confidence that certain groups use this technique and repeatable campaigns to capture user search activity and generate illegitimate ad revenue.

DocToPDF, Your Docs To PDF, YourPDFBuddy… the List Goes On

We have observed patterns of malicious browser extensions that are added to everyday work browsers across client environments. This analysis focuses on extensions that inconspicuously monitor and inject results into user search activity and perform illicit ad revenue activity. These browser extensions continue to be a subtle and hidden way for attackers to gain excessive control within an organization. Many of these extensions are linked to wider campaigns with coordinated efforts across the last 3 years. Yet, Chrome, Edge, and Firefox browsers continue to silently run these types of extensions. We analyze the behaviors of these extensions and offer explanations as to how they are able to gain initial access to a device. The extensions we cover in this analysis include:

• Your Docs To PDF 
• DoctoPDF
• MyPDFMaker ads
• YourPDFBuddy ads
• QuickMail

Before delving into the details of these specific extensions, let’s first discuss the common ways malicious browser extensions are installed.

Social Engineering: Two Subtle But Effective Infection Strategies

Keep Aware first observed these types of extensions while hunting for suspicious extension manifest characteristics. The names of these extensions are indicative of their ability to ‘fly under the radar’, though the initial infection vectors are much more subtle. These extensions claim to manage simple and widely-searched functions such as ad-blocking, personal security, and in this specific campaign, document helpers.

We have observed two similar methods that malicious extensions commonly get added to a browser and each utilizes social engineering. This is a form of using human psychology to manipulate the user into performing a specific action (The specific action, in this case, is installing a malicious extension).

• Legitimate Site Compromise: An attacker has compromised and modified a legitimate site and added code that prompts a user to install a browser extension.
• Search Engine Ads: Appearing as a promoted ad in search engine results is another popular strategy for attackers to eventually get users to install browser extensions.

Because these social engineering strategies are subtle and can be incredibly effective, in the next section we walk through how an attacker uses these two strategies to dupe a user into installing a malicious extension.

Caution: Ads and Legitimate Sites in Search Results May Be Malicious

Promoted ads and compromised but legitimate search results are often the initial infection strategy across several browser-based infections. This initial infection chain consists of 3 major parts: compromised search results, redirected installation, and initial browser configuration changes. Figure 1 shows the chain of events leading to infection and the initial foothold.

Figure 1. Browser Extension Infection Chain
Using Search Engine Results as an Initial Infection Strategy

The attack scenario is as follows:

1. A user uses a search engine (e.g., Google or Bing) to search for help converting a PDF, for example.
2. The search engine provides a list of results: first, a list of promoted ads and then a list of non-ad results.
3. The user clicks on a result — either a promoted ad to an attacker’s website or a link to a legitimate but compromised site.
4. The user is then taken to the website, where the attacker injects a prompt, tricking the user to think they must download an extension before continuing to the website they are trying to navigate to. Below is an example of this type of prompt. Image 1 shows this behavior below:
   
   
5. The user clicks to install the browser extension and is then redirected to the website they were trying to navigate to.
   

Throughout our research, we have observed that, when provided a prompt like the one above, many users will, unfortunately, click the first button they see that will allow them to move past this prompt — and thus, they install unwanted or malicious browser extensions, often without realizing the potential risks.

Now that we understand common initial infection strategies, let’s delve into a handful of malicious extensions we have discovered in our environment.

Evidence of Five Malicious Extensions

During our research into browser extensions with malicious manifest characteristics, we identified five malicious browser extensions. These extensions have the following characteristics:

• They immediately receive excessive permissions, such as searchProvider, tabs, webRequest, and webRequestBlocking, all of which include the ability to inspect and alter user search activity.
• After installation, the extension either changes the default search provider of the browser or the new tab page, which is often used for the same purpose.
• While it is already highly risky to have the above type of behavior in an unauthorized application, these extensions do not stop there. They include source code that further requests permissions from the user, such as management of other extensions, cross-site cookie management, and the ability to view browsing history.
• They were downloaded from the Chrome Web Store but are no longer available there.
• They communicate with domains that are either parked, expired, and/or have a reputation for browser-hijacking activity.
• Some rely on Javascript libraries that fingerprint the user and their browser.
• Some are written in a sophisticated, repeatable manner such that the attacker continues to post multiple versions and evade the Chrome and Edge extension store review processes (and even track the success of particular IDs).

Listed below is each extension’s ID, name, description (verbatim from its manifest file), permissions it requests, and some of the initial reasons — or, indicators — our Threat Research team has deemed these extensions malicious.

Extension ID	Extension Name	Extension’s Description	Extension’s Permissions	Some Indicators That This Extension Is Malicious
nofdiclilfkicekdajkiaieafeciemlh	Your Docs To PDF	This extension Allows quick conversion for any file to PDF from the task bar icon	contextMenus, cookies, searchProvider, tabs, webRequest, webRequestBlocking	Requests more permissions than it needs. Has the Chrome Web Store as its update URL; however, it’s no longer available on the Chrome Web Store. Is associated with a domain that has a reputation for communicating with browser hijacking extensions (apiprxy[.]com). Is associated with other domains that are expired(pdfsrch[.]com, yourdocstopdf[.]com).
enfbmnncnngbaecdlhpocnpljepkiamg	DoctoPDF	This extension Allows quick conversion for any file to PDF from the task bar icon	contextMenus, cookies, management, searchProvider, tabs, webRequest, webRequestBlocking	Requests more permissions than it needs. Has the Chrome Web Store as its update URL; however, it’s no longer available on the Chrome Web Store. Is associated with a domain that has a reputation for communicating with browser hijacking extensions (apiprxy[.]com). Is associated with other domains that are expired (pdfsrch[.]com, yourdocstopdf[.]com).
apmgdjoiehbkhjeoniidijnbnlfpckli	QuickMail	Quickmail allows you to quickly login into you favorite email account	contextMenus, cookies, searchProvider, tabs, webRequest, webRequestBlocking	Requests more permissions than it needs. Has the Chrome Web Store as its update URL; however, it’s no longer available on the Chrome Web Store. Is associated with a domain that has a reputation for malicious search engines and for communicating with browser hijacking extensions (srchbar[.]com). Is associated with a parked domain (goquickmails[.]com).
hjjeibdncmbpjkopapkkdnibcnomohic	MyPDFMaker ads	Promotions by MyPDFMaker ads	activeTab, cookies, idle, storage, tabs, webNavigation, webRequest, webRequestBlocking	Requests more permissions than it needs. Requests access to any and all http:// and https:// sites the user visits. Has the Chrome Web Store as its update URL; however, it’s no longer available on the Chrome Web Store. Is associated with a parked domain (alltexts[.].com). Its home page’s domain registration is expired (mypdfmaker[.]com).
bghlilncekcbdnpjijgmoophmglakfhh	YourPDFBuddy ads	Promotions by YourPDFBuddy ads	cookies, idle, storage, tabs, webRequest	Requests more permissions than it needs. Requests access to any and all http:// and https:// sites the user visits. Has the Chrome Web Store as its update URL; however, it’s no longer available on the Chrome Web Store. Is associated with a parked domain (alltexts[.].com). Its home page’s domain registration is expired. (yourpdfbuddy[.]com)

Even though explaining browser permissions is outside the scope of this article, the above findings underline the importance of managing browser extensions — of reviewing them and their permissions. Why does a ‘PDF converting’ extension need permission to change your browser’s search engine provider (permission: searchProvider) and to manage your other browser extensions (permission: management)? Short answer: It doesn’t. Why should your IT security teams allow browser extensions that communicate with parked or expired domains, let alone domains that are notorious for browser hijacking activity? They shouldn’t!

Though we have deemed these browser extensions as malicious, we also have evidence that suggests they are part of a campaign.

Ties to a Larger Malicious Extension Campaign

In addition to surface-level similarities to each other, these extensions appear to be related to a larger campaign of malicious extensions tied to the domain registrar named CommuniGal Communication Ltd.

The first pair of extensions (Your Docs To PDF; DoctoPDF) listed in the above table have the exact same description (including the incorrect capitalization of “Allows”) and both list the exact same three suspicious domains (apiprxy[.]com, pdfsrch[.]com, yourdocstopdf[.]com) in their manifest files. These two extensions have domains linked to a registrar, CommuniGal Communication Ltd., that has a reputation for registering domains for a slew of malicious browser extensions.

The next extension (QuickMail), upon first glance, doesn’t appear to be related to any other extension listed. However, one of the domains it communicates with (srchbar[.]com) has also been reported as a malicious domain part of the CommuniGal registrar’s malicious extension campaigns.

The last pair of extensions listed (MyPDFMaker ads; YourPDFBuddy ads) are also related to each other: they have similarly structured names, have the same structure for their descriptions (“Promotions by <extension name> ads”), and list the same suspicious domain (alltexts[.].com) in their manifest files. While we do not possess conclusive evidence linking these two browser extensions to the same malicious campaign as the other three, their shared behavior — a ‘PDF’-related extension, with a poor reputation, displaying unauthorized advertisements and requesting excessive and intrusive permissions — raises significant red flags. In the realm of IT security, it’s prudent to question the legitimacy of any extension explicitly advertising its purpose as serving ads/promotions; discerning users would be unlikely to knowingly incorporate such tools into their browsing experience.

The Massive Scale of Malicious Browser Extensions

We have discussed five malicious browser extensions identified in across our environments, but below are a couple more examples that highlight that the scale of this threat is far more expansive and pervasive.

Briefly touched upon in the previous section, a domain registrar, CommuniGal Communication Ltd., has been clearly linked to malicious browser extension campaigns, which appear to be easily repeatable because several versions of its extensions, with a similar malicious codebase, have been successfully published to the Chrome Web Store. In fact, Awake Security’s report on CommuniGal’s malicious browser extension campaign reports that, in 2020, 111 malicious browser extensions accounted for over 32 million downloads from the Chrome Web Store alone— and mentions that there were many more downloads of malicious extensions through means that bypassed the browsers’ web store. Some of these malicious extensions identified in articles by Innovate Cybersecurity and Awake Security still remain on the web store, ready to be downloaded and installed at the click of a button.

In addition to this domain registrar’s malicious behavior, a cybersecurity researcher, Wladimir Palant, recently published two research articles describing not just the malicious behaviors of many seemingly-benign extensions but highlighting just how pervasive these threats are:

• Over 2 million downloads from the Chrome Web Store for “PDF Toolbox”, an extension disguised as a legitimate extension API wrapper but with additional, non-advertised capabilities, according to Palant’s article.
• 19 other malicious Chrome extensions, each with over 2 million active users at the time Palant’s article was written (That’s a combined 38+ million infections with merely 19 extensions! And more extensions were listed in the article.)

Though this article mentions only a subset of malicious browser extensions, there are plenty more malicious extensions available in browsers’ web stores and elsewhere online — and you can expect new ones to keep coming.

Best Practice: Frequently Review Browser Extensions

Browser extensions are often left unscrutinized by IT and security teams. Ensuring users have benign and secure browser extensions is a function traditionally left for the browsers to manage; however, we have illustrated that, in our environment and in the broader browsing base, malicious extensions continue to bypass browsers’ web store checks and can remain installed on users’ browsers even after they had been removed from the browser web store. We should no longer allow browsers to be the first and last line of defense for keeping users safe from malicious browser extensions.

To provide a more robust and holistic cybersecurity posture, we recommend that IT and security teams proactively manage extensions in their organization. To search for potentially malicious browser extensions, we recommend performing a periodic review of extensions installed in your organization and investigating any that have malicious indicators, such as:

1. Manifest File Characteristics:
   1. Its update URL is not from the browser’s web store
   2. It’s no longer available on the browser’s web store
   3. It’s requesting more permissions than it likely needs
   4. Its homepage URL is no longer valid (if its homepage URL is not the browser’s web store)
   5. Its description is vague or filled with grammatical errors
2. Behavior:
   1. It communicates with sites/domains of poor reputation 
   2. It hijacks the browser (e.g., redirects traffic)
   3. It serves intrusive or unwanted ads
   4. It has any other unexpected and/or intrusive behaviors
3. Updates:
   1. It obtains its updates from a location other than the browser’s web store. (Malicious extensions could have their update URL as a site that’s not the browser’s app store; this allows the extension to update its code with code that hasn’t been approved by the browser’s app store.)
4. Poor/Non-Existent Reputation:
   1. It has poor or non-existent user reviews
   2. The extension’s author has a poor or non-existent reputation
5. How It Was Installed:
   • Its install type is “admin” (which means it was force-installed) but wasn’t installed by your company’s IT or Security team
   • It was installed because the user was prompted to by a popup/notification
   • It was installed without the user knowing about it

Conclusion

Browser extensions pose a significant and ongoing threat to cybersecurity. Through subtle and effective social engineering techniques, attackers have been infecting browsers. And, because attackers know that browser extensions are still often overlooked by IT and security teams, expect more malicious extensions to continue to appear in the browser extension landscape. We encourage IT and security teams to employ a browser extension management strategy, which should include a periodic review of installed extensions, to keep this threat at bay in your organization.

Authors:

Appendix: IOCs

Extensions

Extension ID	Extension Name
nofdiclilfkicekdajkiaieafeciemlh	Your Docs To PDF
enfbmnncnngbaecdlhpocnpljepkiamg	DoctoPDF
apmgdjoiehbkhjeoniidijnbnlfpckli	QuickMail
hjjeibdncmbpjkopapkkdnibcnomohic	MyPDFMaker ads
bghlilncekcbdnpjijgmoophmglakfhh	YourPDFBuddy ads

Domains

Domains
apiprxy[.]com
goquickmails[.]com
mypdfmaker[.]com
pdfsrch[.]com
srchbar[.]com
yourdocstopdf[.]com
yourpdfbuddy[.]com