Malware toolkit guarantees store approval for Chrome extensions


"Stanley" malwarekit-as-a-service costs up to US$6000.

A suspected Russian malware-as-a-service operation has been selling a turnkey website-spoofing toolkit that promised to bypass Google's Chrome Web Store security review, charging up to US$6000, security vendor Varonis said.

Named Stanley after its seller's forum alias, the toolkit provides everything needed to run phishing operations through malicious browser extensions that appear legitimate to both Google Store code reviewers and victims.

The operators guarantee that the top-tier variant of Stanley will get malicious browser extensions published in the Chrome Web Store.

One such Chrome extension, Notely, masquerading as a note-taking and bookmarking tool, was published as a proof-of-concept, Varonis said; it has now been removed from the Chrome Web Store.

A demo video shows the operation targeting Binance and Coinbase.

Technically, malicious extensions created with Stanley use iframe overlays to place the attacker's phishing page on top of the legitimate site.

This keeps the link to the legitimate site intact in the browser's navigation bar, while serving up phishing content.

The interface allows attackers to configure URL hijacking rules specific to individual users and activate them on demand.

It also provides customisation options and a command-and-control panel with victim data.

Beyond passive hijacking, operators can push Chrome notifications to lure users toward targeted phishing pages.

Varonis said that the code Stanley produces "has some rough edges" with comments in Russian, inconsistent error handling and empty catch blocks and added that the high sales price was justified by the extensions passing the Chrome Web Store code review.

Stanley was marketed in Russian-language cybercrime forums, the Varonis security researchers said.

Varonis said the Stanley operators have gone dark since the publicity around the MaaS kit, but added that this is no guarantee that it won't reappear under a different name or remain available for sale privately.

The security vendor said the ability to pass Chrome Web Store reviews means the standard advice of only installing from official sources, and looking for "verified" badges, may be insufficient.

As a defence, enterprise administrators should consider blocking all Chrome and Microsoft Edge extensions apart from those explicitly allowed.

Consumers, meanwhile, are advised to periodically audit installed browser extensions and remove those not actively used.

People should also be suspicious of extensions that require access to all websites and browsing history, Varonis said.
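One way to act on that advice, as an added example that is not part of the article or of Varonis' research: a small audit script that reads each installed extension's manifest.json (Chrome and Edge both lay out profiles as Extensions/<id>/<version>/manifest.json) and flags extensions that request every website or browsing-activity APIs. The permission lists and the two sample manifests are constructed for the example.

```python
"""Audit installed Chrome/Edge extensions for over-broad permissions.

Added example (not the article's or Varonis' code). It reads each
extension's manifest.json and flags the traits the advice above warns
about: access to all websites and access to browsing history/activity.
"""
import json
from pathlib import Path

# Host patterns that grant access to every site (Manifest V2 and V3 spellings).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions exposing browsing activity, or letting pages be altered/notified.
SENSITIVE_APIS = {"history", "tabs", "webNavigation", "notifications", "scripting"}


def requested_hosts(manifest: dict) -> set:
    """Collect host patterns from permissions, host_permissions and content scripts."""
    hosts = set()
    for key in ("permissions", "host_permissions"):
        hosts.update(p for p in manifest.get(key, []) if "/" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def audit_manifest(manifest: dict) -> list:
    """Return the reasons an extension deserves a closer look (empty list = none)."""
    findings = []
    if requested_hosts(manifest) & ALL_SITES:
        findings.append("runs on all websites")
    apis = set(manifest.get("permissions", [])) & SENSITIVE_APIS
    if apis:
        findings.append("sensitive APIs: " + ", ".join(sorted(apis)))
    return findings


def audit_profile(extensions_dir: Path) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one."""
    report = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name  # the 32-char extension id
        report[ext_id] = audit_manifest(json.loads(manifest_path.read_text("utf-8")))
    return report


# Constructed sample manifests: a narrow tool and an over-privileged "note-taker".
NARROW = {"name": "Calc", "permissions": ["storage"],
          "host_permissions": ["https://example.com/*"]}
BROAD = {"name": "Notes", "permissions": ["tabs", "history", "notifications"],
         "host_permissions": ["<all_urls>"],
         "content_scripts": [{"matches": ["*://*/*"], "js": ["overlay.js"]}]}

if __name__ == "__main__":
    for m in (NARROW, BROAD):
        print(m["name"], audit_manifest(m) or ["no findings"])
```

Point audit_profile at a real profile's Extensions directory (for example ~/.config/google-chrome/Default/Extensions on Linux) to get a per-extension report; a finding is a prompt to review, not proof of malice.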

Browser extensions have lately been subverted by threat actors for malicious purposes.

Earlier this month, security vendor Huntress analysed a malicious browser extension that impersonated the uBlock Origin Lite ad blocker.

Called "CrashFix" by Huntress, the extension intentionally crashes web browsers and tricks users into running malicious commands, including installing a remote access tool (RAT) on domain-joined computers.

Copyright © iTnews.com.au . All rights reserved.