A cybersecurity researcher has discovered a malicious Google Chrome extension in the wild that abuses the Chrome sync feature and can help hackers steal user data.
Threat actors have discovered they can abuse the Google Chrome sync feature to send commands to infected browsers and steal data from infected systems, bypassing traditional firewalls and other network defenses.

Bojan Zdrnja, a Croatian security researcher, said on Thursday that during a recent incident response, he discovered a malicious Chrome extension abusing the Chrome sync feature both to communicate with a remote command and control (C&C) server and to exfiltrate data from infected browsers.

According to Zdrnja, the goal was to use the extension to "manipulate data in an internal web application that the victim had access to."
"While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries," Zdrnja said in the report.
"Now, malicious extensions are nothing new — there was a lot of analysis about such extensions and Google regularly removes dozens of them from Chrome Web Store, which is the place to go to in order to download extensions," the security researcher mentioned.