Concise Cyber


ShadyPanda APT Group Infects 4.3 Million Chrome and Edge Users in Seven-Year Campaign

A long-running cyber-espionage campaign run by the Chinese advanced persistent threat (APT) group known as ShadyPanda infected the browsers of 4.3 million Google Chrome and Microsoft Edge users. The campaign, which ran for at least seven years, was uncovered and documented in a report by cybersecurity firm Guardio Labs.

The threat actor distributed malicious browser extensions through the official Chrome Web Store and the Microsoft Edge Add-ons marketplace. The extensions passed both stores' initial security review, which gave the group an official, trusted distribution channel and is what allowed the campaign to reach so many users.

Campaign Mechanics and Malicious Activity

The campaign, dubbed "Dormant Colors" by researchers, used extensions with generic names such as "Action Colors," "Power Colors," "Super Colors," and "Mix Colors." As published, the add-ons behaved as simple color customization tools. The malicious code was not in the reviewed package: it was fetched from a Command-and-Control (C2) server after installation and only then activated, a pattern that lets an extension pass store review because the submitted code contains nothing obviously malicious.

Once activated, the extensions carried out several malicious activities. The two primary ones were affiliate link hijacking, in which the extension rewrote links on the pages a user visited so that traffic and purchases were credited to the attacker's affiliate accounts, and credential theft from websites the infected user logged into.
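To make the affiliate-hijacking behaviour concrete, the following is an added example written for this summary; it is not code from the Guardio report, the article, or the extensions themselves. It simulates, in Node without a browser, what a content script doing affiliate link hijacking does to a page's links, and a DOM-integrity check that detects it by comparing the links the server sent against the links the live page ends up with. The retailer/parameter table (only Amazon's "tag" parameter is modelled), the sample links and the attacker tag are all constructed for the example.

```javascript
// Added example: affiliate link hijacking by an extension content script, and a
// detection check. Not from the report or the article; all data is constructed.

// Which query parameter carries the affiliate identity on a given retailer.
// Assumption for this example: only Amazon's Associates "tag" parameter is modelled.
const AFFILIATE_PARAMS = {
  "amazon.com": "tag",
  "www.amazon.com": "tag",
};

// What the malicious content script does: walk every outbound link on the page
// and replace (or insert) the affiliate parameter with the attacker's own tag.
// In a real extension the input would be Array.from(document.links, a => a.href).
// "attackerTag" is a placeholder, not a value observed in the campaign.
function hijackAffiliateLinks(hrefs, attackerTag) {
  return hrefs.map((href) => {
    let url;
    try {
      url = new URL(href);
    } catch {
      return href; // relative or malformed hrefs are left untouched
    }
    const param = AFFILIATE_PARAMS[url.hostname];
    if (!param) return href; // not a retailer we model; leave the link alone
    url.searchParams.set(param, attackerTag);
    return url.toString();
  });
}

// Detection: compare the links the server sent (fetched out-of-band, with no
// extensions running) against the links present in the live DOM, position by
// position. Any link whose affiliate parameter changed, or which gained one,
// is reported with the before/after values.
function findHijackedLinks(servedHrefs, liveHrefs) {
  const findings = [];
  for (let i = 0; i < servedHrefs.length; i++) {
    let served;
    let live;
    try {
      served = new URL(servedHrefs[i]);
      live = new URL(liveHrefs[i]);
    } catch {
      continue; // unparsable on either side; nothing to compare
    }
    const param = AFFILIATE_PARAMS[served.hostname];
    if (!param) continue;
    const before = served.searchParams.get(param); // null when absent
    const after = live.searchParams.get(param);
    if (before !== after) {
      findings.push({ index: i, hostname: served.hostname, param, before, after });
    }
  }
  return findings;
}

// Constructed sample page: one link with a legitimate publisher tag, one retail
// link with no tag at all, and one non-retail link that must be left alone.
const SERVED_LINKS = [
  "https://www.amazon.com/dp/B000000000?tag=publisher-20",
  "https://www.amazon.com/s?k=usb+cable",
  "https://example.org/about",
];

// Runs the hijack over the sample page, then the detector over the result.
function runDemo() {
  const live = hijackAffiliateLinks(SERVED_LINKS, "attacker-tag-21");
  const findings = findHijackedLinks(SERVED_LINKS, live);
  return { live, findings };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The check only works if the reference copy of the page is obtained without the extension in the loop (a separate fetch, a clean browser profile, or a headless instance with extensions disabled); comparing the live DOM against itself reports nothing, which is exactly the blind spot a dormant extension relies on.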

Attribution and Takedown

Guardio Labs attributed the campaign to the ShadyPanda APT group, which is also tracked under the name Bronze Atlas. The attribution rests on overlaps in techniques and infrastructure between this campaign and earlier operations linked to the group. ShadyPanda's past activity includes campaigns targeting Tibetan activists.

Following the discovery and reporting of the malicious extensions, they were removed from both the Google Chrome Web Store and the Microsoft Edge Add-ons store, which stops new installations from those official sources. Removal from a store does not by itself remove copies that are already installed, so users and administrators should still review the extensions installed in their browsers (chrome://extensions and edge://extensions) and remove any of the named add-ons they find.

Source: https://www.infosecurity-magazine.com/news/shadypanda-infects-43m-chrome-edge/