“Dormant Colors” malvertising campaign hijacked browsers of 1M users

Malicious extensions are used to insert affiliate links and hijack searches

Image caption: the extensions are meant to allow users to choose different color options while browsing the web.

Researchers at Guardio[1] have released a report detailing a malvertising campaign built around browser extensions with more than 1 million combined downloads. According to their findings, more than 30 of the extensions were still listed on the Chrome Web Store and the Microsoft Edge Add-ons store as of mid-October 2022, and the campaign had already been running for some time before that.

The extensions were advertised as a way to customize the colors of web pages, a plausible enough purpose that many people installed them over the life of the campaign. They were pushed through malvertising: fake video and download pages that demand the extension be installed before the visitor can continue. Once installed, an extension hijacks the user's searches and appends affiliate links to the web pages they visit.

Google has since removed the malicious extensions from its store, but because the extension packages themselves contain no malicious code (the malicious logic is side-loaded only after installation, which is how the listings passed store review), the people behind the campaign can easily repeat it with new listings. Guardio named the campaign “Dormant Colors”: every extension carries “Colors” in its name, and the malicious functionality lies dormant until it is fetched after installation.

Malvertising is once again used to push malicious apps

Malicious landing pages are common on the web and usually turn up after clicking a link or an ad on a less reputable site. The campaign starts when a user is redirected to one of these pages, which claims to offer a file for download or a video to watch. Other pretexts are used as well, for example telling the visitor that an extension or program they already have installed needs to be updated.

The visitor is then told that an extension must be installed to continue, and a new browser window opens on the listing page of one of the extensions in the Chrome or Edge store. The extensions follow a simple naming pattern, typically combining the word “Colors” with “Super,” “Change,” “Style,” and similar words. Examples include Background Colors, Mix Colors,[2] Colors Mode, Style Flex, and others.

The stealthy operation

After installation, most users would probably not notice any change to their browsing. What the extension does in the background is, however, far from benign. Immediately after installation the browser is redirected to a “Thank you for installation” page, and that is precisely where the malicious routine begins.

Loading this page is how the extension receives its instructions: a malicious script[3] on the page tells it how to hijack users' searches and which websites to insert affiliate links into. Guardio found more than 10,000 websites on the list used for the latter. They described the process as follows:[1]

The first one dynamically creates elements on the page while trying desperately to obfuscate the javascript API calls. Both of those HTML elements (colorstylecsse and colorrgbstylesre) include content (InnerText) that for the first is a ‘#’ separated list of strings and regexes and the last is a comma-separated list of 10k+ domains (!!!). To finish it up, it also assigns a new URL to the location object so you are redirected to the advertisement (https://nkingwithea[.]com/?tid=956865&subid=typage) that finalizes this flow as if it was just another advertisement popup.

In the hijacked browser, searches are routed through affiliate sites and pages on the listed domains have affiliate links injected into them. This lets the operators monetize both the purchases users make through those links and the ads that are shown or clicked.
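To make the mechanism above concrete, here is an added example (not code from Guardio, 2-Spyware or the extension authors) that parses the configuration a dormant extension picks up from the “Thank you for installation” page and decides what it would do with a given URL. The element names colorstylecsse and colorrgbstylesre, the ‘#’-separated rule list and the comma-separated domain list come from the Guardio description quoted above; treating the names as either custom tag names or id attributes, the “/body/flags” convention for regex entries, the split between search hijacking (rules) and affiliate injection (domains), and the sample page are assumptions made for illustration.

```javascript
// Constructed sample page (not a real capture): a '#'-separated rule list and
// a comma-separated domain list hidden in two elements, as the report describes.
const SAMPLE_THANK_YOU_PAGE = `
<html><body>
<h1>Thank you for installing Super Colors!</h1>
<colorstylecsse style="display:none">search?q=#/[?&]q=[^&]+/i#checkout</colorstylecsse>
<div id="colorrgbstylesre" style="display:none">shop.example, deals.example.net,store.example.org</div>
</body></html>`;

// Return the text content of the element named `name`, matched either as a
// custom tag <name>...</name> or as any tag carrying id="name" (assumption:
// the report does not say which form the extension uses).
function extractElementText(html, name) {
  const byTag = new RegExp(`<${name}\\b[^>]*>([\\s\\S]*?)</${name}>`, 'i');
  const byId = new RegExp(`<([a-z0-9]+)\\b[^>]*\\bid=["']${name}["'][^>]*>([\\s\\S]*?)</\\1>`, 'i');
  let m = html.match(byTag);
  if (m) return m[1].trim();
  m = html.match(byId);
  return m ? m[2].trim() : null;
}

// '#'-separated entries; "/body/flags" entries become regexes (assumed
// convention), anything else is a plain substring match.
function parseRules(text) {
  return text.split('#').map((s) => s.trim()).filter(Boolean).map((s) => {
    const m = s.match(/^\/(.+)\/([a-z]*)$/);
    if (m) {
      const re = new RegExp(m[1], m[2]);
      return { kind: 'regex', source: m[1], test: (url) => re.test(url) };
    }
    return { kind: 'string', source: s, test: (url) => url.includes(s) };
  });
}

// Comma-separated domain list, normalised to lower case.
function parseDomains(text) {
  return text.split(',').map((d) => d.trim().toLowerCase()).filter(Boolean);
}

// True when the URL's host is one of the listed domains or a subdomain of one.
function isTargetedHost(url, domains) {
  const host = new URL(url).hostname.toLowerCase();
  return domains.some((d) => host === d || host.endsWith('.' + d));
}

// Pull both lists out of the page. Returns null when the page carries no
// configuration, i.e. the installed extension has nothing to act on and
// stays dormant; the extension package itself never contains these lists.
function loadConfig(html) {
  const rulesText = extractElementText(html, 'colorstylecsse');
  const domainsText = extractElementText(html, 'colorrgbstylesre');
  if (rulesText === null || domainsText === null) return null;
  return { rules: parseRules(rulesText), domains: parseDomains(domainsText) };
}

// Decide what the armed extension would do with a URL: the rule list is
// applied to the full URL (search hijack), the domain list to the host
// (affiliate link injection). This split follows the article's description,
// not a verified reading of the extension's code.
function classifyUrl(url, config) {
  const matchedRules = config.rules.filter((r) => r.test(url)).map((r) => r.source);
  return {
    searchHijack: matchedRules.length > 0,
    affiliateInjection: isTargetedHost(url, config.domains),
    matchedRules,
  };
}

// Stand-alone run over the constructed page.
const config = loadConfig(SAMPLE_THANK_YOU_PAGE);
for (const u of ['https://www.example-search.test/search?q=laptop+deals', 'https://www.shop.example/cart']) {
  console.log(u, JSON.stringify(classifyUrl(u, config)));
}
```

An analyst who has captured the “thank you” page served to a suspect extension can feed its HTML to loadConfig to recover the full rule and domain lists for blocking or reporting, and can run classifyUrl over a proxy log to see which visited URLs the extension would have acted on. The null return from loadConfig is the point of the “dormant” design: with no page to read, there is nothing in the extension for a store reviewer to flag.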

Could be used for spear phishing campaigns

It is surprising how these malicious extensions made it into major stores and spread around the world, although a bit of creativity and some review-bypass tricks make the criminals' job easier. Looking at the code, the researchers noted that the extensions do contain a lot of genuine color-changing functionality. Looking deeper, however, the campaign turned out to be very large and potentially quite damaging for those affected.

Security researchers at Guardio described the extensions as far more than a simple search/browser hijacker, concluding:

It includes stealth modules for code updating and telemetry collection, as well as a backbone of servers harvesting data from millions of users, classifying potential targets, and being able to target specific users with many kinds of social engineering attack vectors that can quickly steal credentials and put people and even big organizations out of business!

Affiliate links generated in the background do not directly harm users, but the same side-loading machinery can be used for spear phishing attacks,[4] which directly threaten users' personal safety and computer security. Those affected could then have their credentials stolen for services such as Microsoft 365, social media platforms, or even banking websites. So far no such activity by the campaign operators has been observed, but it could be enabled simply by changing the code that is side-loaded after the initial extension is installed.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
