Cybersecurity researchers have uncovered five new malicious Google Chrome extensions posing as human resources (HR) and enterprise resource planning (ERP) platform add-ons for Workday, NetSuite, SuccessFactors and similar products, built to compromise victim accounts.
According to a report by Socket security researcher Kush Pandya, these extensions collaborate to steal authentication tokens, impede incident response capabilities, and enable complete account takeover through session hijacking.
The names of these extensions are as follows:
- DataByCloud Access (ID: oldhjammhkghhahhhdcifmmlefibciph, Published by: databycloud1104) – 251 Installs
- Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf, Published by: databycloud1104) – 101 Installs
- DataByCloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam, Published by: databycloud1104) – 1,000 Installs
- DataByCloud 2 (ID: makdmacamkifdldldlelollkkjnoiedg, Published by: databycloud1104) – 1,000 Installs
- Software Access (ID: bmodapcihjhklpogdpblefpepjolaoij, Published by: Software Access) – 27 Installs
Although most of these extensions have been removed from the Chrome Web Store, they are still accessible on third-party software download websites like Softonic. These add-ons are promoted as productivity tools offering premium features for various platforms such as Workday, NetSuite, and others. Notably, DataByCloud 1 and DataByCloud 2 were initially released on August 18, 2021.
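Because the page gives the exact extension IDs, a defender can check endpoints directly rather than relying on display names, which the publishers can change. The following script is an added example, not code from the report or from Socket: it walks Chrome's standard profile locations, matches the `Extensions/<id>` directory names against the five IDs listed above, and reports the versions found. The profile paths are Chrome's documented defaults; the sample profile that `demo()` builds in a temporary directory is constructed here for illustration.

```python
"""Check Chrome profiles for the five extension IDs named in the Socket report.

Added example: the extension IDs and names are taken from the page, the profile
paths are Chrome's standard user-data locations, and the profile built by demo()
is a constructed fixture, not data from a real machine.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Extension IDs and display names exactly as listed in the report.
FLAGGED_IDS = {
    "oldhjammhkghhahhhdcifmmlefibciph": "DataByCloud Access",
    "ijapakghdgckgblfgjobhcfglebbkebf": "Tool Access 11",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam": "DataByCloud 1",
    "makdmacamkifdldldlelollkkjnoiedg": "DataByCloud 2",
    "bmodapcihjhklpogdpblefpepjolaoij": "Software Access",
}


def default_profile_dirs() -> list:
    """Return Chrome's 'Default' and 'Profile N' directories under the standard user-data path."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = Path.home() / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = Path.home() / ".config" / "google-chrome"
    if not base.is_dir():
        return []
    return [p for p in base.iterdir()
            if p.is_dir() and (p.name == "Default" or p.name.startswith("Profile "))]


def find_flagged_extensions(profile_dir) -> list:
    """Return one record per installed extension whose directory name is a flagged ID.

    Chrome unpacks each extension to <profile>/Extensions/<id>/<version>/manifest.json,
    so the directory name is the authoritative ID regardless of the display name.
    """
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(ext_root.iterdir()):
        ext_id = ext_dir.name
        if ext_id not in FLAGGED_IDS:
            continue
        versions = sorted(p.name for p in ext_dir.iterdir() if p.is_dir())
        manifest_name = None
        for version in versions:
            manifest = ext_dir / version / "manifest.json"
            if manifest.is_file():
                try:
                    manifest_name = json.loads(manifest.read_text(encoding="utf-8")).get("name")
                except (OSError, ValueError):
                    manifest_name = None  # unreadable manifest; the ID match still stands
        findings.append({
            "id": ext_id,
            "reported_name": FLAGGED_IDS[ext_id],
            "manifest_name": manifest_name,
            "versions": versions,
            "path": str(ext_dir),
        })
    return findings


def _write_manifest(profile: Path, ext_id: str, version: str, name: str) -> None:
    """Create a minimal unpacked-extension layout (constructed fixture for demo())."""
    d = profile / "Extensions" / ext_id / version
    d.mkdir(parents=True, exist_ok=True)
    d.joinpath("manifest.json").write_text(
        json.dumps({"name": name, "version": version, "manifest_version": 3}), encoding="utf-8")


def demo() -> list:
    """Scan a constructed profile holding one benign extension and one flagged one (Tool Access 11 v1.4)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "Default"
        _write_manifest(profile, "a" * 32, "2.0.1", "Constructed benign extension")
        _write_manifest(profile, "ijapakghdgckgblfgjobhcfglebbkebf", "1.4", "Tool Access 11")
        return find_flagged_extensions(profile)


if __name__ == "__main__":
    for profile in default_profile_dirs():
        for f in find_flagged_extensions(profile):
            print(f"FLAGGED {f['id']} ({f['reported_name']}) versions={f['versions']} at {f['path']}")
    print("constructed-profile demo:", demo())
```

Matching on the ID directory rather than on the manifest name matters here because the report shows the same publisher shipping near-identical code under several names; a hit on any of the five IDs should trigger the remediation the report recommends (remove the extension, rotate the account's credentials and review recent sessions).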
Although the extensions are listed under different publisher accounts, the campaign is believed to be a coordinated effort because they share functionality and infrastructure. The operation involves exfiltrating cookies to a remote server controlled by the attackers, manipulating the Document Object Model (DOM) tree to block security pages, and facilitating session hijacking through cookie injection.
Upon installation, DataByCloud Access requests permissions for cookies, management, scripting, storage, and declarativeNetRequest across relevant domains. It also gathers authentication cookies for a specified domain and sends them to “api.databycloud[.]com” every minute.
“Tool Access 11 (v1.4) obstructs access to 44 administrative pages in Workday by wiping page content and redirecting to malformed URLs,” Pandya elaborated. “This extension restricts authentication management, security proxy configuration, IP range management, and session control interfaces.”
DataByCloud 2 broadens the blocking feature to 56 pages, including critical functions like password updates, account deactivation, 2FA device management, and security audit log access. It targets both production environments and Workday’s sandbox testing environment at “workdaysuv[.]com.”
DataByCloud 1, for its part, mirrors the cookie-stealing capability of DataByCloud Access and adds anti-inspection measures based on the DisableDevtool library. Both extensions encrypt their command-and-control (C2) traffic.
The most sophisticated extension, Software Access, combines cookie theft with the ability to receive stolen cookies from “api.software-access[.]com” and inject them into the browser for direct session hijacking. It also includes password input field protection to prevent users from examining credentials.
“The function retrieves cookies from the server payload, eliminates existing cookies for the target domain, and injects each one using chrome.cookies.set(),” Socket explained. “This injects the victim’s authentication status directly into the threat actor’s browser session.”
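The one-minute exfiltration cadence described for DataByCloud Access, and the second C2 host named for Software Access, give network defenders something concrete to hunt for. The script below is an added example, not code from the report or from Socket: it parses a simple proxy log, groups requests to the two C2 hosts by client, and flags pairs whose inter-request gap stays near 60 seconds. The log format and the log lines in `SAMPLE_LOG` are constructed for illustration; the host names are the page's de-fanged domains with the brackets removed.

```python
"""Flag hosts that beacon at a fixed period to the C2 domains named in the report.

Added example. The domains and the one-minute cadence come from the page; the log
format, client addresses and timestamps below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# C2 hosts named in the Socket report (shown de-fanged on the page).
C2_HOSTS = {"api.databycloud.com", "api.software-access.com"}

# Constructed proxy log: "<ISO-8601 timestamp> <client_ip> <host>"
SAMPLE_LOG = """\
2024-05-01T09:00:02Z 10.20.30.40 api.databycloud.com
2024-05-01T09:00:05Z 10.20.30.40 hr-portal.example.com
2024-05-01T09:01:02Z 10.20.30.40 api.databycloud.com
2024-05-01T09:01:40Z 10.20.30.41 api.databycloud.com
2024-05-01T09:02:03Z 10.20.30.40 api.databycloud.com
2024-05-01T09:03:01Z 10.20.30.40 api.databycloud.com
2024-05-01T09:03:20Z 10.20.30.41 www.example.com
2024-05-01T09:04:02Z 10.20.30.40 api.databycloud.com
2024-05-01T09:10:00Z 10.20.30.42 api.software-access.com
2024-05-01T09:11:00Z 10.20.30.42 api.software-access.com
2024-05-01T09:12:00Z 10.20.30.42 api.software-access.com
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, client, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()[:3]
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), client, host.lower()))
    return events


def find_c2_beacons(events, hosts=C2_HOSTS, period_s=60, tolerance_s=5, min_hits=3) -> list:
    """Return one record per (client, host) pair that contacted a listed C2 host.

    Any contact with a listed host is an IoC hit on its own; the periodicity flag
    separates the extension's timer-driven exfiltration (every minute for
    DataByCloud Access) from a single stray lookup, which helps prioritise triage.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        if host in hosts:
            by_pair[(client, host)].append(ts)
    results = []
    for (client, host), stamps in sorted(by_pair.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = len(stamps) >= min_hits and all(abs(g - period_s) <= tolerance_s for g in gaps)
        results.append({
            "client": client,
            "host": host,
            "contacts": len(stamps),
            "median_gap_s": median(gaps) if gaps else None,
            "periodic_beacon": periodic,
        })
    return results


def demo() -> list:
    """Run the detector over the constructed sample log."""
    return find_c2_beacons(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for r in demo():
        tag = "PERIODIC BEACON" if r["periodic_beacon"] else "contact"
        print(f"{tag:16} {r['client']:12} -> {r['host']} x{r['contacts']} median_gap={r['median_gap_s']}")
```

Because the extensions encrypt their C2 traffic, the host name and cadence are the observable signal, not the payload; a periodic hit from a client should be paired with the endpoint-side extension check so the session cookies already sent can be invalidated by forcing a re-login rather than only blocking the domain.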
All five extensions carry the same hard-coded list of 23 security-related Chrome extensions, such as EditThisCookie and Cookie-Editor, and check whether any of them is installed so that the threat actor can be alerted. This suggests an attempt to identify tools in the browser that could interfere with cookie harvesting or reveal the extension’s actions.
The presence of an identical extension ID list across all five extensions raises the possibility of either a single threat actor publishing them under different names or the use of a shared toolkit.
Users who have installed any of these extensions are urged to uninstall them, change passwords, and monitor for unauthorized access from unfamiliar IP addresses or devices.
“The combination of continuous credential theft, administrative interface blocking, and session hijacking creates a scenario where security teams can detect unauthorized access but cannot remediate through normal channels,” Socket emphasized.