The Chrome Web Store has seen a surge in downloads of a malicious version of the legitimate ChatGPT extension.

This trojanized version, which has accumulated over 9,000 downloads, masquerades as the popular “ChatGPT for Google” add-on that allows ChatGPT integration on search results. However, it contains extra code that targets Facebook session cookies in an attempt to steal Facebook accounts.

The publisher of the extension uploaded it to the Chrome Web Store on February 14, 2023, but only started promoting it using Google Search advertisements on March 14, 2023. Since then, it has had an average of a thousand installations per day.

The researcher who discovered it, Nati Tal of Guardio Labs, reports that the extension is communicating with the same infrastructure used earlier this month by a similar Chrome add-on that amassed 4,000 installations before Google removed it from the Chrome Web Store.

Hence, this new variant is considered part of the same campaign, which the operators kept as a backup on the Chrome Web Store for when the first extension would be reported and removed.

The malicious extension is promoted via advertisements in Google Search results, which are prominently featured when searching for “ChatGPT 4.”

Clicking on the sponsored search results takes users to a fake “ChatGPT for Google” landing page, and from there, to the extension’s page on Chrome’s official add-on store.

After the victim installs the extension, they get the promised functionality (ChatGPT integration on search results) since the legitimate extension’s code is still present. However, the malicious add-on also attempts to steal session cookies for Facebook accounts.

Upon the extension’s installation, malicious code uses the OnInstalled handler function to steal Facebook session cookies.


These stolen cookies allow the threat actors to log in to a Facebook account as the user and gain full access to their profiles, including any business advertising features.

The malware abuses the Chrome Extension API to acquire a list of Facebook-related cookies and encrypts them using an AES key. It then exfiltrates the stolen data via a GET request to the attacker’s server.

“The cookies list is encrypted with AES and attached to the X-Cached-Key HTTP header value,” explains the Guardio Labs report.

“This technique is used here to try and sneak the cookies out without any DPI (Deep Packet Inspection) mechanisms raising alerts on the packet payload.”
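A detection-side illustration of the pattern the report describes: a GET request whose X-Cached-Key header carries a long, high-entropy blob rather than a short cache key. This is an added example, not code from Guardio Labs or the extension; the JSON-lines proxy log format and its field names are assumptions, and the log records are constructed.

```python
import json
import math
import re
from typing import List

# Constructed proxy log records (JSON lines). The schema is an assumption for
# this example, not any real proxy's format. Record 2 carries a 128-char
# base64-looking X-Cached-Key value, the shape an encrypted cookie list would take.
SAMPLE_LOG = """
{"method":"GET","host":"cdn.example-cache.net","path":"/v1/status","headers":{"X-Cached-Key":"a3f9c2"}}
{"method":"GET","host":"203.0.113.10","path":"/api/ping","headers":{"X-Cached-Key":"U2FsdGVkX1+9kQx0F7mZpLcT3vB8nWqYr2HsJdK4eO6aG1iLmN0pRzUwVxCyDbEfA5hT7jS9oQ2lK8vM3nP6cZ1dX4wY0bGgJtLrNqFeHuIiOpAsDfGhJkLzXcVbNm=="}}
{"method":"POST","host":"www.facebook.com","path":"/login","headers":{"Content-Type":"application/x-www-form-urlencoded"}}
""".strip()

LEN_THRESHOLD = 64       # a genuine cache key is short; an encrypted cookie list is not
ENTROPY_THRESHOLD = 4.0  # bits per character; base64 of AES output scores well above this
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def cached_key(record: dict) -> str:
    """Return the X-Cached-Key header value, matching the header name case-insensitively."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    return headers.get("x-cached-key", "")


def is_suspicious(record: dict) -> bool:
    """Flag a GET request whose X-Cached-Key is oversized, base64-shaped and high-entropy."""
    value = cached_key(record)
    return (record.get("method") == "GET"
            and len(value) >= LEN_THRESHOLD
            and bool(B64_RE.match(value))
            and shannon_entropy(value) >= ENTROPY_THRESHOLD)


def scan_log(text: str) -> List[dict]:
    """Parse JSON-lines log text and return one hit per suspicious request."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if is_suspicious(rec):
                hits.append({"host": rec["host"], "path": rec["path"],
                             "header_len": len(cached_key(rec))})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Tune the length and entropy thresholds against your own traffic; the point is that the header value, not the packet payload a DPI engine inspects, is where the data travels.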

The threat actors then decrypt the stolen cookies to hijack their victims’ Facebook sessions for malvertising campaigns or to promote banned material like ISIS propaganda.

Facebook page of an RV seller taken over by the attacker (Guardio Labs)

The malware automatically changes the login details on the breached accounts to prevent the victims from regaining control over their Facebook accounts. It also switches the profile name and picture to a fake persona named “Lilly Collins.”

At this time, the malicious Google Chrome extension is still present in the Google Chrome Web Store.

However, the security researcher has reported the malicious extension to the Chrome Web Store team, so it will likely be removed soon.

(via: Bleepingcomputer)