Cyberhaven’s preliminary analysis of the recent malicious Chrome extension
Jan. 2, 2025, 3:31 p.m.
Tags
External References
Description
A phishing attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of their Chrome extension. This was part of a larger campaign targeting Chrome Extension developers, primarily aiming at Facebook Ads accounts. The attack involved a phishing email and a malicious OAUTH Google application. The malicious extension collected user data from Facebook.com, including access tokens, user IDs, account information, and ad account details. The data was then exfiltrated to a command and control server. The attack appears to be non-targeted and part of a wider campaign affecting multiple companies.
Date
Published: Jan. 2, 2025, 3:28 p.m.
Created: Jan. 2, 2025, 3:28 p.m.
Modified: Jan. 2, 2025, 3:31 p.m.
Indicators
ddf8c9c72b1b1061221a597168f9bb2c2ba09d38d7b3405e1dace37af1587944
149.248.2.160
149.28.124.84
api.cyberhaven.pro
cyberhavenext.pro
Attack Patterns
T1056.002
T1185
T1573.002
T1059.007
T1199
T1102
T1041
T1566