The extensions were apparently designed to help users download videos from some of the most popular platforms out there, including Facebook, Vimeo, Instagram, VK, and others.
These extensions were designed to redirect users to other websites. As soon as the user clicks a link, information about the click is sent to the attacker's command-and-control server, which can respond with a command to redirect the browser to a hijacked URL before forwarding it to the site the user originally wanted to visit.
In addition to getting a log of all user clicks in the browser, the attackers can exfiltrate personal and other types of information from the infected machines, including birth dates and email addresses, along with device data such as login times, device name, operating system, browser, and IP addresses.
The extensions might have been built with the malware inside right from the start, or could have gotten the code in an update, after the extensions gained popularity.
The malware also has the ability to hide itself, which makes it difficult to detect. For example, if the user looks up one of the malware's domains, or if the user appears to be a web developer, no malicious activity is performed.
It avoids infecting people skilled in web development, since they could more easily find out what the extensions are doing in the background.
Both Google and Microsoft have been informed of the findings and have started removing the problematic extensions. Users are advised to either disable or uninstall them.