New details have emerged about a vast network of rogue extensions for Chrome and Edge browsers that were found to hijack clicks to links in search results pages to arbitrary URLs, including phishing sites and ads.
Collectively called “CacheFlow” the 28 extensions in question including Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock made use of a sneaky trick to mask its true purpose: Leverage Cache-Control HTTP header as a covert channel to retrieve commands from an attacker-controlled server.
All the backdoored browser add-ons have been taken down by Google and Microsoft as of December 18, 2020, to prevent more users from downloading them from the official stores.
The extensions not only avoided infecting users who were likely to be web developers something that was deduced by computing a weighted score of the extensions installed or by checking if they accessed locally-hosted websites they were also configured to not exhibit any suspicious behavior during the first three days post-installation.
“CacheFlow was notable in particular for the way that the malicious extensions would try to hide their command and control traffic in a covert channel using the Cache-Control HTTP header of their analytics requests.