

‘Stanley’ Malware Toolkit Enables Phishing via Website Spoofing

Priced at $2,000 to $6,000 on a cybercrime forum, the MaaS toolkit promises publication on the Chrome Web Store. The post ‘Stanley’ Malware Toolkit Enables Phishing via Website Spoofing appeared first on SecurityWeek.


A new malware toolkit offered on an underground cybercrime forum can keep the browser’s address bar unmodified while serving phishing pages, Varonis reports.

Dubbed Stanley, the malware-as-a-service (MaaS) toolkit is priced from $2,000 to $6,000, and was first spotted on January 12, in a post claiming it can create extensions that bypass Google Store validation.

The top-tier pricing provides threat actors with customization options, a management panel, and guaranteed publication on the Chrome Web Store, Varonis has discovered.

“That guarantee is the commercial center of gravity here: it shifts distribution risk away from the buyer and implies the seller has a repeatable way to clear Google’s review process,” the cybersecurity firm notes.

A web-based management interface provides miscreants with a view of infected hosts, displaying information such as IP addresses (used as identifiers), online status, browser history status, and last activity timestamp.

It also allows operators to select individual targets and to configure specific URL hijacking rules for them, which include the source/legitimate URL and the target/phishing URL.

“Rules can be activated or deactivated per infection, allowing operators to stage attacks and trigger them on demand,” Varonis explains.

More importantly, the browser’s address bar shows the legitimate URL the victim tried to reach, while the victim is in fact interacting with attacker-controlled content.

“Beyond passive hijacking, operators can actively lure users to targeted pages through real-time notification delivery. The notifications come from Chrome itself, not a website, so they carry more implicit trust,” Varonis explains.

Analysis of Notely, a minimalist note-taking and bookmarking extension built using Stanley, revealed that its creator packed it with legitimate functionality but also designed it to request the permissions needed to take full control of the websites the user visits.

The extension includes a persistent polling mechanism that constantly checks with its command-and-control (C&C) server, implements backup domain rotation, and intercepts website visits to overlay a full-screen iframe containing the phishing page.

“The browser’s URL bar continues to display the legitimate domain (e.g., binance.com), while the victim sees and interacts with the attacker’s phishing page,” Varonis explains.
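The capability combination described above (reach every site, inject a content script into it, and raise Chrome notifications) is visible in an extension’s manifest before it ever runs. The following manifest triage script is an added example for reviewers and is not Varonis’s or the article’s code; the permission names are real Chrome extension permissions, but treating this particular combination as high-risk is the example’s own assumption, and both sample manifests are constructed.

```python
import json

# Permission names are real Chrome extension permissions; which ones count as
# risky for a site-overlay scenario is this example's assumption (constructed).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
OVERLAY_PERMS = {"scripting", "tabs", "webNavigation"}  # inject into / track pages
NOTIFY_PERMS = {"notifications"}                        # Chrome-originated popups
POLLING_PERMS = {"alarms"}                              # periodic background wake-ups

def _host_scope(manifest: dict) -> set:
    """Collect host patterns from MV2 'permissions' and MV3 'host_permissions'."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if p == "<all_urls>" or "://" in p}
    return hosts

def audit_manifest(manifest: dict) -> dict:
    """Flag a manifest that can both reach every site and inject content into it."""
    perms = set(manifest.get("permissions", []))
    hosts = _host_scope(manifest)
    cs_matches = {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    findings = []
    if hosts & BROAD_HOSTS:
        findings.append("broad host access")
    if cs_matches & BROAD_HOSTS:
        findings.append("content script runs on every page")
    if perms & OVERLAY_PERMS:
        findings.append("page injection/navigation APIs: " + ", ".join(sorted(perms & OVERLAY_PERMS)))
    if perms & NOTIFY_PERMS:
        findings.append("can raise Chrome notifications")
    if perms & POLLING_PERMS:
        findings.append("background alarms (periodic polling possible)")
    reach_all = bool((hosts | cs_matches) & BROAD_HOSTS)
    can_inject = bool(perms & OVERLAY_PERMS) or bool(cs_matches & BROAD_HOSTS)
    return {"high_risk": reach_all and can_inject, "findings": findings}

def audit_manifest_json(text: str) -> dict:
    return audit_manifest(json.loads(text))

# Constructed samples: a notes extension asking for far more than it needs,
# and a minimal one that only needs local storage.
OVERREACHING = json.dumps({"manifest_version": 3, "name": "Sample Notes",
    "permissions": ["storage", "notifications", "alarms", "scripting", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]})
MINIMAL = json.dumps({"manifest_version": 3, "name": "Sample Notes", "permissions": ["storage"]})

if __name__ == "__main__":
    for label, text in (("overreaching", OVERREACHING), ("minimal", MINIMAL)):
        print(label, audit_manifest_json(text))
```

A note-taking extension has no functional reason to combine all-site host access with a content script on every page, so a manifest that does should be read in full before approval.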

Stanley’s price range makes it accessible to a broad range of cybercriminals, and malicious extensions that slip into the Chrome Web Store could remain active for months, quietly harvesting credentials, the cybersecurity firm notes.
