Malicious browser extensions are a common attack vector used by threat actors to steal sensitive information, such as authentication cookies or login credentials, or to manipulate financial transactions.
In the latest example of a similar threat, researchers from Trend Micro have discovered a malicious Google Chrome extension (also working on Chromium-based browsers such as Microsoft Edge, Brave, and Opera,) named “ParaSiteSnatcher” and specifically designed to target users in Latin America. It particularly focuses on Brazilian targets, given that the malicious extension is able to exfiltrate data from several local banks, such as Banco do Brasil and Caixa Econômica Federal, or also to initiate and manipulate transactions in local payment methods such as PIX or Boleto Bancario. In addition, it can also exfiltrate Brazilian Tax ID numbers, for both individuals and businesses, and cookies, unsurprisingly even those used for Microsoft accounts.
But another interesting characteristic of ParaSiteSnatcher is in the way the payload is delivered to the victim, leveraging a VBScript downloader hosted on Dropbox, and also in the way it establishes communication with the attacker’s command and control infrastructure, obtaining a list of obfuscated URLs from Google Cloud Storage, a technique known as Dead Drop Resolver.
Yet another example of two legitimate cloud services exploited for malicious purposes by threat actors. Not only do legitimate cloud services have the implicit trust from individuals and enterprises (which should rather adopt a zero trust approach,) but they are also able to evade legacy secure web gateways, which don’t have the needed contextual awareness to enable adaptive, least-privileged access to applications and data. Finally they provide the attackers with a platform to launch their malicious campaigns, which is simple to manage, immediately available, and resilient: in practice, the same characteristics that drive organizations to move their data and applications to the cloud.
Mitigating the risks of legitimate cloud services exploited for malicious purposes
Dropbox and Google Cloud Storage are among the thousands of cloud services where the Netskope Next Gen SWG can provide adaptive access control, threat protection, and data loss prevention. They are also among the hundreds of cloud services for which instance detection is available. So, in cases where these apps are exploited to deliver a malicious payload, or to host the command and control infrastructure, it is possible to config