Fake extensions used by Dormant Colors to target browsers

November 8, 2022

The Dormant Colors threat campaign has adopted a new way to steal and monetise data. According to recent reports, a malvertising campaign run by this threat group is distributing malicious, data-gathering browser extensions.

As of now, these malicious extensions have been installed by millions of users globally.

The Dormant Colors campaign includes 30 extensions for Microsoft Edge and Google Chrome. These extensions offer colour customisation options for web pages, and the operators distribute them to targeted devices containing no malicious code at all, which lets them pass security detection at install time.

However, when users visit certain web pages, an advertisement, video promotion, or download redirects them to another website. The landing site then instructs the unsuspecting user to install a deceptive colour-changer extension.

Unfortunately, once installed the extensions can perform multiple malicious tasks, such as hijacking, inserting advertisements into visited pages, side-loading additional scripts, and collecting browsing histories.

The Dormant Colors threat campaign also targets well-known websites that receive millions of visits daily.

The operators of the Dormant Colors campaign target sites such as Amazon, AliExpress, and adult websites. By targeting these sites, they can carry out various illegal activities or scams, such as redirecting visitors to an affiliate service page or to web pages of their choosing.

Cybersecurity experts believe that these extensions contain security-bypassing modules for telemetry harvesting and code updates. Moreover, the same infrastructure could serve as the backbone of servers that collect data from millions of devices.

The operators could also profile potential targets and single out specific users with social engineering tactics. Finally, they could redirect potential victims to phishing pages that steal credentials for MS 365, bank websites, social media platforms, and Workspace.

The threat actors have pushed multiple malicious extensions with identical infrastructure and capabilities to millions of machines globally. Some of these extensions have been flagged by security providers as potentially harmful, but most of them are still in operation.

Furthermore, other threat groups are now moving to new domains, generating new extensions, and modifying their functions. Researchers therefore urge users to remove extensions they do not need and to be cautious when visiting unknown websites.
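One practical way to act on that advice is to audit the extensions already installed in a browser profile for the capabilities the article describes: access to every site the user visits, a persistent background script, and APIs that can rewrite requests or inject scripts. The script below is an added example written for this page, not code from the article or from the researchers it cites. The two manifests it checks are constructed samples (a minimal colour changer and a deliberately over-permissioned one), not the real Dormant Colors extensions; the directory layout it walks (`<profile>/Extensions/<id>/<version>/manifest.json`) is the one Chrome and Edge use.

```python
"""Audit browser-extension manifests for risky capability combinations.

Added example, not from the article. A colour-changer extension needs at most
activeTab and storage; broad host access plus a background script plus request
or scripting APIs is the combination that enables ad injection, redirects and
browsing-history collection. Sample manifests below are constructed.
"""
import json
import os
from typing import Dict, List, Set

# Match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension read or alter browsing on any page.
RISKY_PERMISSIONS = {
    "webRequest": "observe or modify network requests",
    "webRequestBlocking": "block or rewrite network requests",
    "declarativeNetRequest": "rewrite or redirect requests by rule",
    "scripting": "inject scripts into pages",
    "tabs": "read URLs and titles of open tabs",
    "history": "read browsing history",
    "webNavigation": "track every navigation",
    "cookies": "read site cookies",
}


def _host_patterns(manifest: dict) -> Set[str]:
    """Collect host match patterns from MV2 permissions, MV3 host_permissions and content_scripts."""
    patterns: Set[str] = set()
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if "://" in entry or entry == "<all_urls>":
                patterns.add(entry)
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def audit_manifest(manifest: dict) -> List[str]:
    """Return human-readable findings for one manifest; an empty list means nothing was flagged."""
    findings: List[str] = []
    broad = _host_patterns(manifest) & BROAD_HOSTS
    if broad:
        findings.append(f"broad host access: {sorted(broad)}")
    for perm in manifest.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            findings.append(f"permission {perm}: {RISKY_PERMISSIONS[perm]}")
    bg = manifest.get("background", {})
    has_background = bool(bg.get("service_worker") or bg.get("scripts"))
    if has_background and broad:
        findings.append("background script combined with access to all sites")
    # MV3 web_accessible_resources exposed to every origin let pages load extension-bundled code.
    for war in manifest.get("web_accessible_resources", []):
        if isinstance(war, dict) and BROAD_HOSTS & set(war.get("matches", [])):
            findings.append("web_accessible_resources exposed to all origins")
            break
    return findings


def audit_installed(extensions_dir: str) -> Dict[str, List[str]]:
    """Walk a Chrome/Edge profile's Extensions directory and audit every manifest.json found."""
    results: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
            ext_id = os.path.basename(os.path.dirname(root))  # <id>/<version>/manifest.json
            results[ext_id] = audit_manifest(manifest)
    return results


# Constructed sample: what a genuine colour changer needs.
SAMPLE_BENIGN = {
    "manifest_version": 3,
    "name": "Page Colour (constructed benign sample)",
    "permissions": ["activeTab", "storage"],
}

# Constructed sample: the capability set the article attributes to the malicious extensions.
SAMPLE_SUSPICIOUS = {
    "manifest_version": 3,
    "name": "Page Colour Pro (constructed suspicious sample)",
    "permissions": ["scripting", "tabs", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "background": {"service_worker": "bg.js"},
}

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_SUSPICIOUS):
        print(sample["name"])
        for line in audit_manifest(sample) or ["  nothing flagged"]:
            print("  " + line)
```

Run it against a real profile with `audit_installed(os.path.expanduser("~/.config/google-chrome/Default/Extensions"))` (adjust the path for Edge or for Windows/macOS). Findings are a prompt for review, not a verdict: password managers and ad blockers legitimately need broad host access, but a colour changer that asks for it, ships a background worker and calls `webRequest` is exactly the mismatch between stated purpose and requested capability worth removing.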
