Just last month, a joint cybersecurity investigation revealed that DarkSpectre, a Chinese threat actor, was behind several malicious browser extension campaigns. These campaigns have affected at least 8.8 million users globally and, taken together, span more than seven years. In particular, they targeted users of popular browsers such as Google Chrome, Microsoft Edge and Mozilla Firefox. The Koi Security team analyzed DarkSpectre’s activity, judged it to be highly sophisticated, and focused on the creeping, all-encompassing threat this group poses.
DarkSpectre’s campaigns have already impacted over 2.2 million users across these four major browsers. The actor uses seemingly innocuous utility and VPN extensions that ultimately deliver malicious JavaScript to unwary users. This code hijacks affiliate links, injects tracking code and commits click and ad fraud, which raises serious concerns about user privacy and data security.
Malicious Campaigns and Tactics
DarkSpectre’s most unusual campaign, codenamed GhostPoster, deliberately targets and tracks users of a single browser, Firefox. The threat actor uses GhostPoster to distribute malicious JavaScript that hijacks affiliate links and generates fraudulent click-throughs for illicit revenue.
On top of this, DarkSpectre runs a separate project called The Zoom Stealer, a suite of 18 identical extensions available across Chrome, Edge, and Firefox. The Zoom Stealer targets corporate meeting intelligence by stealing sensitive data around online meetings: it gathers the name, title, bio, social profile photo and company of the speakers and hosts featured in webinars.
These extensions request access to upwards of 28 separate video conferencing tools, including widely used applications such as Google Meet, Zoom, and GoTo Webinar. By posing as helper tools for enterprise videoconferencing applications, DarkSpectre seeks to gain a foothold in corporate environments and siphon valuable data.
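One defender-side check that follows from this, added here as an illustrative example and not code from Koi Security’s report or from the extensions themselves: a Python audit that parses extension manifests and flags any whose host patterns reach several meeting platforms at once. The watchlist, the review threshold and the sample manifests are constructed assumptions.

```python
# Constructed watchlist of meeting platforms (assumption: extend it for your estate);
# the article names Google Meet, Zoom and GoTo Webinar among 28 targeted tools.
MEETING_HOSTS = {"meet.google.com", "zoom.us", "gotowebinar.com",
                 "teams.microsoft.com", "webex.com"}

def pattern_host(pattern):
    """Extract the host part of a Chrome/Firefox match pattern, minus a leading '*.'."""
    rest = pattern.split("://", 1)[1] if "://" in pattern else pattern
    host = rest.split("/", 1)[0].lower()
    return host[2:] if host.startswith("*.") else host

def reachable_meeting_hosts(pattern):
    """Watchlist hosts a single match pattern lets the extension run on."""
    if pattern == "<all_urls>" or pattern_host(pattern) == "*":
        return set(MEETING_HOSTS)          # wildcard patterns reach everything
    host = pattern_host(pattern)
    return {h for h in MEETING_HOSTS
            if h == host or h.endswith("." + host) or host.endswith("." + h)}

def extension_patterns(manifest):
    """Collect host patterns from MV2 'permissions', MV3 'host_permissions' and content scripts."""
    pats = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        pats += [p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def audit(manifest, threshold=3):
    """Mark an extension for review when its patterns reach `threshold` or more watchlist hosts."""
    hosts = set()
    for pattern in extension_patterns(manifest):
        hosts |= reachable_meeting_hosts(pattern)
    return {"name": manifest.get("name", "?"), "meeting_hosts": sorted(hosts),
            "review": len(hosts) >= threshold}

# Constructed manifests standing in for json.load() of each unpacked extension's manifest.json.
SAMPLE_MANIFESTS = [
    {"name": "Tab Counter", "manifest_version": 3, "permissions": ["tabs"]},
    {"name": "Meeting Notes Helper", "manifest_version": 3, "content_scripts": [
        {"matches": ["*://meet.google.com/*", "*://*.zoom.us/*",
                     "*://*.gotowebinar.com/*", "*://teams.microsoft.com/*"], "js": ["c.js"]}]},
    {"name": "Free VPN", "manifest_version": 2,
     "permissions": ["<all_urls>", "webRequest", "storage"]},
]

if __name__ == "__main__":
    for manifest in SAMPLE_MANIFESTS:
        print(audit(manifest))
```

A `<all_urls>` grant is normal for legitimate VPN and ad-blocking extensions, so a hit here is a prompt to inspect the extension's scripts, not a verdict on its own.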
Evidence of Corporate Espionage
DarkSpectre’s actions point unmistakably to corporate espionage. Cybersecurity experts have warned about the threat of these campaigns for years, arguing that their fallout extends well past consumer fraud.
“This isn’t consumer fraud – this is corporate espionage infrastructure,” said Tuval Admoni and Gal Hachamov, highlighting the serious nature of the threat posed by DarkSpectre’s actions. The group’s advanced, methodical efforts to penetrate corporate networks serve as a reminder of the dangers that organizations encounter in our modern, digital world.
According to Koi Security’s analysis, DarkSpectre is presently in its “trust-building phase.” They are building a moat by signing up users and gaining trust through the provision of benign-seeming extensions.
“They’re still in the trust-building phase, accumulating users, earning badges, waiting.” – Koi
This approach gives the attackers an opportunity to embed themselves further into users’ operating environments before deploying malicious functionality.
Technical Insights and Infrastructure
Investigators have found numerous technical breadcrumbs connecting DarkSpectre to China. One is the deployment of command-and-control servers on Alibaba Cloud; another is Internet Content Provider (ICP) registrations associated with various Chinese provinces. These connections reinforce the assessment that DarkSpectre is a serious, organized group with deep resources.
As this little-known campaign shows, keeping up with this growing threat demands constant awareness from both users and organizations. Cyber threats are always changing, and understanding the tactics employed by groups such as DarkSpectre is essential to protecting sensitive information.