Browser Extensions (T1176)

Technique & Subtechniques

  • Browser Extensions

Associated Tactics

  • Persistence

Persistence (TA0003)

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Procedure Examples

Description | Source(s)
Brinkmann, M. (2017, September 19). First Chrome extension with JavaScript Crypto Miner detected. Retrieved November 16, 2017. | Chrome Extension Crypto Miner
Chris Ross. (2019, February 8). No Place Like Chrome. Retrieved April 27, 2021. | xorrior chrome extensions macOS
Chrome. (n.d.). What are Extensions?. Retrieved November 16, 2017. | Chrome Extensions Definition
De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018. | ICEBRG Chrome Extensions
Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017. | Malicious Chrome Extension Numbers
Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved September 12, 2024. | Chrome Extension C2 Malware
Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension Steals All Posted Data. Retrieved November 16, 2017. | Catch All Chrome Extension
Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. Retrieved November 18, 2017. | Banker Google Chrome Extension Steals Creds
Microsoft Threat Intelligence. (2020, December 10). Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers. Retrieved February 26, 2024. | Browser Adrozek
Raggi, Michael. Proofpoint Threat Research Team. (2021, February 25). TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations. Retrieved February 26, 2024. | Browers FriarFox
Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware campaign operating covertly since 2012. Retrieved November 16, 2017. | Stantinko Botnet
Wikipedia. (2017, October 8). Browser Extension. Retrieved January 11, 2018. | Wikipedia Browser Extension