Two malicious Chrome extensions steal data

Megiddo
Two Chrome extensions, known collectively as Phantom Shuttle, have been discovered. They pose as proxy plugins, but in reality, they intercept user traffic and steal confidential data.

According to researchers at Socket, these extensions have been active since at least 2017:

  • Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj) — 2,000 users (published November 26, 2017);
  • Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd) — 180 users (published April 27, 2023).

Phantom Shuttle's primary audience is users in China, including those working in foreign trade who need to test connections from different regions of the country.

Both extensions were published under the same developer's name and are marketed as tools for proxying traffic and testing network speeds. Subscriptions for both range from $1.40 to $13.60.

Phantom Shuttle routes all user traffic through proxies controlled by the attackers. Access to the proxy is achieved using hardcoded credentials, and malicious code is embedded at the beginning of the legitimate jQuery library.

The attackers are noted to have hidden the hardcoded credentials using a custom character encoding scheme. Using a web traffic handler, the extensions intercept HTTP authentication requests on any website visited by the victim.

To automatically route traffic through the proxy, the malicious extensions dynamically change proxy settings in Chrome using an autoconfiguration script.

In the default ("smart") mode, traffic to more than 170 domains is routed through the proxy, including developer platforms, cloud service consoles, social networks, and adult websites. Exceptions include local networks and the attackers' command-and-control (C&C) domain, so that the proxy neither disrupts the malware's own communication nor exposes it to detection.
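The three behaviours described above (the proxy permission, a PAC script installed through chrome.proxy, and a webRequest onAuthRequired listener that answers challenges with baked-in credentials) can be triaged statically from an unpacked extension. The following is an added example for defenders, not code from Socket's report or from the extensions themselves; the manifest, source snippet, PAC script and all domain names in it are constructed placeholders.

```javascript
// Constructed sample artefacts for this example; they are not the Phantom Shuttle files.
const SAMPLE_MANIFEST = {
  name: "constructed-proxy-helper",
  permissions: ["proxy", "webRequest", "webRequestAuthProvider", "<all_urls>"],
};
const SAMPLE_SOURCE = `
chrome.webRequest.onAuthRequired.addListener(function (details) {
  return { authCredentials: { username: decode(U), password: decode(P) } };
}, { urls: ["<all_urls>"] }, ["blocking"]);
chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: PAC } } });
`;
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || shExpMatch(host, "*.local")) return "DIRECT";
  if (shExpMatch(host, "*.c2-placeholder.example")) return "DIRECT";
  if (shExpMatch(host, "*.github.com") || shExpMatch(host, "console.aws.amazon.com"))
    return "PROXY proxy-placeholder.example:8080";
  return "DIRECT";
}`;

// Map each shExpMatch host pattern in a PAC script to whether it is proxied or bypassed.
// Bypass rules deserve attention: in the report, the C&C domain is excluded from the proxy.
function pacRouting(pac) {
  const routing = { proxied: [], direct: [] };
  const stmt = /if\s*\(([\s\S]*?)\)\s*return\s*"(PROXY|DIRECT)[^"]*"/g;
  for (const [, cond, action] of pac.matchAll(stmt)) {
    for (const [, pattern] of cond.matchAll(/shExpMatch\(host,\s*"([^"]+)"\)/g)) {
      (action === "PROXY" ? routing.proxied : routing.direct).push(pattern);
    }
  }
  return routing;
}

// Flag the combination the report describes: proxy permission, a PAC script set via
// chrome.proxy, and an onAuthRequired listener that auto-supplies credentials.
function auditExtension(manifest, source, pac) {
  const perms = manifest.permissions || [];
  const findings = {
    proxyPermission: perms.includes("proxy"),
    setsPacScript: /chrome\.proxy\.settings\.set[\s\S]*?pac_script/.test(source),
    autoAnswersAuth: /onAuthRequired\.addListener[\s\S]*?authCredentials/.test(source),
    routing: pacRouting(pac),
  };
  findings.suspicious = findings.proxyPermission && findings.setsPacScript &&
    findings.autoAnswersAuth && findings.routing.proxied.length > 0;
  return findings;
}

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_SOURCE, SAMPLE_PAC), null, 1));
```

On a real unpacked extension, feed it the parsed manifest.json, the concatenated background scripts, and the PAC string extracted from the code.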

As a result, malicious extensions can intercept data from any form—credentials, payment card details, passwords, personal information, and so on. Socket's report also notes that the malware steals session cookies from HTTP headers and extracts API tokens from requests.

At the time of publication of this research, both extensions were still available in the Chrome Web Store.