For the past few years, malware authors have abused the extension development functionality of Chrome and Firefox. More often than not, these extensions are abused for standard crimeware activities, such as ad click fraud, cryptocurrency mining, or stealing banking credentials. But this is only scratching the surface of what is possible if the appropriate browser APIs are abused. Extensions can act as a foothold into a target's internal network, provided a single user can be convinced to click two buttons. As a post-exploitation mechanism, extensions can be side-loaded with the ability to read and write files to disk. These actions will all be performed from the browser process(es) and likely go undetected by conventional endpoint protection solutions. This talk will discuss the creation, deployment, and usage of malicious browser extensions so that other red teamers can add this attack vector to their toolkit.
Michael Weber is a senior security consultant with NCC Group. Michael loves making .NET do things that no sane human would ever expect it to perform, running amok on red team engagements, and taking apart antivirus products. Prior to NCC Group, Michael worked as a malware reverse engineer, where he learned that 4-byte XOR is the ultimate way to circumvent all signatures.