25 October 2022

Dormant Colors malvertizing campaign steals browsing and search data


Researchers at Guardio Labs have published a report detailing a new malvertizing campaign delivering malicious Google Chrome and Microsoft Edge extensions that steal search and browsing data and embed affiliate links into web pages.

The researchers dubbed the campaign “Dormant Colors” because most of the extensions it involves provide color optimization functions and contain no malicious code when they are first installed on a machine.

“It starts with the trickery malvertizing campaign, continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!), and finally with stealing not only your searches and browsing data, but also affiliation to 10,000 targeted sites — a capability that is easily leveraged for targeted spear phishing, account takeover and credential extraction,” the report reads.

Guardio Labs observed at least 30 variants of these extensions hosted in both Chrome and Edge official web stores, amassing more than a million installs.

Each malicious extension includes stealth modules for code updating and telemetry collection, backed by a server infrastructure that harvests data from millions of users, classifies potential targets, and can target specific users with many kinds of social engineering attack vectors.

The infection chain begins with advertisements designed to trick a user into installing a seemingly harmless extension. Once the victim installs the extension, they are redirected to yet another advertisement; at the same time, malicious scripts are side-loaded that modify the browser's behavior.

When performing search hijacking, the extension redirects search queries to return results from sites affiliated with the extension's developer. This scheme allows the threat actors to generate income from ad impressions and the sale of search data. Furthermore, the campaign relies on the affiliation to 10,000 targeted sites to generate additional income. Once a user visits a site from the list, they are redirected to the same page, but this time with affiliate links added to the URL, so the visit appears to have been referred by the affiliate. Thus, any purchase made by the user on the website generates an affiliation fee for the campaign’s operators.
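The two monetization behaviors described above leave a recognizable trace in navigation logs: a search query that lands on a different host carrying the same search term, or a page that is reloaded with attribution parameters the user never typed. The following detection logic is an added example (not code from the Guardio Labs report); the affiliate and search-query parameter names and the sample navigations are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: query-string keys commonly used to carry
# affiliate/referral attribution. Extend from your own proxy or browser logs.
AFFILIATE_KEYS = {"aff", "affid", "affiliate", "ref", "tag", "clickid", "subid"}
# Assumption: keys under which search engines carry the user's search term.
SEARCH_QUERY_KEYS = {"q", "query", "p", "search"}


def _search_term(parts):
    """Return the normalized search term from a split URL, or None."""
    qs = parse_qs(parts.query)
    for key in SEARCH_QUERY_KEYS:
        if key in qs:
            return qs[key][0].strip().lower()
    return None


def classify_navigation(requested_url: str, final_url: str) -> str:
    """Compare the URL the user asked for with the URL the browser landed on."""
    req, fin = urlsplit(requested_url), urlsplit(final_url)
    if (req.scheme, req.netloc, req.path) == (fin.scheme, fin.netloc, fin.path):
        # Same page, but attribution keys absent from the request appeared.
        added = set(parse_qs(fin.query)) - set(parse_qs(req.query))
        if added & AFFILIATE_KEYS:
            return "affiliate_injection"
        return "benign"
    # Different page: the same search term served from another host
    # matches the search-hijacking pattern.
    term_req, term_fin = _search_term(req), _search_term(fin)
    if term_req is not None and term_req == term_fin and req.netloc != fin.netloc:
        return "search_hijack"
    return "benign"


# Constructed sample (requested, landed) pairs; not real campaign data.
SAMPLE_NAVIGATIONS = [
    ("https://www.google.com/search?q=running+shoes",
     "https://search.example-affiliate.test/results?q=running+shoes"),
    ("https://shop.example.test/product/123",
     "https://shop.example.test/product/123?tag=partner-001"),
    ("https://shop.example.test/product/123",
     "https://shop.example.test/product/123"),
]


def scan(pairs):
    """Classify every navigation pair in a log extract."""
    return [classify_navigation(requested, final) for requested, final in pairs]
```

Run `scan(SAMPLE_NAVIGATIONS)` over pairs pulled from proxy or browser-history logs; a burst of `search_hijack` or `affiliate_injection` results from one workstation is a prompt to review its installed extensions.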

“It is possible to quickly reconfigure the operation using the stealth update module, and also right on the server side, to add other even more malicious flows — starting from presenting phishing fake log-in pages instead of account login pages for domains like Facebook, Twitter, and even bank accounts and organization cloud account portals,” the researchers noted.

“This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without. Adding to that, the code injection technique analyzed here is a vast infrastructure for mitigation and evasion and allows leveraging the campaign to even more malicious activities in the future,” Guardio Labs warned.
