Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites
Briefly

"Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), believing they're purchasing a legitimate VPN service, but both variants perform identical malicious operations," Socket security researcher Kush Pandya said. "Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man-in-the-middle proxies, and continuously exfiltrate user data to the threat actor's C2 [command-and-control] server."
Once unsuspecting users make the payment, they receive VIP status and the extensions auto-enable "smarty" proxy mode, which routes traffic from over 170 targeted domains through the C2 infrastructure. The extensions work as advertised to reinforce the illusion of a functional product. They perform actual latency tests on proxy servers and display connection status, while keeping users in the dark about their main goal, which is to intercept network traffic and steal credentials. This involves malicious modifications prepended to two JavaScript libraries, namely, jquery-1.12.2.min.js and scripts.js, that come bundled with the extensions. The code is designed to automatically inject hard-coded proxy credentials (topfany / 963852wei) into every HTTP authentication challenge across al
Two Google Chrome extensions named Phantom Shuttle provide a paid VPN-like service while intercepting user traffic and capturing credentials. One variant has about 2,000 users and the other about 180 users, both available for download. Subscriptions range from ¥9.9 to ¥95.9 CNY ($1.40–$13.50 USD) and grant VIP status that auto-enables a "smarty" proxy mode routing traffic from over 170 targeted domains through an attacker-controlled C2 infrastructure. The extensions perform real latency tests and display connection status to appear legitimate while modifying bundled JavaScript libraries to inject hard-coded proxy credentials (topfany / 963852wei) into HTTP authentication challenges and continuously exfiltrate user data.
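The behaviour described above (a proxy permission plus an onAuthRequired handler that answers every authentication challenge with hard-coded credentials) leaves a recognisable footprint in an unpacked extension. The following triage script is an added example written for this summary; it is not code from Socket, The Hacker News, or the Phantom Shuttle extensions. It builds a constructed sample extension (the manifest, the `scripts.js` stanza and the credential pair `demo_user` / `demo_pass` are all invented here, not taken from the real samples) and then scans it for the combination of proxy-related permissions and a literal `authCredentials` object in any bundled JavaScript file.

```python
import json
import os
import re
import tempfile

# Manifest permissions that together let an extension reroute traffic and
# answer proxy authentication challenges on the user's behalf.
PROXY_PERMS = {"proxy", "webRequest", "webRequestAuthProvider", "webRequestBlocking"}

# An onAuthRequired listener is legitimate on its own; a listener that returns
# a literal username/password for every challenge is the pattern to flag.
AUTH_LISTENER = re.compile(r"onAuthRequired\.addListener")
CRED_LITERAL = re.compile(
    r"authCredentials\s*:\s*\{\s*username\s*:\s*['\"]([^'\"]+)['\"]"
    r"\s*,\s*password\s*:\s*['\"]([^'\"]+)['\"]",
    re.S,
)


def load_manifest(ext_dir):
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        return json.load(f)


def manifest_findings(manifest):
    """Return the proxy-related permissions the manifest requests, sorted."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    return sorted(perms & PROXY_PERMS)


def scan_js(path):
    """Return human-readable findings for one JavaScript file (password masked)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        src = f.read()
    findings = []
    if AUTH_LISTENER.search(src):
        findings.append("onAuthRequired listener")
    for user, pw in CRED_LITERAL.findall(src):
        findings.append(f"hard-coded authCredentials {user}:{'*' * len(pw)}")
    return findings


def triage_extension(ext_dir):
    """Walk an unpacked extension and report permission + credential-injection hits."""
    report = {"permissions": manifest_findings(load_manifest(ext_dir)), "files": {}}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(root, name)
                hits = scan_js(path)
                if hits:
                    report["files"][os.path.relpath(path, ext_dir)] = hits
    # Only the combination is suspicious: proxy control plus an injected credential.
    report["suspicious"] = bool(report["files"]) and "proxy" in report["permissions"]
    return report


def build_sample_extension():
    """Create a constructed (not real) extension layout in a temp dir and return its path."""
    ext_dir = tempfile.mkdtemp(prefix="ext-triage-")
    manifest = {
        "manifest_version": 3,
        "name": "constructed sample",
        "version": "0.0.1",
        "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
    }
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    # Constructed stanza modelled on the "prepended to a bundled library" pattern;
    # the credential pair below is a placeholder, not one from any real sample.
    injected = (
        "chrome.webRequest.onAuthRequired.addListener(\n"
        "  function (details) {\n"
        '    return { authCredentials: { username: "demo_user", password: "demo_pass" } };\n'
        "  },\n"
        '  { urls: ["<all_urls>"] },\n'
        '  ["blocking"]\n'
        ");\n"
        "function legit() { return 1; }\n"
    )
    with open(os.path.join(ext_dir, "scripts.js"), "w", encoding="utf-8") as f:
        f.write(injected)
    # A clean library stub so the scan shows it does not flag ordinary code.
    with open(os.path.join(ext_dir, "jquery-1.12.2.min.js"), "w", encoding="utf-8") as f:
        f.write("/*! constructed stub, not jQuery */ var $ = function () {};\n")
    return ext_dir


if __name__ == "__main__":
    print(json.dumps(triage_extension(build_sample_extension()), indent=2))
```

Run it against a real unpacked extension directory by calling `triage_extension("/path/to/unpacked")`; the password is masked in the report so findings can be pasted into a ticket without copying the credential itself. A hit on `onAuthRequired` alone is not proof of anything (enterprise proxy helpers use it legitimately); it is the literal credential object plus the `proxy` permission that warrants pulling the extension for a closer look.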
Read at The Hacker News