“Dormant Colors” is yet another vast campaign of malicious extensions with millions of active installations worldwide, this time with a color-related theme and deception at every stage of the chain.
The campaign starts with malvertising in the form of ads on web pages or redirects from videos and download links. If a site visitor clicks on the ad, they are redirected to a page informing them they need to download an extension. Once visitors confirm the download, one of 30 extensions is installed on the browser. The extension then redirects users to various pages that side-load malicious scripts, which instruct the extension to begin hijacking user searches and inserting affiliate links.
When hijacking user searches, the extension redirects search queries to display results from sites affiliated with the extension developers. The extension also includes stealth modules for code updating and telemetry collection, supported by a backbone of servers that harvest data from millions of users and classify potential targets.
The extension developers could easily direct these extensions to send users to phishing pages, or even directly point users to a malware download.