Chrome Session Cookie Theft via Malicious Extension Bypasses MFA

Attackers are abusing Chrome Native Messaging to deploy a malicious extension that steals session cookies and bypasses MFA protections.

CSBadmin

How the Attack Works

A new phishing campaign uses email attachments disguised as PDFs to deliver a malicious Chrome extension. The attachment carries a double extension such as .pfd.js and is actually an obfuscated JavaScript file that starts the infection chain. Once opened, it drops its components into the user's temporary folder, where a PowerShell script unpacks the extension and writes Chrome enterprise policy settings that present the extension as an administrator-controlled deployment. Because Chrome treats policy-installed extensions as managed, the malware sidesteps the normal extension installation prompts and warnings.

The malicious extension then communicates with a native companion host through Chrome Native Messaging, a legitimate feature that lets an extension exchange messages with a registered program running outside the browser sandbox. The attackers use this bridge to run PowerShell commands on the host system on demand. The extension collects browser session cookies, open tabs, URLs, language settings, and device fingerprint data.
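The chain above rests on two Windows registry locations that Chrome honours: the ExtensionInstallForcelist policy, which makes an extension look administrator-deployed, and the NativeMessagingHosts registration, whose default value points Chrome at the host's manifest (the manifest in turn names the program to launch and the extension IDs allowed to talk to it). The PowerShell audit script below is an added example, not code from the Malwarebytes report or from the campaign; the registry paths are Chrome's documented ones, while the scratch-directory list, the non-Web-Store heuristic, and the three-hop process-lineage check are assumptions of this example.

```powershell
# Added audit script (not from the Malwarebytes report). It reads the registry locations
# Chrome uses on Windows for admin-forced extensions and for Native Messaging host
# registrations, and flags entries that resemble the chain described above.
# Run from an elevated PowerShell prompt so that HKLM entries are visible.

$forceListKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)
$nativeHostKeys = @(
    'HKLM:\SOFTWARE\Google\Chrome\NativeMessagingHosts',
    'HKCU:\SOFTWARE\Google\Chrome\NativeMessagingHosts'
)
# Assumption of this example: a legitimately deployed native host does not live in a
# user-writable scratch directory such as %TEMP% or Downloads.
$scratchDirs = @($env:TEMP, $env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'Downloads'), 'C:\Users\Public') |
    Where-Object { $_ }

function Get-ForcedExtensions {
    foreach ($key in $forceListKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -notmatch '^\d+$') { continue }            # policy values are named 1, 2, 3, ...
            $id, $updateUrl = [string]$prop.Value -split ';', 2         # "<extension id>;<update url>"
            [pscustomobject]@{
                Key       = $key
                Id        = $id
                UpdateUrl = $updateUrl
                # Heuristic: a forced install not served by the Web Store update service deserves a second look.
                NonStore  = ($updateUrl -notlike 'https://clients2.google.com/service/update2/crx*')
            }
        }
    }
}

function Get-NativeHosts {
    foreach ($key in $nativeHostKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            # The key's default value is the path to the host manifest (JSON).
            $manifestPath = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            $manifest = $null
            if ($manifestPath -and (Test-Path -LiteralPath $manifestPath)) {
                try { $manifest = Get-Content -Raw -LiteralPath $manifestPath | ConvertFrom-Json } catch { }
            }
            $hostPath = $manifest.path
            # A relative "path" in the manifest resolves against the manifest's own directory.
            if ($hostPath -and -not [IO.Path]::IsPathRooted($hostPath)) {
                $hostPath = Join-Path (Split-Path -Parent $manifestPath) $hostPath
            }
            $inScratch = [bool]($scratchDirs | Where-Object { $hostPath -and $hostPath.StartsWith($_, 'OrdinalIgnoreCase') })
            [pscustomobject]@{
                Key            = $sub.PSPath
                HostName       = $sub.PSChildName
                Manifest       = $manifestPath
                HostBinary     = $hostPath
                AllowedOrigins = ($manifest.allowed_origins -join ', ')   # chrome-extension://<id>/ entries
                # Unreadable manifest, scratch-directory binary, or a script as the "binary" are all red flags.
                Suspicious     = ($null -eq $manifest) -or $inScratch -or ($hostPath -match '\.(ps1|bat|cmd|js|vbs)$')
            }
        }
    }
}

function Get-ShellsUnderChrome {
    # Chrome launches native hosts as its child processes, so a script interpreter within a
    # few hops of chrome.exe matches the extension -> host -> PowerShell command channel.
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        if ($p.Name -notmatch '^(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$') { continue }
        $ancestor = $byId[[int]$p.ParentProcessId]
        for ($hop = 1; ($hop -le 3) -and $ancestor; $hop++) {
            if ($ancestor.Name -ieq 'chrome.exe') {
                [pscustomobject]@{ Pid = $p.ProcessId; Hops = $hop; ChromePid = $ancestor.ProcessId; CommandLine = $p.CommandLine }
                break
            }
            $ancestor = $byId[[int]$ancestor.ParentProcessId]
        }
    }
}

Get-ForcedExtensions  | Format-Table -AutoSize
Get-NativeHosts       | Format-Table -AutoSize
Get-ShellsUnderChrome | Format-Table -AutoSize
```

Rows with NonStore or Suspicious set to True are the ones to investigate: an unfamiliar forced extension whose update URL is not the Web Store, a native host whose manifest points into the temporary folder, or a PowerShell process whose parent chain leads back to chrome.exe each match a step of the reported chain. The lineage check relies on live parent PIDs, so it only catches a channel that is open at the time the script runs; pair it with Sysmon or EDR process-creation telemetry for historical coverage.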

Impact and Risk

The stolen session cookies let attackers hijack active browser sessions without the user's password. Because the victim has already completed the login, including any multi-factor authentication (MFA) challenge, the attacker inherits an authenticated session and never has to pass MFA themselves. The attack also provides a remote command channel, allowing operators to enumerate system drives and launch additional scripts. Researchers note that abusing Chrome Native Messaging makes the activity blend into normal browser behavior, which complicates detection. Users are advised to verify email attachments, review their installed Chrome extensions regularly (including any shown as installed by an administrator), and sign out of important accounts after use so the service invalidates the session tokens.

Source: Malwarebytes

CSBadmin

The latest in cybersecurity news and updates.