Malicious Browser Extensions Maintain Persistence

Researchers have detected malicious Chrome and Firefox extensions that evade removal by redirecting victims away from pages where extensions are listed and by automatically closing pages containing information on how to disable or delete extensions and add-ons. These browser extensions are designed to increase clicks on YouTube videos and hijack online search results. In some instances, they are automatically installed after a user visits a seemingly benign website, making them difficult to avoid. Malicious extensions that currently use this method to maintain persistence have been identified as Tiempo en colombia en vivo for Chrome and FF Helper Protection for Firefox, although this method will likely be employed by other malicious extension campaigns in the future. The NJCCIC recommends users and administrators who have installed either of these Chrome or Firefox extensions review the Malwarebytes Labs analysis for removal instructions. We advise all members to exercise caution when installing browser extensions and add-ons.