{
  "name": "Cyberhaven\u2019s preliminary analysis of the recent malicious Chrome extension",
  "slug": "cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension",
  "description": "A phishing attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of their Chrome extension. This was part of a larger campaign targeting Chrome Extension developers, primarily aiming at Facebook Ads accounts. The attack involved a phishing email and a malicious OAUTH Google application. The malicious extension collected user data from Facebook.com, including access tokens, user IDs, account information, and ad account details. The data was then exfiltrated to a command and control server. The attack appears to be non-targeted and part of a wider campaign affecting multiple companies.",
  "published": "2025-01-02T14:28:13+00:00",
  "created_at": "2025-01-02T14:28:13+00:00",
  "modified_at": "2025-01-02T14:31:13+00:00",
  "created_at_opencti": "2025-01-02T14:28:13+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-02",
    "chrome extension",
    "command and control",
    "data exfiltration",
    "facebook ads",
    "oauth",
    "phishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "149.248.2.160"
      },
      {
        "id": "",
        "name": "149.28.124.84"
      },
      {
        "id": "",
        "name": "api.cyberhaven.pro"
      },
      {
        "id": "",
        "name": "cyberhavenext.pro"
      },
      {
        "id": "",
        "name": "ddf8c9c72b1b1061221a597168f9bb2c2ba09d38d7b3405e1dace37af1587944"
      }
    ],
    "attack_patterns": [
      {
        "id": "64e548d5-24de-4894-9c90-c6e17b3b3bee",
        "name": "T1056.002"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ]
  },
  "external_refs": [
    "https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension",
    "https://otx.alienvault.com/pulse/6776b08d4706672ef3a48934"
  ]
}