Browser Hijacker Posing as Color Swapper Infects Millions
Malicious browser extensions that hide behind some innocuous piece of functionality, such as a color changer, are nothing new. Dormant Colors, however, is a case apart.
Dormant Colors is the name of a group of rogue browser extensions that were pushed aggressively through a large-scale malvertising campaign and ended up installed in millions of browsers.
The Dormant Colors constellation of malicious extensions was discovered by researchers with Guardio Security. Their report details around 30 different browser extensions that were distributed through various methods, including being hosted on the Chrome and Edge addon stores. The malicious code was side-loaded to avoid detection for as long as possible.
One of the main distribution vectors for the Dormant Colors extensions was misleading pages that require the user to install the extension before the promised content is shown. This is a common tactic for pushing browser hijackers, although such pages usually rely on push notifications rather than forcing an extension install.
The Dormant Colors extensions perform search hijacking, returning results from sponsored pages affiliated with the entity behind the campaign.
The malicious extensions can also append affiliate links to the URLs the user visits on a staggering 10 thousand sites, another way to generate revenue on the back of the unsuspecting victim. Once such an affiliate URL is loaded in the browser, every purchase the victim makes generates affiliate bonus payments for the Dormant Colors operators.
The fact that many of these extensions remained on the official Chrome and Edge stores and accumulated such a vast number of downloads calls into question the level of security offered by those official platforms, which are usually considered safe.
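As an added, defender-side example (not code from the article or from Guardio's report), the following Python heuristic flags the two behaviours described above in reconstructed navigation logs: a search request that lands on a non-search host, and a page reached with query parameters the user never typed. The search-host list, URLs and affiliate parameter are constructed assumptions.

```python
"""Heuristic detector for search hijacking and affiliate-parameter injection.

Input is a list of (requested_url, landed_url) pairs, as a defender might
reconstruct from proxy logs or browser history. All URLs are constructed
sample data, not indicators from any report."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: the hosts on which a search started by the user is expected
# to end. Anything else is treated as a hijack.
SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def classify(requested: str, landed: str) -> Optional[str]:
    """Return 'search_hijack', 'param_injection' or None for one navigation."""
    req, land = urlsplit(requested), urlsplit(landed)
    # Search hijack: the query left a search host and ended up elsewhere.
    if req.hostname in SEARCH_HOSTS and land.hostname not in SEARCH_HOSTS:
        return "search_hijack"
    # Parameter injection: same host and path, but query keys appeared on the
    # landed URL that the requested URL did not carry. Sites sometimes add
    # their own parameters on redirect, so treat hits as leads, not verdicts.
    if req.hostname == land.hostname and req.path == land.path:
        added = set(parse_qs(land.query)) - set(parse_qs(req.query))
        if added:
            return "param_injection"
    return None


def scan(events):
    """Return (requested, landed, verdict) for every suspicious navigation."""
    return [(r, l, v) for r, l in events if (v := classify(r, l))]


# Constructed sample navigations: one clean search, one hijacked search,
# one clean page load and one page load with an injected affiliate tag.
SAMPLE_EVENTS = [
    ("https://www.google.com/search?q=cheap+laptops",
     "https://www.google.com/search?q=cheap+laptops"),
    ("https://www.google.com/search?q=cheap+laptops",
     "https://search.sponsored-example.invalid/results?q=cheap+laptops"),
    ("https://news.example.org/story?id=7",
     "https://news.example.org/story?id=7"),
    ("https://shop.example.com/product/123",
     "https://shop.example.com/product/123?ref=PLACEHOLDER_AFFILIATE_ID"),
]

if __name__ == "__main__":
    for requested, landed, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict}: {requested} -> {landed}")
```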