A second malicious ChatGPT extension for Chrome has been discovered, giving attackers access to users' Facebook accounts through stolen session cookies.


Yet another version of the malicious, Facebook account-stealing ChatGPT browser extension for Google Chrome has emerged, representing a new variant in a campaign affecting thousands of users daily.

The extension, discovered by Guardio Labs, was downloaded more than 9,000 times before Google removed it from the Chrome Web Store on March 22.

The extension also had been advertised through sponsored Google search results, targeting users who were searching for details about OpenAI's newly released GPT-4 model. Individuals who clicked on sponsored results for the popular generative AI app were directed to a counterfeit "ChatGPT for Google" webpage, then led to the malicious extension's listing on the official Chrome Web Store.

Once installed, the malware abuses the Chrome Extension API, using the cookie-access permission the extension is granted at install time, to harvest session cookies for Facebook accounts. With those cookies an attacker can replay the victim's logged-in session without a password or MFA prompt, giving them full access to the victim's Facebook account.
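The detail that matters for anyone vetting extensions is the permission combination cookie theft requires: the `cookies` permission plus host access to the target site. The following triage helper is an added example written for this article; it is not Guardio's analysis tooling and not code from the malicious extension. It checks an extension's manifest.json (Manifest V2 or V3) for that combination. The two manifests at the bottom are constructed samples, and the `facebook.com` watchlist is an assumption you would widen for your own environment.

```javascript
// Added example: flag a Chrome extension manifest that pairs the "cookies"
// permission with host access to a sensitive site (or to every site).
// Not the extension's code and not Guardio's; sample manifests are constructed.

const SENSITIVE_HOSTS = ["facebook.com"]; // assumption: hosts whose cookies you care about
const BROAD_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Collect every host match pattern the extension declares.
// MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions".
function hostPatterns(manifest) {
  const perms = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];
  const fromPerms = perms.filter(p => p === "<all_urls>" || p.includes("://"));
  return [...fromPerms, ...hosts];
}

// Extract the host part of a match pattern, e.g. "*://*.facebook.com/*" -> "*.facebook.com".
function hostFromPattern(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^[^:]+:\/\/([^/]+)/.exec(pattern);
  return m ? m[1] : null;
}

// Does this match pattern grant access to the given host?
function patternCovers(pattern, host) {
  if (BROAD_PATTERNS.includes(pattern)) return true;
  const h = hostFromPattern(pattern);
  if (!h) return false;
  if (h === "*") return true;
  if (h.startsWith("*.")) {
    // "*.facebook.com" covers facebook.com and any subdomain
    const bare = h.slice(2);
    return host === bare || host.endsWith("." + bare);
  }
  return h === host;
}

// Returns a structured verdict so callers can log or alert on it.
function triageManifest(manifest) {
  const perms = manifest.permissions || [];
  const patterns = hostPatterns(manifest);
  const hasCookies = perms.includes("cookies");
  const broad = patterns.some(p => BROAD_PATTERNS.includes(p));
  const reachable = SENSITIVE_HOSTS.filter(host => patterns.some(p => patternCovers(p, host)));
  const findings = [];
  if (hasCookies && (broad || reachable.length > 0)) {
    const scope = broad ? "all sites" : reachable.join(", ");
    findings.push(`"cookies" permission combined with host access to ${scope}`);
  }
  return { name: manifest.name, hasCookies, broad, reachable, suspicious: findings.length > 0, findings };
}

// Constructed sample: what a benign ChatGPT-style sidebar extension plausibly declares.
const benignManifest = {
  manifest_version: 3,
  name: "Example ChatGPT sidebar (constructed)",
  permissions: ["storage"],
  host_permissions: ["https://*.google.com/*", "https://chat.openai.com/*"],
};

// Constructed sample: the same extension with the two additions cookie theft needs.
const trojanizedManifest = {
  manifest_version: 3,
  name: "Example ChatGPT sidebar, trojanized (constructed)",
  permissions: ["storage", "cookies"],
  host_permissions: ["https://*.google.com/*", "https://chat.openai.com/*", "*://*.facebook.com/*"],
};

// Constructed sample: the MV2 form, where host patterns sit in "permissions".
const trojanizedMv2Manifest = {
  manifest_version: 2,
  name: "Example MV2 extension, trojanized (constructed)",
  permissions: ["storage", "cookies", "*://*.facebook.com/*"],
};

for (const m of [benignManifest, trojanizedManifest, trojanizedMv2Manifest]) {
  const v = triageManifest(m);
  console.log(`${v.suspicious ? "SUSPICIOUS" : "ok        "} ${v.name}${v.findings.length ? ": " + v.findings.join("; ") : ""}`);
}
```

The check is deliberately narrow: an extension can legitimately need `cookies` (a cookie-manager tool does), and many need broad host access, so the signal is the pairing, not either permission alone. Run it against the unpacked extension directory's manifest.json before approving an extension for an enterprise allowlist, and treat a hit on a site you do not expect the extension to touch as grounds for manual review of the background script.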

"Based on version 1.16.6 of the open source project, this FakeGPT variant does only one specific malicious action, right after installation, and the rest is basically the same as the genuine code — leaving no reasons to suspect it," Nati Tal, head of Guardio Labs, wrote in a blog post.

The latest version of the malicious extension follows one discovered earlier this month by the researchers at Guardio, which could hijack Facebook Business accounts.

From March 3 to March 9, at least 2,000 people per day installed that malicious "Quick access to ChatGPT" Chrome extension from the Chrome Web Store.

Once the extension gained access to a Facebook Business account, it immediately harvested all relevant data about that account, such as ongoing promotions, available credit, currency, minimum billing threshold, and any linked credit facility.

Malicious Chrome Extensions a Growing Threat

Malicious Chrome extensions have been a global concern for users of the popular browser. In August 2022, a group of McAfee Labs analysts published a list of five browser extensions that engage in cookie stuffing, one of them using the video streaming service Netflix as a hook.

These extensions monitor the browsing activity of the user and insert illegitimate IDs into e-commerce websites, resulting in fabricated affiliate payments.

In that case, the extensions had been downloaded 1.4 million times in total, according to McAfee's findings.

In November 2022, researchers at Zimperium zLabs uncovered a "Swiss Army knife-like" malicious browser extension called Cloud9, aimed at Chrome and Microsoft Edge users. It enables attackers to seize control of a user's browser session remotely and execute a broad range of attacks.

The Zimperium report noted that because the Cloud9 malware does not target any specific group, it is as much an enterprise threat as it is a consumer threat.

Kimsuky North Korean Threat Actors Target Chrome

More recently, the German Federal Office for the Protection of the Constitution (BfV) and the South Korean intelligence service (NIS) issued a warning of a cyber-espionage group that is said to target government agencies and research organizations worldwide.

The Kimsuky group, aka Velvet Chollima or Thallium, is believed to operate out of North Korea and uses malicious Chrome browser extensions as well as app store services to target individuals conducting research on the inter-Korean conflict.

The attackers rely on spear-phishing: targets are lured by email to counterfeit versions of well-known websites dressed up to look legitimate, or are tricked into installing a manipulated browser extension.

In the process, login data and other personal information could be intercepted by the attackers. Another method used by the hackers is to install malware unnoticed on Android smartphones via the Google Play app store.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
