Defending Against GlassWorm: Chrome Extension Tactics & Detection
Team,
Just read the latest update on the GlassWorm campaign (via The Hacker News). While the use of Solana dead drops for C2 is a fascinating infrastructure pivot, the payload delivery mechanism is what caught my eye. They are pushing a malicious Chrome extension disguised as an "Offline version of Google Docs."
This is a multi-stage framework that drops a RAT and an info-stealer. The capabilities listed are standard but nasty:
- Keystroke logging
- Cookie and session token dumping
- Screen capturing
- Targeting crypto wallets
Since this extension isn't coming from the Web Store (presumably sideloaded or dropped via the initial vector), standard Web Store policies won't save us here.
I'm drafting a quick PowerShell script to scan the registry for extensions with a version/manifest matching known malicious patterns (like "Offline Docs" or specific unsigned IDs).
# Scan for suspicious Chrome Extensions
# On-disk layout: ...\Extensions\<32-char extension id>\<version>\manifest.json
$paths = @(
    "${env:LOCALAPPDATA}\Google\Chrome\User Data\Default\Extensions",
    "${env:LOCALAPPDATA}\Google\Chrome\User Data\Profile *\Extensions"
)
foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ChildItem $path -Recurse -Filter "manifest.json" -ErrorAction SilentlyContinue | ForEach-Object {
            # -Raw hands ConvertFrom-Json the whole file as one string
            $manifest = Get-Content $_.FullName -Raw | ConvertFrom-Json
            # $_.Directory is the version folder; its parent is the extension ID
            $extId = $_.Directory.Parent.Name
            if ($manifest.name -match "Offline Docs" -or $manifest.permissions -contains "tabs") {
                Write-Host "Suspicious Extension Found: $extId ($($manifest.name) v$($manifest.version))"
            }
        }
    }
}
*Note: This is a heuristic check; you'll need to refine the logic for your environment.*
How are you guys handling extension whitelisting? Are you strictly blocking sideloading via GPO, or do you have EDR rules covering this?
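Building on the heuristic scan in the post above, here is an added example (my own code, not from the original poster or from any GlassWorm write-up) that triages a Chrome profile in Python. It reads each extension's manifest.json together with the profile's Preferences / Secure Preferences to decide whether the extension came from the Web Store (store extensions update from clients2.google.com/service/update2/crx and carry from_webstore: true in extensions.settings), flags permissions that enable the stealer capabilities listed above, and computes a content digest of the unpacked version folder so installs across a fleet can be compared. The sample profile it builds in a temporary directory is constructed test data (placeholder IDs made of repeated a and b, a fake "Offline version of Google Docs" manifest), not real malware, and the risky-permission set is my own triage choice.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Only extensions that update from this endpoint were installed from the Chrome Web Store.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions that give an extension the reach of the stealer described in the post.
# This set is my own choice (assumption); tune it for your environment.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "debugger",
                     "nativeMessaging", "desktopCapture", "tabCapture", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_extension_settings(profile: Path) -> dict:
    """Merge extensions.settings from Preferences and Secure Preferences.
    Chrome on Windows/macOS keeps install state such as from_webstore in the latter."""
    settings = {}
    for name in ("Preferences", "Secure Preferences"):
        f = profile / name
        if f.is_file():
            prefs = json.loads(f.read_text(encoding="utf-8"))
            settings.update(prefs.get("extensions", {}).get("settings", {}))
    return settings


def dir_digest(version_dir: Path) -> str:
    """SHA-256 over relative path + bytes of every file in the unpacked version folder:
    identical installs hash identically, a modified or added file changes the digest."""
    h = hashlib.sha256()
    for f in sorted(p for p in version_dir.rglob("*") if p.is_file()):
        h.update(f.relative_to(version_dir).as_posix().encode("utf-8") + b"\0")
        h.update(f.read_bytes())
    return h.hexdigest()


def triage_profile(profile: Path) -> list:
    """One finding per <profile>/Extensions/<id>/<version>/manifest.json."""
    settings = load_extension_settings(profile)
    findings = []
    for manifest_path in sorted((profile / "Extensions").glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        ext_id = version_dir.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        perms = set(manifest.get("permissions", []))
        # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
        hosts = set(manifest.get("host_permissions", [])) | {
            p for p in perms if "://" in p or p == "<all_urls>"}
        from_store = settings.get(ext_id, {}).get("from_webstore")
        findings.append({
            "id": ext_id,
            "name": manifest.get("name"),
            "version": manifest.get("version"),
            # Sideloaded if it does not update from the store, or Chrome recorded it as not from the store.
            "sideloaded": manifest.get("update_url") != WEBSTORE_UPDATE_URL or from_store is False,
            "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
            "broad_hosts": bool(hosts & BROAD_HOSTS),
            "digest": dir_digest(version_dir),
        })
    return findings


def build_sample_profile(root: Path) -> Path:
    """Constructed sample data, not real malware: one store-installed extension and one
    sideloaded 'Offline version of Google Docs' with stealer-style permissions."""
    profile = root / "Default"
    samples = {
        "a" * 32: ({"manifest_version": 3, "name": "Corporate SSO Helper", "version": "1.2.0",
                    "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"]}, True),
        "b" * 32: ({"manifest_version": 3, "name": "Offline version of Google Docs", "version": "0.9.1",
                    "permissions": ["cookies", "tabs", "scripting", "nativeMessaging"],
                    "host_permissions": ["<all_urls>"]}, False),
    }
    settings = {}
    for ext_id, (manifest, from_store) in samples.items():
        vdir = profile / "Extensions" / ext_id / (manifest["version"] + "_0")
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        (vdir / "background.js").write_text("// constructed placeholder\n", encoding="utf-8")
        settings[ext_id] = {"from_webstore": from_store}
    (profile / "Secure Preferences").write_text(
        json.dumps({"extensions": {"settings": settings}}), encoding="utf-8")
    return profile


def demo() -> list:
    """Run the triage against the constructed sample profile."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_profile(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    # For a live host point triage_profile at %LOCALAPPDATA%\Google\Chrome\User Data\Default instead.
    for f in demo():
        verdict = "SUSPECT" if f["sideloaded"] or f["risky_permissions"] else "ok"
        print(verdict, f["id"], f["name"], f["version"], f["risky_permissions"], f["digest"][:16])
```

The digest is meant for fleet comparison, not for matching against the Web Store: the store ships a signed .crx while the profile holds the unpacked files, so compare digests of the same extension version across hosts and treat an outlier as a candidate for deeper look.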
We saw a similar tactic with LastPass-themed malware last month. The Solana dead drop angle is particularly annoying because standard egress filtering often misses legitimate-looking RPC traffic to public nodes. We've started blocking access to known public RPC endpoints on user subnets, forcing them through an internal proxy if devs actually need blockchain access.
Nice script. For anyone using Sentinel, here's a KQL query to hunt for the "offline docs" string in process creation commands, which is how the malware often identifies the target file to corrupt or replace.
DeviceProcessEvents
| where InitiatingProcessFileName =~ "chrome.exe"   // =~ is case-insensitive; == is not
| where ProcessCommandLine contains "offline" and ProcessCommandLine contains "docs"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
Don't forget to check for the parent process being an unusual downloader or script interpreter.
Good catch on the registry check. If you're an MSP managing fleets, definitely enforce the ExtensionInstallBlocklist via GPO immediately. Even if you don't have a specific ID to block yet, setting it to * to block all and then allowing only specific corporate IDs is the only way to be truly safe against these sideloaded variants.
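For the default-deny posture described in the reply above, here is an added example (mine, not from that reply or from Google's documentation) in Python. It derives an extension's ID from the public key in its manifest (Chrome takes the first 128 bits of SHA-256 over the DER-encoded key and writes each hex digit as a letter a through p), so an internally built extension can be allowlisted before it is ever published; it evaluates whether a given ID would be installable under an ExtensionInstallBlocklist/ExtensionInstallAllowlist pair; and it renders the policy as a .reg fragment for HKLM\SOFTWARE\Policies\Google\Chrome, where Chrome reads list policies as REG_SZ values named 1, 2, 3 under each policy key and ExtensionInstallForcelist entries take the form id;update_url. The key bytes and IDs in the demo are constructed placeholders.

```python
import base64
import hashlib
import re

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome IDs are 32 letters from a to p


def extension_id_from_key(manifest_key_b64: str) -> str:
    """Derive the extension ID from the manifest 'key' field (base64 DER SubjectPublicKeyInfo):
    first 128 bits of SHA-256, each hex digit mapped 0->a ... f->p."""
    der = base64.b64decode(manifest_key_b64)
    digest_hex = hashlib.sha256(der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest_hex)


def install_allowed(ext_id: str, blocklist: list, allowlist: list) -> bool:
    """Apply Chrome's precedence: an ID on ExtensionInstallAllowlist installs even when the
    blocklist contains '*'; otherwise '*' or an explicit entry in the blocklist denies it."""
    if not EXT_ID_RE.match(ext_id):
        raise ValueError(f"not a valid extension id: {ext_id!r}")
    if ext_id in allowlist:
        return True
    return not ("*" in blocklist or ext_id in blocklist)


def policy_reg(blocklist: list, allowlist: list, forcelist_ids: list = ()) -> str:
    """Render the three extension policies as a .reg file. List policies are stored as
    REG_SZ values named "1", "2", ... under <POLICY_KEY>\\<PolicyName>."""
    policies = {
        "ExtensionInstallBlocklist": list(blocklist),
        "ExtensionInstallAllowlist": list(allowlist),
        # Force-installed extensions are written as "<id>;<update url>".
        "ExtensionInstallForcelist": [f"{i};{WEBSTORE_UPDATE_URL}" for i in forcelist_ids],
    }
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name, values in policies.items():
        lines.append(f"[{POLICY_KEY}\\{name}]")
        lines.extend(f'"{n}"="{v}"' for n, v in enumerate(values, start=1))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real public key; the derivation is the same.
    corp_key = base64.b64encode(b"constructed placeholder key material").decode()
    corp_id = extension_id_from_key(corp_key)
    print("derived id:", corp_id)
    print("corporate extension allowed:", install_allowed(corp_id, ["*"], [corp_id]))
    print("anything else allowed:", install_allowed("b" * 32, ["*"], [corp_id]))
    print(policy_reg(["*"], [corp_id], forcelist_ids=[corp_id]))
```

Import the rendered .reg on a test machine (or mirror the same values via GPO) and confirm the effective policy at chrome://policy before rolling it out; a sideloaded extension whose ID is not on the allowlist is then rejected at install time rather than hunted after the fact.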
Don't overlook the manifest during triage. These extensions often request aggressive permissions like tabs or storage that differ from legitimate offline tools.
To audit your fleet quickly, compare the hash of the installed .crx files against the Web Store version. Here's a quick Python snippet to check for unsigned or tampered extensions in a user profile:
import os, json, hashlib
path = os.path.expanduser('~/AppData/Local/Google/Chrome/User Data/Default/Extensions')
for root, _, files in os.walk(path):  # layout is <id>/<version>/manifest.json
    if 'manifest.json' in files:
        data = open(os.path.join(root, 'manifest.json'), 'rb').read()
        print(os.path.basename(os.path.dirname(root)), json.loads(data).get('name'), hashlib.sha256(data).hexdigest())
This helps catch cases where the update mechanism was hijacked.