Image: Qi'anxin Threat Intelligence Center
The Qi’anxin Threat Intelligence Center has uncovered a massive cyber operation impacting over a million internet users worldwide. This campaign, active since 2021, involves the distribution of a malicious browser plugin dubbed “Ghost Plugin.” This insidious plugin hijacks search engine results, manipulates e-commerce links, and tracks user browsing activity, posing a significant threat to online privacy and security.
The Ghost Plugin has infiltrated systems on a global scale, with millions of terminals affected. The malicious domain name associated with this operation ranks high on OpenDNS, indicating its widespread reach. Even within China, the related domain names see a substantial number of visits.
One of the primary functions of the Ghost Plugin is to hijack Google search results. By bypassing Google’s Content Security Policy (CSP) mechanism, the attackers inject JavaScript code into search pages, manipulating the displayed results. This manipulation can lead users to malicious websites or expose them to unwanted content.
Beyond search result manipulation, the Ghost Plugin also injects JavaScript code into any website visited by the infected user. This allows the attackers to track the victim’s browsing habits and gather valuable information about their online activity. When the victim visits an e-commerce site, the malicious code intercepts and modifies links, potentially redirecting users to phishing pages or sites designed to steal financial information.
The attackers employ a sophisticated infrastructure to support their operation. The domain name “overbridgenet.com” plays a central role, hosting various malicious scripts and resolving to an IP address that harbors multiple suspicious domains with high traffic volumes.
The Ghost Plugin is often distributed through cracked software installation packages, which are uploaded to popular download sites. Once a victim downloads and executes such a package, a series of malicious components are released onto their system. These components work together to establish persistence, inject malicious code into browser processes, and ultimately load the Ghost Plugin.
The plugin itself is a complex piece of malware, comprising various JavaScript files and a background service worker process. These components work in tandem to bypass security mechanisms, manipulate web pages, and collect user data.
The attackers leverage various techniques to evade detection and maintain their operation. They use obfuscation to hide their code, register their own API keys for legitimate services to track victims, and even disable browser XSS protection strategies.
The Qi’anxin Threat Intelligence Center’s report provides a detailed analysis of the Ghost Plugin’s operation, including its attack paths, technical details, and the potential impact on victims. This information is crucial for raising awareness and developing effective countermeasures against this threat.
Users are strongly encouraged to be vigilant about their online activity, keep their software updated, and avoid downloading files from untrusted sources.
