A new malware-as-a-service named Stanley enables attackers to create malicious Chrome extensions designed to bypass official security reviews for publication on the Chrome Web Store. These extensions use deceptive iframes to overlay phishing content on legitimate websites, allowing hackers to steal credentials while the browser address bar continues to display the original, trusted URL.
Researchers from the security firm Varonis recently identified the Stanley project, which is named after the alias used by its developer. This service specializes in distributing malicious browser extensions that can be silently installed across various platforms, including Chrome, Edge, and Brave. The primary mechanism of the malware involves intercepting user navigation and covering the intended webpage with a full-screen iframe. This technique allows attackers to present fraudulent login forms or phishing content while the victim believes they are still interacting with a legitimate site because the address bar remains unchanged.
The service is marketed through several subscription tiers, with the premium Luxe Plan providing a dedicated web panel and comprehensive support for navigating Google’s extension review process. This administrative panel lets operators toggle hijacking rules in real time or send aggressive push notifications directly to a victim's browser to lure them toward specific phishing pages. To increase its effectiveness, Stanley includes features for identifying victims by their IP addresses, which allows precise geographic targeting and lets operators track individuals across different sessions and devices.
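Each capability described above (covering every site a victim visits, watching navigation, pushing notifications, keeping a background poll alive) has to be declared in an extension's manifest before the browser will grant it, so a manifest is a cheap first place to look when triaging an add-on. The script below is an added example written for this page, not Varonis' tooling and not Stanley's actual manifest. The permission and content-script keys are real Chrome Manifest V3 names; the weights, thresholds and both sample manifests are my own assumptions, constructed to show a benign page-specific extension beside one that requests the full combination.

```python
"""First-pass triage of a browser-extension manifest.

Added example for this page; not the vendor's tooling and not any real
extension's manifest. Permission names are genuine Manifest V3 keys; the
weights and verdict thresholds are assumptions for illustration.
"""
import json

# Permissions that, combined with broad host access, let an extension behave
# the way the write-up describes. Weights are an assumption.
RISKY_PERMISSIONS = {
    "webNavigation": 2,        # observe and react to navigation
    "webRequest": 2,
    "declarativeNetRequest": 2,
    "scripting": 2,            # inject code into arbitrary tabs
    "tabs": 1,
    "notifications": 2,        # push notifications to the user
    "alarms": 1,               # periodic background wake-ups
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _broad(patterns):
    return any(p in BROAD_HOSTS for p in patterns)


def triage_manifest(manifest: dict) -> dict:
    """Return a score, a verdict and the findings that produced them."""
    findings, score = [], 0

    perms = set(manifest.get("permissions", []))
    for name, weight in RISKY_PERMISSIONS.items():
        if name in perms:
            findings.append(f"permission:{name}")
            score += weight

    # MV2 manifests put host patterns inside "permissions"; MV3 uses
    # "host_permissions". Check both.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    if _broad(hosts):
        findings.append("host_permissions:broad")
        score += 3

    for cs in manifest.get("content_scripts", []):
        if _broad(cs.get("matches", [])):
            findings.append("content_script:all_sites")
            score += 3
        if cs.get("all_frames"):
            findings.append("content_script:all_frames")
            score += 1
        if cs.get("run_at") == "document_start":
            findings.append("content_script:document_start")
            score += 1

    # Injection on every site plus the ability to nag the user is the
    # combination the write-up describes; flag it explicitly.
    if "content_script:all_sites" in findings and "permission:notifications" in findings:
        findings.append("combo:all_sites+notifications")
        score += 2

    verdict = "review" if score >= 8 else ("watch" if score >= 4 else "low")
    return {"score": score, "verdict": verdict, "findings": findings}


def triage_manifest_text(text: str) -> dict:
    """Convenience wrapper for a raw manifest.json string."""
    return triage_manifest(json.loads(text))


# Constructed samples (assumptions, not real extensions).
SAMPLE_BENIGN = {
    "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["x.js"]}],
}
SAMPLE_SUSPICIOUS = {
    "manifest_version": 3,
    "permissions": ["webNavigation", "scripting", "notifications", "alarms",
                    "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "all_frames": True,
                         "run_at": "document_start", "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for label, m in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, triage_manifest(m))
```

The score is only a prioritisation aid: plenty of legitimate extensions (password managers, ad blockers) legitimately request broad host access, so a "review" verdict means a human should read the content scripts, not that the extension is malicious.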
From a technical standpoint, the malware keeps in contact with its command-and-control server by polling it for instructions every ten seconds. It also uses a domain rotation strategy as a fallback, so the malicious infrastructure keeps working even if its primary domains are taken down by security providers. This resilience, combined with the ability to customize the extension’s behavior, makes it a versatile tool for various types of cyberattacks beyond simple credential theft.
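A fixed ten-second poll is exactly the kind of cadence that stands out in proxy or DNS telemetry, and domain rotation shows up as the same cadence continuing against a new host the moment the old one goes quiet. The detection below is an added example for this page, not Varonis' logic and not tied to any real Stanley infrastructure: the log format, the `.invalid` hostnames, the client addresses and the thresholds are all constructed assumptions. It flags per-client, per-host request series with a short, low-jitter period and then chains consecutive beacons from one client into a rotation finding.

```python
"""Beacon and domain-rotation detection over proxy log lines.

Added example for this page. The log format, hostnames and thresholds are
constructed assumptions, not observed indicators.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed log: "<iso-timestamp> <client-ip> <method> <url> <status>".
# 10.0.0.5 polls c2-a every 10 s, then moves to c2-b at the same cadence;
# 10.0.0.7 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 GET https://c2-a.invalid/poll 200
2024-05-01T10:00:03Z 10.0.0.7 GET https://news.invalid/ 200
2024-05-01T10:00:10Z 10.0.0.5 GET https://c2-a.invalid/poll 200
2024-05-01T10:00:20Z 10.0.0.5 GET https://c2-a.invalid/poll 200
2024-05-01T10:00:25Z 10.0.0.5 GET https://mail.invalid/inbox 200
2024-05-01T10:00:30Z 10.0.0.5 GET https://c2-a.invalid/poll 200
2024-05-01T10:00:40Z 10.0.0.5 GET https://c2-a.invalid/poll 200
2024-05-01T10:00:41Z 10.0.0.7 GET https://news.invalid/article/1 200
2024-05-01T10:00:50Z 10.0.0.5 GET https://c2-a.invalid/poll 200
2024-05-01T10:01:00Z 10.0.0.5 GET https://c2-b.invalid/poll 200
2024-05-01T10:01:10Z 10.0.0.5 GET https://c2-b.invalid/poll 200
2024-05-01T10:01:20Z 10.0.0.5 GET https://c2-b.invalid/poll 200
2024-05-01T10:01:30Z 10.0.0.5 GET https://c2-b.invalid/poll 200
2024-05-01T10:01:37Z 10.0.0.7 GET https://news.invalid/article/2 200
2024-05-01T10:01:40Z 10.0.0.5 GET https://c2-b.invalid/poll 200
2024-05-01T10:01:50Z 10.0.0.5 GET https://c2-b.invalid/poll 200
2024-05-01T10:02:31Z 10.0.0.7 GET https://news.invalid/ 200
"""


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the sweep
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        host = parts[3].split("://", 1)[-1].split("/", 1)[0]
        yield ts, parts[1], host


def detect_beacons(text, min_requests=5, max_period=60.0, max_jitter=0.2):
    """Return periodic (client, host) series and per-client host rotations."""
    seen = defaultdict(list)
    for ts, client, host in parse_log(text):
        seen[(client, host)].append(ts)

    beacons = []
    for (client, host), stamps in seen.items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        # Human browsing is bursty; a tight, short cadence is the tell.
        if 0 < period <= max_period and pstdev(gaps) / period <= max_jitter:
            beacons.append({"client": client, "host": host, "period": period,
                            "first": stamps[0], "last": stamps[-1]})

    # Rotation: one client's beacon hands off to a new host with no break
    # longer than two periods, i.e. the same poll loop against a new domain.
    rotations = []
    by_client = defaultdict(list)
    for b in beacons:
        by_client[b["client"]].append(b)
    for client, items in by_client.items():
        items.sort(key=lambda b: b["first"])
        chain = [items[0]]
        for nxt in items[1:]:
            prev = chain[-1]
            if (nxt["first"] - prev["last"]).total_seconds() <= 2 * prev["period"]:
                chain.append(nxt)
            else:
                if len(chain) > 1:
                    rotations.append({"client": client, "hosts": [b["host"] for b in chain]})
                chain = [nxt]
        if len(chain) > 1:
            rotations.append({"client": client, "hosts": [b["host"] for b in chain]})

    return {"beacons": beacons, "rotations": rotations}


if __name__ == "__main__":
    result = detect_beacons(SAMPLE_LOG)
    for b in result["beacons"]:
        print(f"beacon {b['client']} -> {b['host']} every {b['period']:.0f}s")
    for r in result["rotations"]:
        print(f"rotation {r['client']}: {' -> '.join(r['hosts'])}")
```

Real implants usually add jitter, so in production the `max_jitter` bound is the knob to tune against your own baseline; the rotation chaining is what separates a retired C2 domain from an unrelated new one, since an ordinary user does not resume a ten-second cadence against a fresh host within two polls of the last one.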
Despite its effectiveness, the actual code behind Stanley is described by researchers as unpolished and relatively simple. The software contains Russian language comments, inconsistent error handling, and lacks the sophisticated obfuscation often found in high-end malware. It relies on well-known, straightforward techniques rather than groundbreaking exploits. Varonis suggests that the author prioritized functionality and ease of use for the buyer over technical elegance, focusing on a distribution model that leverages the inherent trust users place in official app stores.
The true threat of Stanley lies in its promise to bypass the Chrome Web Store’s vetting process, which traditionally serves as a major barrier for malware distribution. By successfully placing malicious add-ons on a platform trusted by millions, the developers of Stanley have created a significant bridge between amateur attackers and high-value targets. This distribution model represents a shift toward more accessible cybercrime, where the difficulty of infecting a target is minimized through the exploitation of reputable software ecosystems.
Source: Malware Service Promises Phishing Extensions On Chrome Web Store

Really insightful writeup. The detail about domain rotation as a resilience mechanism is clever but also highlights how MaaS platforms are democratizing attack sophistication. I've noticed a pattern where these services lower the barrier for attackers who don't need deep technical knowledge anymore; they just need cash.