A long time ago, browsers were wrappers for HTTP web requests and little else. However, the modern browser is crammed with so many features that it is practically an operating system. This talk will demonstrate how to (ab)use years of legacy features. In addition, it will show how recent additions to Google Chrome mimic the capabilities of a conventional C2 implant while evading traditional endpoint protection.
We will introduce our new open-source framework “ChromeAlone” which implements features such as proxying raw TCP traffic, phishing for YubiKey USB codes, dumping cookies and credentials, keylogging browser windows, and executing shell commands from Chrome. Our implementation leverages Chrome’s built-in features and sideloads malicious components without user interaction. Additionally, it obfuscates code using WebAssembly to evade detection. This research exposes significant security implications of Chrome’s expanding feature set. Moreover, it highlights the challenges of securing modern browsers against abuse.