Trusted Tools Turned Trojan Horses: How Fake SAP Concur Extensions Opened the Door to Silent Enterprise Compromise

Executive Summary

On January 5, a targeted malware campaign was identified abusing the brand of SAP Concur to compromise enterprise users. The campaign leveraged malicious search engine advertisements (malvertising) to distribute a fraudulent browser extension that masqueraded as a legitimate Concur add-on.

Once installed, the extension deployed a covert backdoor malware known as FireClient, granting attackers persistent remote access to the victim system. The attack required no software vulnerabilities, no exploitation of Concur infrastructure, and no compromise of official browser extension stores. The success of the campaign relied entirely on user trust, brand impersonation, and weak browser governance controls commonly found in corporate environments.

This activity represents a high-risk initial access operation, suitable for credential theft, data exfiltration, lateral movement, and follow-on attacks such as ransomware or espionage.


Incident Context and Why This Matters

This campaign is important because it reflects a shift in attacker tradecraft:

  • Attackers increasingly avoid exploits
  • User interaction is now the primary attack surface
  • Browsers are treated as trusted but poorly monitored environments
  • Enterprise software branding significantly lowers suspicion

The campaign demonstrates that traditional patching and vulnerability management would not have prevented this intrusion.


Threat Actor Profile and Motivation

While no specific group attribution is confirmed, the operational characteristics strongly suggest initial-access brokers or financially motivated intrusion operators.

Indicators supporting this assessment:

  • Precise targeting of enterprise software users
  • Paid advertising costs absorbed by attackers
  • Quiet malware with no immediate monetization
  • Persistence and C2 design consistent with long-term access

Likely objectives include:

  • Harvesting enterprise credentials
  • Establishing footholds in corporate networks
  • Selling access to other threat groups
  • Preparing environments for ransomware deployment at a later stage

This was not smash-and-grab malware; it was deliberate and patient.


Campaign Timeline

  • Preparation Phase
    • Registration of look-alike domains
    • Development of fake extension
    • Setup of C2 infrastructure
  • Activation Phase
    • Sponsored ads launched
    • Fake websites promoted
  • January 5
    • Campaign discovered and analyzed
  • Post-Exposure
    • Infrastructure rotation
    • Domain churn to avoid blocking

The rapid rotation after discovery indicates active monitoring by the attackers.


Full Attack Chain Breakdown

Reconnaissance

Attackers identified:

  • SAP Concur’s widespread enterprise use
  • User behavior of searching for productivity extensions
  • Trust in sponsored search results

Weaponization

  • Creation of a malicious browser extension
  • Obfuscated JavaScript embedded
  • Loader logic included to deploy FireClient

Delivery

  • Paid search engine ads
  • Convincing Concur-themed landing pages
  • Manual extension installation instructions

Initial Access

  • User installs extension outside official store
  • Browser security warnings ignored or misunderstood

Execution

  • Extension executes malicious scripts
  • FireClient payload dropped or fetched remotely
  • Execution occurs using native OS mechanisms

Persistence

  • Registry autoruns
  • Scheduled tasks
  • Extension auto-load behavior

Command and Control

  • Encrypted web traffic
  • Regular low-frequency beaconing
  • Commands issued on demand

Actions on Objectives

  • System reconnaissance
  • Credential access
  • Preparation for secondary payloads

Browser Extension Abuse

The extension was central to the attack and served multiple purposes:

  • Initial delivery
  • Persistence mechanism
  • Execution proxy

Key abuse techniques:

  • Excessive permission requests
  • Background execution without user awareness
  • Obfuscated JavaScript to evade static inspection
  • Ability to invoke system processes indirectly

Many enterprises lack:

  • Extension allowlists
  • Centralized browser telemetry
  • Alerts for sideloaded extensions

These gaps delayed detection and made it harder.


Malware Technical Analysis: FireClient

FireClient is best described as a minimalistic, modular backdoor.

Functional Capabilities

  • Remote shell execution
  • File staging and transfer
  • Host profiling
  • Secondary payload delivery
  • Persistence across sessions

Operational Characteristics

  • Runs from user-writable directories
  • Avoids kernel-level behavior
  • Low CPU and memory usage
  • Designed to remain unnoticed

FireClient’s design suggests it is intended to be one component in a larger intrusion chain, not the final payload.


Infrastructure and C2 Behavior

Command-and-Control Traits

  • Newly registered domains
  • Short-lived hosting
  • HTTPS traffic to blend with normal browsing
  • Regular but non-noisy beacon intervals

Defensive Evasion

  • Domain churn
  • No hard-coded IP reliance
  • Traffic patterns similar to SaaS applications

Impact Assessment

Confirmed Impact

  • Compromise of individual corporate endpoints
  • Exposure of credentials used on infected systems
  • Loss of endpoint integrity

Potential Impact

  • Lateral movement into internal networks
  • Access to financial and travel records
  • Privilege escalation via credential reuse
  • Secondary malware deployment

This campaign should be treated as a pre-ransomware or pre-espionage intrusion.


Indicators of Compromise

Endpoint Indicators

  • Browser spawning PowerShell or CMD
  • Unsigned executables in user directories
  • Unexpected autorun mechanisms

Browser Indicators

  • Sideloaded extensions
  • Excessive permission scopes
  • Obfuscated scripts within extensions

Network Indicators

  • Beacon-like outbound traffic
  • New domains contacted shortly after extension install
  • HTTPS traffic with unusual timing patterns

Detection

Splunk Detection Queries (SPL)

Browser → Shell Execution

index=endpoint
Parent_Process_Name IN ("chrome.exe","msedge.exe","firefox.exe")
Process_Name IN ("powershell.exe","cmd.exe","wscript.exe","cscript.exe")
| stats count by host, user, Parent_Process_Name, Process_Name, Command_Line

Unsigned Executables from User Paths

index=endpoint
Process_Name=*.exe
(Path="*\\Users\\*" OR Path="*\\AppData\\*" OR Path="*\\Temp\\*")
Signed=false
| stats count by host, user, Process_Name, Path

Extension-Related Network Beaconing

index=network
src_process IN ("chrome.exe","msedge.exe","firefox.exe")
dest_port IN (80,443)
| bucket _time span=5m
| stats count by src_ip, dest_domain, _time
| where count > 3 AND count < 25

Microsoft Sentinel (KQL) Detection Queries

Browser Launching Script Engines

DeviceProcessEvents
| where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","firefox.exe")
| where FileName in~ ("powershell.exe","cmd.exe","wscript.exe","cscript.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine

Suspicious Persistence Creation

DeviceRegistryEvents
// "Run" as a substring also matches RunOnce, RunMRU and similar keys; tighten with endswith if too noisy
| where RegistryKey contains "Run"
| where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","powershell.exe")
| project Timestamp, DeviceName, RegistryKey, RegistryValueData

Low-Volume Beaconing Detection

DeviceNetworkEvents
| where RemotePort in (80,443)
| summarize count() by DeviceName, RemoteUrl, bin(Timestamp, 5m)
| where count_ between (3 .. 20)

Response and Containment Guidance

Immediate Actions

  • Isolate affected systems
  • Remove unapproved extensions
  • Reset all credentials used on infected hosts
  • Block known malicious domains

Strategic Improvements

  • Enforce browser extension allowlists
  • Disable extension sideloading
  • Monitor browser-spawned child processes
  • Treat browsers as high-risk execution environments
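Two of the controls in this report can be checked mechanically: the review of excessive permission scopes and missing allowlists described under Browser Extension Abuse, and the allowlist and sideloading restrictions listed in Strategic Improvements. The following Python is an added example, not Aegiron's or SAP's code: it audits an unpacked extension's manifest.json for high-impact permissions and broad host access, treats the absence of the Chrome Web Store update_url as a sideload heuristic, and emits the Chrome/Edge ExtensionInstallAllowlist / ExtensionInstallBlocklist policy that enforces the allowlist. The permission names and policy keys are real; the extension IDs, manifests and allowlist are constructed placeholders, and the risk weighting is this example's own judgment.

```python
"""Audit an extension manifest against an allowlist and high-impact
permissions, and emit the managed policy that enforces the allowlist.
Added example; IDs, manifests and allowlist are constructed."""
import json

# Real Manifest V3 permission names; the risk notes are this example's judgment.
HIGH_RISK_PERMISSIONS = {
    "nativeMessaging": "exchanges messages with a native host process outside the browser",
    "debugger": "drives any tab through the DevTools protocol",
    "webRequest": "observes every request the browser makes",
    "scripting": "injects script into pages it has host access to",
    "cookies": "reads session cookies for permitted hosts",
    "management": "lists and disables other extensions",
    "proxy": "redirects all browser traffic",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Extensions installed from the Chrome Web Store carry this update_url in the
# installed manifest. Treating its absence as a sideload signal is a heuristic
# (an assumption of this example), not proof of sideloading.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def audit_extension(extension_id, manifest, allowlist):
    """Findings for one extension: allowlist status, high-risk permissions,
    broad host patterns, the sideload heuristic and a verdict."""
    perms = set(manifest.get("permissions", []))
    # MV2 put host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if p == "<all_urls>" or "://" in p}
    findings = {
        "id": extension_id,
        "name": manifest.get("name", "?"),
        "allowlisted": extension_id in allowlist,
        "high_risk": sorted(p for p in perms if p in HIGH_RISK_PERMISSIONS),
        "broad_hosts": sorted(h for h in hosts if h in BROAD_HOST_PATTERNS),
        "sideload_suspect": manifest.get("update_url") != WEBSTORE_UPDATE_URL,
    }
    if findings["allowlisted"]:
        findings["verdict"] = "allow"  # policy decides; findings stay visible for review
    elif findings["high_risk"] or findings["broad_hosts"] or findings["sideload_suspect"]:
        findings["verdict"] = "block"
    else:
        findings["verdict"] = "review"
    return findings


def managed_policy(allowlist):
    """Chrome/Edge policy values: block every extension ("*") except the
    allowlisted IDs. The same two keys apply to both browsers."""
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(allowlist)}


# Constructed placeholders. Chrome IDs are 32 characters from a-p, so these
# have a realistic shape but refer to no real extension.
BENIGN_ID = "abcdefghijklmnopabcdefghijklmnop"
FAKE_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"
ALLOWLIST = {BENIGN_ID}

FAKE_MANIFEST = {  # constructed; follows the brand-impersonating add-on pattern
    "manifest_version": 3,
    "name": "Concur Expense Helper",
    "version": "1.0.2",
    "permissions": ["nativeMessaging", "scripting", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
BENIGN_MANIFEST = {  # constructed
    "manifest_version": 3,
    "name": "Approved Expense Add-on",
    "version": "2.3.0",
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://*.example.com/*"],
    "update_url": WEBSTORE_UPDATE_URL,
}

if __name__ == "__main__":
    for ext_id, manifest in ((FAKE_ID, FAKE_MANIFEST), (BENIGN_ID, BENIGN_MANIFEST)):
        print(json.dumps(audit_extension(ext_id, manifest, ALLOWLIST), indent=2))
    print(json.dumps(managed_policy(ALLOWLIST), indent=2))
```

The policy dictionary maps onto the registry under HKLM\Software\Policies\Google\Chrome (or HKLM\Software\Policies\Microsoft\Edge) on Windows and onto a JSON file under /etc/opt/chrome/policies/managed/ on Linux. A blocklist of "*" with an explicit allowlist is what "enforce extension allowlists" and "disable extension sideloading" amount to in policy terms: anything not on the list, store-hosted or not, is refused at install time.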

Risk Rating

Overall Risk: High

This rating reflects:

  • Enterprise targeting
  • Persistent remote access
  • Likely follow-on attacks
  • Minimal reliance on exploits

Final Threat Intelligence Assessment

This campaign illustrates a modern intrusion reality: initial access no longer requires technical sophistication—only trust abuse. By combining malvertising, browser extensions, and enterprise branding, attackers achieved reliable access while bypassing many traditional controls.

Organizations that do not actively monitor browser behavior, extension installations, and user-initiated software actions remain highly exposed to similar campaigns.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.