A recently uncovered campaign, tracked as GhostPoster, shipped malicious code in Mozilla Firefox browser extensions by hiding JavaScript inside the add-ons' logo image files. The technique was used in 17 add-ons, which together had been downloaded more than 50,000 times before they were taken down. The hidden code was used to hijack legitimate affiliate links for profit, inject tracking code into users' browsing sessions, and carry out click and advertisement fraud. Researchers at Koi Security identified and disclosed the campaign and confirmed that all of the affected extensions have since been removed from the add-on store.
The add-ons were marketed under a spread of everyday functions: virtual private networks, screenshot utilities, several ad blockers, and a number of unofficial clones of Google Translate. Their publication dates vary; the oldest known one is an add-on named Dark Mode, first published on October 25, 2024, which promised to apply a dark theme to every website the user visited.
Although the add-ons presented themselves as harmless utilities, security researchers Lotan Sery and Noga Gouldman found that their real purpose was far more harmful. According to the researchers, the extensions quietly deploy a multi-stage malware payload that monitors all of the victim's browsing activity, disables the browser's built-in security protections, leaving the system more exposed, and opens a hidden backdoor that allows remote code execution on the user's machine.
The chain starts as soon as the extension loads and the browser fetches its logo file. The extension's own code reads the image bytes and scans them for a predefined marker, the three-character sequence "===", which separates the image data from the hidden JavaScript that follows it. Everything after the marker is extracted and run. This extracted code is only a loader: its sole job is to contact one of the campaign's command-and-control servers, "www.liveupdt[.]com" or "www.dealctr[.]com".
Once the loader reaches one of those servers, it downloads the final stage, the main payload that carries out the fraud and surveillance described above. The loader also has a built-in stealth mechanism: if it fails to reach the server, it waits 48 hours before trying again. Automated scanners and sandboxes typically observe an extension for minutes rather than days, so this delay lets the add-on look benign during review and only later pull down the malicious code.
Source: GhostPoster Malware Found In Seventeen Firefox Addons With 50000 Downloads Users