- Experts flag 150 Firefox add-ons which served as infostealers and keyloggers
- Add-ons added to the store are benign, but when they gain a reputation, they are transformed into malware
- The crooks steal crypto and track their victims’ IP addresses
Cryptocurrency users running the Firefox browser should be careful – a major campaign has been detected aiming to steal their tokens right out of their wallets.
Recently, security researchers from Koi Security identified 150 add-ons in the Mozilla store which served as infostealers and keyloggers.
These add-ons started as benign tools, impersonating popular crypto wallets such as MetaMask, TronLink, or Rabby, but after accumulating enough downloads and positive reviews, the attackers replace them with new names and logos and inject malicious code that steals user wallet credentials and IP addresses.
GreedyBear
“The weaponized extensions captures wallet credentials directly from user input fields within the extension’s own popup interface, and exfiltrate them to a remote server controlled by the group,” Koi Security said in its writeup.
“During initialization, they also transmit the victim’s external IP address, likely for tracking or targeting purposes.”
The malicious code was partially generated with the help of AI, the experts said, dubbing the campaign “GreedyBear”, and claiming it raked in more than a million dollars already.
The “bear” in the name could be a reference to Russia, since the operation is apparently complemented by dozens of pirated software websites distributing 500 malware variants, as well as fake Trezor, Jupiter Wallet, and other crypto websites. All of them are written in Russian.
The malware distributed through the website is generic, the researchers added, with LummaStealer standing out as a more notable name.
All of the sites are linked to the same IP address, which means that a single entity is running the entire operation.
Koi Security reported its findings to Mozilla, which swiftly removed all malicious add-ons from its repository. However, users who downloaded them in the meantime will remain at risk until they delete the add-ons from their browsers and refresh all login credentials.
Via BleepingComputer
You might also like
- Over two dozens of fake crypto wallet apps on Play Store are stealing users’ 12-word seed phrase without warning
- Take a look at our guide to the best authenticator app
- We’ve rounded up the best password managers