
    Crypto Theft Campaign Hits Firefox Users with Wallet Clones

By dogcrypto, July 3, 2025

    More than 40 fake extensions for the popular web browser Mozilla Firefox have been linked to an ongoing malware campaign to steal cryptocurrencies, according to a report published Wednesday by cybersecurity firm Koi Security.

The large-scale impersonation campaign reportedly deploys extensions posing as wallet tools such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget and others. Once installed, the malicious extensions harvest the user's wallet credentials.

    “So far, we were able to link over 40 different extensions to this campaign, which is still ongoing and very much alive,” the company said.

Koi Security said the campaign has been active since at least April, with the most recent extensions uploaded in the week before the report. The extensions reportedly read wallet credentials directly out of the targeted websites and upload them to a remote server controlled by the attacker.

    Source: SlowMist


    Malware exploits trust through design

Per the report, the campaign relies on ratings, reviews, branding and working functionality to appear legitimate and earn user trust. One of the extensions had hundreds of fake five-star reviews.

The fake extensions also used names and logos identical to those of the real services they impersonated. In multiple instances the threat actors cloned the open-source code of the official extensions and added malicious logic, so the fakes behaved exactly like the originals:

    “This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection.”


    Russian-speaking threat actor suspected

    Koi Security said “attribution remains tentative,” but suggested “multiple signals point to a Russian-speaking threat actor.” Those signals include Russian-language comments in the code and metadata found in a PDF file retrieved from a malware command-and-control server involved in the incident:

“While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group.”

    To mitigate risk, Koi Security urged users to install browser extensions only from verified publishers. The firm also recommended treating extensions as full software assets, using allowlists and monitoring for unexpected behavior or updates.
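The allowlist-and-monitoring control Koi Security recommends, as an added example (this is not the firm's, Mozilla's or any wallet vendor's code): a Python audit that reads a Firefox profile's add-on inventory and reports anything that is not on the approved list, anything whose display name collides with an approved extension (the name-and-logo cloning described above), and any approved extension whose version differs from the one last reviewed. It assumes the profile's extensions.json carries an "addons" list with "id", "version", "active" and "defaultLocale.name" fields; the extension IDs, names and versions used are hypothetical placeholders, and the sample inventory is constructed for the example.

```python
"""Audit a Firefox profile's installed extensions against an allowlist.

Added example, not code from Koi Security, Mozilla or any wallet vendor.
Assumptions:
  * Firefox keeps its add-on inventory in <profile>/extensions.json as JSON
    with an "addons" list whose entries carry "id", "version", "active" and
    "defaultLocale": {"name": ...}; only those fields are read here.
  * The allowlist maps an approved extension ID to its approved display name
    and the version last reviewed. The IDs, names and versions below are
    hypothetical placeholders, not real add-on identifiers.
  * SAMPLE_EXTENSIONS_JSON is a constructed inventory for this example.
"""
import json
import re

ALLOWLIST = {
    "wallet@example-vendor.test": {"name": "Example Wallet", "version": "12.3.0"},
    "blocker@example.test": {"name": "Example Blocker", "version": "1.58.0"},
}

# Constructed inventory in the assumed extensions.json shape.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 37,
    "addons": [
        # approved wallet at the reviewed version: no finding
        {"id": "wallet@example-vendor.test", "version": "12.3.0", "active": True,
         "defaultLocale": {"name": "Example Wallet"}},
        # approved blocker that silently moved to a newer version
        {"id": "blocker@example.test", "version": "1.59.0", "active": True,
         "defaultLocale": {"name": "Example Blocker"}},
        # unlisted add-on reusing the approved wallet's display name (a clone)
        {"id": "{0f9d2c7e-0000-4000-8000-000000000000}", "version": "12.3.0",
         "active": True, "defaultLocale": {"name": "Example  Wallet "}},
        # unlisted add-on with an unrelated name
        {"id": "notes@example.test", "version": "0.4.1", "active": False,
         "defaultLocale": {"name": "Sticky Notes"}},
    ],
})

# Triage order: a clone of an approved brand is the most urgent finding.
SEVERITY = {"impersonation": 0, "unlisted": 1, "unexpected_update": 2}


def _norm(name):
    """Collapse case and whitespace so 'Example  Wallet ' matches 'Example Wallet'."""
    return re.sub(r"\s+", " ", name or "").strip().casefold()


def audit_profile(extensions_json_text, allowlist=ALLOWLIST):
    """Return one finding per add-on that deviates from the allowlist.

    Finding kinds:
      impersonation      unlisted ID whose display name matches an approved one
      unlisted           ID not on the allowlist at all
      unexpected_update  approved ID whose installed version differs from the
                         reviewed version (a silent update is how a clone or
                         a compromised update channel would change behaviour)
    Disabled add-ons are still reported: they can be re-enabled by the user.
    """
    inventory = json.loads(extensions_json_text)
    approved_names = {_norm(v["name"]): k for k, v in allowlist.items()}
    findings = []
    for addon in inventory.get("addons", []):
        ext_id = addon.get("id", "")
        name = (addon.get("defaultLocale") or {}).get("name", "")
        version = addon.get("version", "")
        base = {"id": ext_id, "name": name, "active": bool(addon.get("active"))}
        if ext_id in allowlist:
            expected = allowlist[ext_id]["version"]
            if version != expected:
                findings.append(dict(base, kind="unexpected_update",
                                     detail=f"installed {version}, reviewed {expected}"))
            continue
        impersonated = approved_names.get(_norm(name))
        if impersonated:
            findings.append(dict(base, kind="impersonation",
                                 detail=f"display name collides with approved {impersonated}"))
        else:
            findings.append(dict(base, kind="unlisted", detail="not on allowlist"))
    findings.sort(key=lambda f: SEVERITY[f["kind"]])  # stable: inventory order within a kind
    return findings


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_EXTENSIONS_JSON):
        print(f"{f['kind']:18} {f['id']:45} {f['name']!r}: {f['detail']}")
```

Run against a real profile by passing the contents of extensions.json instead of the constructed sample; the allowlist should be keyed by the extension ID recorded at review time, never by display name, because the display name is exactly what the cloned extensions copy.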
