
Crypto Theft Campaign Hits Firefox Users with Wallet Clones

More than 40 fake extensions for the Mozilla Firefox web browser have been linked to a malware campaign that steals cryptocurrency, according to a report published Wednesday by cybersecurity company Koi Security.

The large-scale phishing operation impersonates wallet tools such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget and others. Once installed, the malicious extensions are designed to steal users' wallet credentials.

“So far, we have been able to link more than 40 different extensions to this campaign, which is still ongoing and very much alive,” the company said.

Koi Security said the campaign has been active since at least April and that the most recent extensions were uploaded last week. The extensions extract wallet credentials directly from the targeted websites and send them to a remote server controlled by the attacker.


Related: How a simple browser extension prevented an $80,000 transfer to a malicious wallet

Malware exploits trust by design

According to the report, the campaign leans on ratings, reviews, branding and features to gain user trust by appearing legitimate. One of the extensions carried hundreds of fake five-star reviews.

The fake extensions also used names and logos identical to those of the real services they impersonated. In several cases, the threat actors took the open-source code of the official extensions, cloned it, and added malicious code on top:

“This low-effort, high-impact approach allowed the actor to maintain the expected user experience while reducing the immediate chances of detection.”

Related: Microsoft warns of new remote access trojan targeting crypto wallets

Suspected Russian-speaking threat actor

Koi Security said that “attribution remains tentative” but suggested that “multiple signals point to a Russian-speaking threat actor.” Those signals include Russian-language comments in the code and metadata in a PDF file recovered from a command-and-control server used in the campaign:

“Although not conclusive, these artifacts suggest the campaign may originate from a Russian-speaking threat group.”

To mitigate the risk, Koi Security urged users to install browser extensions only from verified publishers. The company also recommended treating extensions as full software assets: maintain an allowlist of approved extension IDs and monitor for unexpected behavior or updates. A name, logo and star rating are all controlled by whoever publishes the listing, so none of them identify a wallet extension; the publisher and the extension ID do.
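The recommendation above amounts to three concrete controls: an allowlist keyed on extension ID rather than display name, a check for installed extensions that carry a wallet brand name without the approved ID, and a watch for version changes on approved extensions. The script below, written for this article and not code from Koi Security or Mozilla, implements all three against a Firefox profile's `extensions.json`. It assumes that file carries an `addons` list whose entries have `id`, `type`, `version`, `sourceURI` and `defaultLocale.name`; the sample embedded below is constructed to mirror that shape, and every extension ID in it, including the allowlist entries, is a placeholder that an administrator would replace after verifying the real IDs on addons.mozilla.org. The `build_policy` function emits the `ExtensionSettings` block of a Firefox enterprise `policies.json` so the allowlist is enforced rather than merely audited.

```python
"""Audit installed Firefox extensions against an allowlist, flag wallet-brand
lookalikes, detect version drift, and emit an enforcing policies.json.

Added example for this article; not code from Koi Security or Mozilla.
Assumption: extensions.json in a Firefox profile has an "addons" list whose
entries carry "id", "type", "version", "sourceURI" and "defaultLocale.name".
All extension IDs below are placeholders; verify real IDs on addons.mozilla.org.
"""
import json

# Extension ID -> expected display name.  Hypothetical entries: replace with
# the IDs your organisation has actually verified against the store listing.
ALLOWLIST = {
    "webextension@metamask.io": "MetaMask",
    "uBlock0@raymondhill.net": "uBlock Origin",
}

# Wallet brands the campaign impersonated (from the article).  An extension
# carrying one of these names without an allowlisted ID is a clone candidate,
# regardless of its rating or review count.
WALLET_BRANDS = ("metamask", "coinbase", "trust wallet", "phantom",
                 "exodus", "okx", "mymonero", "bitget")

# Constructed sample extensions.json: one approved wallet, one clone with the
# same display name but a different ID, one unrelated unapproved tool, one theme.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "webextension@metamask.io", "type": "extension", "version": "12.0.0",
     "active": True, "sourceURI": "https://addons.mozilla.org/...",
     "defaultLocale": {"name": "MetaMask"}},
    {"id": "metamask-wallet@example.invalid", "type": "extension", "version": "1.0.3",
     "active": True, "sourceURI": "https://addons.mozilla.org/...",
     "defaultLocale": {"name": "MetaMask"}},
    {"id": "notes@example.invalid", "type": "extension", "version": "2.1",
     "active": True, "sourceURI": None,
     "defaultLocale": {"name": "Quick Notes"}},
    {"id": "dark-theme@example.invalid", "type": "theme", "version": "1.0",
     "active": True, "sourceURI": None,
     "defaultLocale": {"name": "Dark Theme"}},
]})


def audit(extensions_json_text, allowlist=ALLOWLIST):
    """Return one finding per installed extension whose ID is not allowlisted.
    The match is on ID only: a matching name or logo proves nothing."""
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        addon_id = addon.get("id", "")
        name = addon.get("defaultLocale", {}).get("name", "")
        if addon_id in allowlist:
            continue
        brand = next((b for b in WALLET_BRANDS if b in name.lower()), None)
        findings.append({
            "id": addon_id,
            "name": name,
            "version": addon.get("version"),
            "source": addon.get("sourceURI"),
            "reason": f"wallet-brand lookalike ({brand})" if brand else "not on allowlist",
        })
    return findings


def version_drift(previous_json_text, current_json_text):
    """Return (id, old_version, new_version) for every extension whose version
    changed between two snapshots; an unplanned bump is the update to review."""
    def versions(text):
        return {a["id"]: a.get("version") for a in json.loads(text).get("addons", [])}
    old, new = versions(previous_json_text), versions(current_json_text)
    return [(i, old[i], new[i]) for i in old if i in new and old[i] != new[i]]


def build_policy(allowlist=ALLOWLIST):
    """Firefox enterprise policies.json that blocks every extension except the
    allowlisted IDs (ExtensionSettings "*" wildcard plus per-ID overrides)."""
    settings = {"*": {"installation_mode": "blocked",
                      "blocked_install_message": "Extension is not on the approved list."}}
    for ext_id in allowlist:
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}


if __name__ == "__main__":
    for f in audit(SAMPLE_EXTENSIONS_JSON):
        print(f"{f['reason']:32} {f['id']:36} {f['name']} {f['version']}")
    print(json.dumps(build_policy(), indent=2))
```

Run against a real profile by loading `~/.mozilla/firefox/<profile>/extensions.json` instead of the constructed sample; the clone in the sample is reported as a lookalike because it carries the MetaMask name under an ID the allowlist has never seen, which is exactly the pattern the report describes. Deploy the generated `policies.json` through the distribution directory or group policy, so users cannot install an unapproved extension however convincing its listing.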

Magazine: North Korean crypto hackers test ChatGPT, Malaysia road money siphoned: Asia Express