More than 40 fake extensions for the popular web browser Mozilla Firefox have been linked to an ongoing malware campaign to steal cryptocurrencies, according to a report published Wednesday by cybersecurity firm Koi Security.
The large-scale phishing operation reportedly deploys extensions impersonating wallet tools such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget and others. Once installed, the malicious extensions are designed to steal users’ wallet credentials.
“So far, we were able to link over 40 different extensions to this campaign, which is still ongoing and very much alive,” the company said.
Koi Security said the campaign has been active since at least April, and the most recent extensions were uploaded last week. The extensions reportedly extract wallet credentials directly from targeted websites and upload them to a remote server controlled by the attacker.
Malware exploits trust through design
Per the report, the campaign leverages ratings, reviews, branding and functionality to gain user trust by appearing legitimate. One of the applications had hundreds of fake five-star reviews.
The fake extensions also used the same names and logos as the real services they impersonated. In multiple instances, the threat actors took advantage of the official extensions’ open-source code, cloning the legitimate applications and adding malicious code to them:
“This low-effort, high-impact approach allowed the actor to maintain expected user experience while reducing the chances of immediate detection.”
Russian-speaking threat actor suspected
Koi Security said “attribution remains tentative,” but suggested “multiple signals point to a Russian-speaking threat actor.” Those signals include Russian-language comments in the code and metadata found in a PDF file retrieved from a malware command-and-control server involved in the incident:
“While not conclusive, these artifacts suggest that the campaign may originate from a Russian-speaking threat actor group.”
To mitigate risk, Koi Security urged users to install browser extensions only from verified publishers. The firm also recommended treating extensions as full software assets, using allowlists and monitoring for unexpected behavior or updates.
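The allowlisting recommendation above can be enforced centrally in Firefox through its enterprise policy file (policies.json, placed in the distribution directory of the Firefox installation). The fragment below is an added illustration, not configuration published by Koi Security or by Mozilla for this campaign: it blocks installation of every extension by default, permits only explicitly listed add-on IDs, and shows the user a message pointing to the internal approval process. The two extension IDs are placeholders standing in for whatever a given organization has vetted.

```json
{
  "policies": {
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Extensions must be requested through the security team. Wallet tools in particular are only approved from the vendor's verified publisher."
      },
      "approved-wallet-extension@example.com": {
        "installation_mode": "allowed"
      },
      "approved-password-manager@example.com": {
        "installation_mode": "force_installed",
        "install_url": "https://example.com/placeholder/approved-password-manager.xpi"
      }
    }
  }
}
```

With the wildcard entry set to "blocked", a look-alike wallet extension that a user reaches through a fake review page cannot be installed even if it is hosted on the official add-ons store, because it is not on the list; "force_installed" additionally keeps a vetted extension pinned to the organization's own install URL so that it can only be updated from that source. Listed IDs should be taken from the vendor's published extension, not from the store search results, since the impersonating extensions described in the report copy names and logos but necessarily carry different IDs.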