
Crypto theft campaign hits Firefox users with wallet clones

More than 40 fake extensions for the popular Mozilla Firefox web browser have been linked to an ongoing malware campaign that steals cryptocurrency, according to a report published Wednesday by cybersecurity firm Koi Security.

The large-scale phishing operation reportedly deploys extensions that impersonate wallet tools such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget and others. Once installed, the malicious extensions are designed to steal users’ wallet credentials.

“Right now, we have been able to link more than 40 different extensions to this campaign, which is still ongoing and very much alive,” the company said.

Koi Security said the campaign has been active since at least April, and the latest extensions were uploaded last week. The extensions reportedly harvest wallet credentials directly from the targeted websites and upload them to a remote server controlled by the attacker.

Source: Slowmist


Malware exploits trust by design

According to the report, the campaign uses ratings, reviews, branding and logos to gain user trust by appearing legitimate. One of the extensions has hundreds of fake five-star reviews.

The fake extensions also carry the same names and logos as the real services they impersonate. In many cases, the threat actors took the official extensions’ open-source code, cloned the legitimate applications and added their malicious code:

“This low-effort, high-impact approach allows the actor to maintain the user’s expected experience while reducing the chances of immediate detection.”


Russian-speaking actor suspected

Koi Security said “attribution remains tentative,” but pointed to “multiple signals pointing to a Russian-speaking actor.” Those signals include Russian-language comments in the code and metadata in a PDF file obtained from a command-and-control server used in the campaign:

“While not conclusive, the artifacts suggest that the campaign may originate from a Russian-speaking group.”

To mitigate the risk, Koi Security encouraged users to install browser extensions only from verified publishers. The firm also recommends treating extensions as full software assets: maintaining allowlists and monitoring for unexpected behavior or updates.
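As an added illustration of the allowlist-and-monitoring advice above (example code written for this post, not Koi Security's tooling), the script below checks a Firefox profile's extension inventory against an allowlist of approved wallet extensions and flags clones that borrow a wallet brand name as well as unexpected version changes. The extensions.json field names are assumed from that file's layout, and every add-on ID and sample record is a constructed placeholder.

```python
"""Audit a Firefox profile's extension inventory against a wallet allowlist.
Firefox records installed add-ons in <profile>/extensions.json; the field names
used here ("addons", "id", "type", "version", "defaultLocale.name") are assumed."""

# Approved wallet extensions: add-on ID -> brand. IDs are placeholders,
# not the real add-on IDs of these wallets.
ALLOWLIST = {"{placeholder-0001}": "MetaMask", "{placeholder-0002}": "Phantom"}

# Brands the campaign impersonated; a non-allowlisted add-on using one of
# these names is the strongest signal of a clone.
WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom", "exodus",
                 "okx", "mymonero", "bitget")


def audit(inventory, allowlist=ALLOWLIST, baseline=None):
    """Return (addon_id, name, reason) for add-ons that are not allowlisted,
    that carry a wallet brand name under an unknown ID, or whose version
    drifted from a recorded baseline of approved-extension versions."""
    findings = []
    for addon in inventory.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and langpacks are out of scope
        addon_id = addon.get("id", "")
        name = addon.get("defaultLocale", {}).get("name", "")
        version = addon.get("version", "")
        if addon_id in allowlist:
            # Approved, but an unexpected update still deserves a look.
            if baseline and baseline.get(addon_id, version) != version:
                findings.append((addon_id, name,
                                 f"version changed {baseline[addon_id]} -> {version}"))
            continue
        if any(brand in name.lower() for brand in WALLET_BRANDS):
            findings.append((addon_id, name,
                             "wallet brand name under a non-allowlisted ID (likely clone)"))
        else:
            findings.append((addon_id, name, "not on allowlist"))
    return findings


# Constructed sample inventory: one approved add-on (updated since the
# baseline), one clone borrowing the MetaMask name, one unrelated add-on.
SAMPLE = {"addons": [
    {"id": "{placeholder-0001}", "type": "extension", "version": "11.0.0",
     "defaultLocale": {"name": "MetaMask"}},
    {"id": "{attacker-id-0099}", "type": "extension", "version": "1.0",
     "defaultLocale": {"name": "MetaMask Wallet"}},
    {"id": "adblock@example", "type": "extension", "version": "1.5",
     "defaultLocale": {"name": "Ad blocker"}},
]}
```

Run `audit(json.load(open(path_to_extensions_json)), baseline=last_known_versions)` on a real profile; the version baseline is whatever snapshot of approved extension versions you recorded at the previous check.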
