- Researchers report 150 Firefox add-ons that acted as infostealers and keyloggers
- The add-ons were benign when first published to the store, but once they had built up a reputation they were swapped for malicious code
- The crooks steal crypto and track their victims' IP addresses
Cryptocurrency users who run the Firefox browser should be careful: a major campaign has been detected that aims to steal their tokens as soon as they leave their wallets.
Security researchers at Koi Security recently identified 150 add-ons in the Mozilla add-on store that acted as infostealers and keyloggers.
These add-ons started out as harmless tools. Once they had accumulated enough downloads and positive reviews, the attackers gave them new names and logos impersonating popular crypto wallets such as MetaMask, TronLink or Rabby, and injected malware that steals wallet credentials and IP addresses.
Greedy
“Weaponized extensions capture wallet credentials directly from user input fields within the extension's popup interface and exfiltrate them to a remote server controlled by the group,” Koi Security said in its write-up.
“During initialization, they also transmit the victim's external IP address, likely for tracking or targeting purposes.”
The researchers said the malicious code was partly generated with the help of AI. They dubbed the campaign "GreedyBear" and claimed it has already netted more than a million dollars.
The "Bear" could be a reference to Russia, since the operation appears to be complemented by dozens of pirated-software websites distributing 500 malware variants, as well as fake Trezor, Jupiter Wallet and other crypto websites. All are written in Russian.
The malware distributed via the websites is generic, the researchers added, with LummaStealer the most notable name among it.
All of the sites are tied to the same IP address, which suggests that a single entity is running the entire operation.
Koi Security reported its findings to Mozilla, which quickly removed all of the malicious add-ons from its repository. However, users who downloaded them in the meantime remain at risk until they remove the add-ons from their browsers and rotate every credential they entered into them.
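Removal only helps if you know what is installed. The report itself does not list the add-on IDs, so the practical first step is to inventory a Firefox profile and single out add-ons that carry a wallet brand name or that were updated after the version you originally installed (the rebrand-after-reputation pattern described above). The following script is an added example, not code from the article or from Koi Security. It assumes the layout of Firefox's `extensions.json` (an `addons` array whose entries carry `id`, `type`, `version`, `installDate`, `updateDate`, `active` and a `defaultLocale` with `name` and `creator`); the sample data embedded in it is constructed for illustration and does not describe any real add-on.

```python
import json

# Wallet brands the report names as impersonated by the GreedyBear add-ons
# (MetaMask, TronLink, Rabby, Trezor, Jupiter Wallet).
WALLET_BRANDS = ("metamask", "tronlink", "rabby", "trezor", "jupiter")

# Constructed sample of a Firefox profile's extensions.json. Field names follow
# Firefox's add-on manager; IDs, names and dates are invented for illustration.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 37,
    "addons": [
        {
            "id": "uBlock0@raymondhill.net",
            "version": "1.58.0",
            "type": "extension",
            "defaultLocale": {"name": "uBlock Origin", "creator": "Raymond Hill"},
            "installDate": 1700000000000,
            "updateDate": 1700000000000,
            "active": True,
        },
        {
            "id": "{11111111-2222-3333-4444-555555555555}",
            "version": "2.0.1",
            "type": "extension",
            "defaultLocale": {"name": "MetaMask Wallet Helper", "creator": "example-dev"},
            "installDate": 1710000000000,
            "updateDate": 1720000000000,
            "active": True,
        },
        {
            "id": "langpack-en-GB@firefox.mozilla.org",
            "version": "128.0",
            "type": "locale",
            "defaultLocale": {"name": "English (GB) Language Pack"},
            "installDate": 1700000000000,
            "updateDate": 1700000000000,
            "active": True,
        },
    ],
})


def load_extensions(extensions_json_text):
    """Parse extensions.json and keep only real extensions (drop locales,
    themes, dictionaries)."""
    data = json.loads(extensions_json_text)
    return [a for a in data.get("addons", []) if a.get("type") == "extension"]


def triage(addons):
    """Describe every extension; 'flags' is non-empty for ones to verify by hand."""
    rows = []
    for addon in addons:
        locale = addon.get("defaultLocale", {})
        name = locale.get("name", "")
        flags = []
        if any(brand in name.lower() for brand in WALLET_BRANDS):
            flags.append("wallet-branded name: confirm publisher and ID on addons.mozilla.org")
        if addon.get("updateDate", 0) > addon.get("installDate", 0):
            flags.append("updated after install: the version you vetted may not be the one running")
        rows.append({
            "id": addon.get("id"),
            "name": name,
            "creator": locale.get("creator", ""),
            "version": addon.get("version"),
            "active": addon.get("active", False),
            "flags": flags,
        })
    return rows


def flagged_ids(extensions_json_text):
    """IDs of add-ons that need manual verification."""
    return [r["id"] for r in triage(load_extensions(extensions_json_text)) if r["flags"]]


if __name__ == "__main__":
    import sys
    # Pass the path to a profile's extensions.json; without one, the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXTENSIONS_JSON
    for row in triage(load_extensions(text)):
        marker = "!!" if row["flags"] else "  "
        print(f"{marker} {row['id']} {row['name']!r} v{row['version']} by {row['creator'] or '?'}")
        for flag in row["flags"]:
            print(f"     - {flag}")
```

On Linux the file normally lives at `~/.mozilla/firefox/<profile>/extensions.json` (Firefox must be closed or the file copied first, since it is rewritten while the browser runs). A flag is a prompt to check the add-on's page and publisher on addons.mozilla.org, not a verdict: legitimate wallet add-ons will match the brand list too, and the point is to confirm the one you have is the real one before you type a seed phrase into it.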
Via BleepingComputer