"FoxyWallet": More than 40 malicious Firefox add-ons discovered
IT security researchers have discovered a large-scale campaign built on malicious Firefox add-ons. The add-ons empty crypto wallets.
A large-scale malware campaign relies on fake Firefox extensions. The perpetrators are trying to steal access data from crypto wallets and empty them. IT security researchers have detected more than 40 such malicious add-ons.
Koi Security writes this in an analysis. According to the analysis, the fake add-ons imitate legitimate crypto wallets and tools from widely used platforms. The IT researchers name Bitget, Coinbase, Ethereum Wallet, Exodus, Filfox, Keplr, Leap, MetaMask, MyMonero, OKX, Phantom and Trust Wallet as the imitated brands. Once users have installed the malicious extensions, they silently leak the wallet secrets, putting the contents of the users' wallets at risk.
Malware campaign still active
The IT researchers have discovered more than 40 such malware extensions so far. The campaign is still ongoing, and some of the malicious add-ons are even still available in the Firefox add-on store. According to Koi Security, the campaign began in April of this year at the latest. The perpetrators were still uploading new malicious add-ons to the Firefox add-on store until last week. Because such uploads are continuing, the operation is still active, persistent and evolving, the IT researchers explain.
The extensions extract the wallets' access data directly from the websites they target and send it to a remote server under the attackers' control. The add-ons also transmit the victim's external IP address, presumably for tracking purposes.
The campaign relies on the usual marketplace mechanisms to gain trust. Ratings, reviews, branding and functionality are meant to inspire user confidence and drive up the number of installations. Some of the malicious add-ons have received hundreds of fake 5-star reviews, far exceeding their number of users. This gives the impression that an add-on is widely used and positively rated. In addition, the criminal masterminds use the official branding of legitimate wallet tools, with identical logos and names. For some add-ons, the perpetrators have also abused the open-source nature of the legitimate extensions and simply added code that steals access data. These add-ons appear to work as intended and only have the unnoticed secondary function of stealing the access data, which makes the malicious intent much harder to detect.
As the code contains some Russian comments, Koi Security assumes that the actors are from Russia. Metadata in a PDF file originating from a command-and-control server also points there.
Protection is more difficult
Protective measures are difficult: extensions should only be installed from verified publishers, but even many good ratings are no guarantee that an extension is genuine. Organizations should assess the threat potential of browser extensions in the same way as standard software packages, monitor them and apply standard policies. Organizations can also maintain a list of permitted extensions so that only verified extensions are used.
At the end, the analysis lists the names of the malicious add-ons detected so far as well as, for example, some domains linked to command-and-control servers. Users should check their installed add-ons for matches and ensure that the add-ons were installed from the genuine provider.
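The check recommended above (inventory installed Firefox add-ons, compare them against an allowlist and flag wallet-branded look-alikes or add-ons not installed from addons.mozilla.org) can be scripted. This is an added example, not code from the article or from Koi Security; the `extensions.json` sample, the add-on IDs and the allowlist are constructed placeholders, and the field names follow the layout of a Firefox profile's `extensions.json`.

```python
import json
import re
from urllib.parse import urlparse

# Wallet brands the Koi Security analysis names as impersonated (from the article).
IMPERSONATED_BRANDS = {"bitget", "coinbase", "ethereum wallet", "exodus", "filfox", "keplr",
                       "leap", "metamask", "mymonero", "okx", "phantom", "trust wallet"}

# Hypothetical allowlist of add-on IDs the organisation has verified (placeholder value).
ALLOWED_IDS = {"verified-wallet@example.org"}

# Constructed stand-in for <profile>/extensions.json; real files carry more fields.
SAMPLE_EXTENSIONS_JSON = json.dumps({"schemaVersion": 35, "addons": [
    {"id": "verified-wallet@example.org", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask", "creator": "Verified Vendor"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/verified.xpi"},
    {"id": "{c0ffee00-0000-4000-8000-000000000001}", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask Wallet Pro", "creator": "unknown"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/lookalike.xpi"},
    {"id": "sideload@example.net", "type": "extension", "active": True,
     "defaultLocale": {"name": "Tab Manager", "creator": "someone"},
     "sourceURI": "file:///tmp/tabmanager.xpi"},
    {"id": "dark-theme@example.org", "type": "theme", "active": True,
     "defaultLocale": {"name": "Dark Theme"}, "sourceURI": "https://addons.mozilla.org/x.xpi"},
]})


def audit_addons(extensions_json: str, allowed_ids: set[str]) -> list[dict]:
    """Return the add-ons that need a human look, each with the reasons it was flagged."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":      # themes, dictionaries etc. carry no content scripts
            continue
        name = (addon.get("defaultLocale") or {}).get("name", "")
        host = urlparse(addon.get("sourceURI") or "").hostname or ""
        reasons = []
        # Whole-word match so "Leap" does not fire on unrelated names containing "leap".
        looks_like_wallet = any(re.search(r"\b" + re.escape(b) + r"\b", name.lower())
                                for b in IMPERSONATED_BRANDS)
        # A store listing alone proves nothing (the article notes malicious add-ons are still
        # listed), so the allowlist of verified IDs is the check that matters for wallet brands.
        if looks_like_wallet and addon["id"] not in allowed_ids:
            reasons.append("name matches an impersonated wallet brand but id is not allowlisted")
        if host != "addons.mozilla.org":
            reasons.append(f"installed from {host or 'a local file'}, not addons.mozilla.org")
        if reasons:
            findings.append({"id": addon["id"], "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_addons(SAMPLE_EXTENSIONS_JSON, ALLOWED_IDS):
        print(f["id"], f["name"], "->", "; ".join(f["reasons"]))
```

To run it against a real profile, read `extensions.json` from the profile directory and replace the allowlist with the IDs of the add-ons the organisation has actually verified.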
Browser extensions are a frequent target of cybercriminals. At the beginning of the year, for example, numerous developers of extensions for Google Chrome apparently fell victim to phishing attacks. The attackers used the access they gained to upload maliciously manipulated versions of the add-ons to the Chrome Web Store and thus foist them on victims.
(dmk)