Dec 17, 2025 | Ravie Lakshmanan | Ad Fraud / Browser Security

A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud.

The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.

These browser programs were advertised as VPNs, screenshot utilities, ad blockers, and unofficial versions of Google Translate. The oldest add-on, Dark Mode, was published on October 25, 2024, offering the ability to enable a dark theme for all websites. The full list of the browser add-ons is below –

  • Free VPN
  • Screenshot
  • Weather (weather-best-forecast)
  • Mouse Gesture (crxMouse)
  • Cache – Fast site loader
  • Free MP3 Downloader
  • Google Translate (google-translate-right-clicks)
  • Traductor de Google
  • Global VPN – Free Forever
  • Dark Reader Dark Mode
  • Translator – Google Bing Baidu DeepL
  • Weather (i-like-weather)
  • Google Translate (google-translate-pro-extension)
  • 谷歌翻译
  • libretv-watch-free-videos
  • Ad Stop – Best Ad Blocker
  • Google Translate (right-click-google-translate)

“What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser’s security protections, and opens a backdoor for remote code execution,” security researchers Lotan Sery and Noga Gouldman said.

The attack chain begins when the logo file is fetched when one of the above-mentioned extensions is loaded. The malicious code parses the file to look for a marker containing the “===” sign in order to extract JavaScript code, a loader that reaches out to an external server (“www.liveupdt[.]com” or “www.dealctr[.]com”) to retrieve the main payload, waiting 48 hours in between every attempt.

To further evade detection, the loader is configured to fetch the payload only 10% of the time. This randomness is a deliberate choice introduced to sidestep efforts to monitor network traffic. The retrieved payload is a comprehensive, custom-encoded toolkit capable of monetizing browser activity without the victims’ knowledge in four different ways –

  • Affiliate link hijacking, which intercepts affiliate links to e-commerce sites like Taobao or JD.com, depriving legitimate affiliates of their commission
  • Tracking injection, which inserts the Google Analytics tracking code into every web page visited by the victim, to silently profile them
  • Security header stripping, which removes security headers like Content-Security-Policy and X-Frame-Options from HTTP responses, exposing users to clickjacking and cross-site scripting attacks
  • Hidden iframe injection, which injects invisible iframes into pages to load URLs from attacker-controlled servers and enable ad and click fraud
  • CAPTCHA bypass, which employs various methods to bypass CAPTCHA challenges and evade bot detection safeguards
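Because the loader only beacons a fraction of the time and waits 48 hours between attempts, network monitoring alone is unreliable; inspecting the extension's packaged assets on disk is a better starting point. The following detection helper is an added example, not code from the article or from Koi Security: it flags image files that carry a "===" marker followed by JavaScript-looking text, the hiding technique described above. The sample bytes are constructed here, and the keyword list and the two-token threshold are assumptions of this heuristic.

```python
"""Flag extension icon files that hide script after a '===' marker (added example)."""
import re
from pathlib import Path

# Magic bytes of common icon formats. Only files that really start as an
# image are considered; the hidden script sits after the image data.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8")

# Assumed keyword set: a few tokens that a JS loader can hardly avoid.
JS_TOKENS = re.compile(rb"\b(function|fetch|eval|XMLHttpRequest|document|setTimeout)\b")
MIN_TOKENS = 2  # '===' can occur in raw pixel data, so demand script-like text too


def find_hidden_script(data: bytes):
    """Return (marker_offset, script_bytes) for an image carrying a '==='
    marker followed by script-like text, or None when nothing is found."""
    if not data.startswith(IMAGE_MAGIC):
        return None
    for match in re.finditer(rb"===", data):
        tail = data[match.end():]
        if len(JS_TOKENS.findall(tail)) >= MIN_TOKENS:
            return match.start(), tail
    return None


def scan_extension_dir(root) -> dict:
    """Map each suspicious image path under root to the marker offset."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".png", ".jpg", ".jpeg", ".gif"}:
            result = find_hidden_script(path.read_bytes())
            if result is not None:
                hits[str(path)] = result[0]
    return hits


# Constructed samples: a minimal PNG header plus filler, then the same file
# with a marker and a loader-like stub appended (placeholder URL, not real).
SAMPLE_CLEAN = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_TAINTED = SAMPLE_CLEAN + b"===" + (
    b"(function(){setTimeout(function(){fetch('https://example.invalid/p')},0)})();"
)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("tainted", SAMPLE_TAINTED)):
        print(name, find_hidden_script(blob) is not None)
```

Point scan_extension_dir at an unpacked extension directory; a hit means the icon should be opened in a hex editor and the extension treated as compromised.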

“Why would…

