GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads
Briefly

"The attack chain begins when the logo file is fetched when one of the above-mentioned extensions is loaded. The malicious code parses the file to look for a marker containing the "===" sign in order to extract JavaScript code, a loader that reaches out to an external server ("www.liveupdt[.]com" or "www.dealctr[.]com") to retrieve the main payload, waiting 48 hours in between every attempt."
"The full list of the browser add-ons is below -
- Free VPN
- Screenshot
- Weather (weather-best-forecast)
- Mouse Gesture (crxMouse)
- Cache - Fast site loader
- Free MP3 Downloader
- Google Translate (google-translate-right-clicks)
- Traductor de Google
- Global VPN - Free Forever
- Dark Reader Dark Mode
- Translator - Google Bing Baidu DeepL
- Weather (i-like-weather)
- Google Translate (google-translate-pro-extension)
- 谷歌翻译
- libretv-watch-free-videos
- Ad Stop - Best Ad Blocker
- Google Translate (right-click-google-translate)"
A campaign tracked as GhostPoster hid malicious JavaScript inside the logo image files shipped with 17 Firefox add-ons. The hidden code hijacks affiliate links, injects tracking code, and performs click and ad fraud. The add-ons, marketed as VPNs, screenshot tools, ad blockers, and unofficial Google Translate extensions, were downloaded more than 50,000 times before being removed from distribution. When an affected add-on loads, it fetches its own logo file and scans it for a "===" marker; the text after the marker is extracted and run as a loader that contacts an external server for the main payload, waits 48 hours between attempts, and fetches the payload only 10% of the time so that the network activity is harder to spot. The payload monitors browsing, disables browser security features, and enables remote code execution.
Read at The Hacker News