
AI-generated malware steals $1M in crypto via Firefox wallet extensions
What's the story
A sophisticated campaign targeting cryptocurrency users has been uncovered. Dubbed "GreedyBear," the operation has used over 150 malicious extensions in the Mozilla Firefox marketplace. These fake add-ons mimic popular cryptocurrency wallets and have stolen over $1 million in digital assets from unsuspecting victims. Security researchers have discovered a new tactic used by threat actors, called "Extension Hollow," to bypass security measures and exploit user trust.
Strategy
What is the 'Extension Hollow' tactic?
The malicious browser extensions closely imitate popular cryptocurrency wallets like MetaMask, TronLink, Exodus, and Rabby Wallet. Tuval Admoni from Koi Security revealed that these seemingly harmless extensions are anything but innocent. Instead of trying to sneak malware past initial reviews, the attackers first create portfolios of benign-looking add-ons. Once these have gained some trust and user adoption, their malicious capabilities are quietly activated. This tactic lets fake wallets operate undetected for a long time, maximizing their potential for widespread damage.
Data theft
Fake extensions steal sensitive data
The main purpose of these fake extensions is to steal sensitive wallet credentials entered by users. This data is then quietly sent to an attacker-controlled server. The extensions also collect victims' IP addresses, possibly for tracking and further malicious activities. This campaign is thought to be an expansion of a previous operation called "Foxy Wallet," which used some 40 similar malicious extensions for Firefox.
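A triage script for the two patterns described above (a benign-looking add-on that is later turned malicious, and a fake wallet that harvests credentials from pages), added here as an example and not part of the original report or of Koi Security's tooling. It parses a constructed copy of Firefox's extensions.json and flags add-ons whose names mimic the wallet brands named above and that either hold broad host access or were updated long after a dormant install; the brand list, the 30-day threshold and the two sample add-ons are assumptions.

```python
import json

# Wallet brands the GreedyBear add-ons impersonated (names from the report).
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby")

# Constructed sample of Firefox's extensions.json: the field names follow the
# real file, but both add-ons and their ids are invented for this example.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "notes-helper@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Notes Helper"},
     "installDate": 1704067200000, "updateDate": 1704067200000,
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "rabby-wallet-pro@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Rabby Wallet Pro"},
     "installDate": 1704067200000, "updateDate": 1722470400000,
     "userPermissions": {"permissions": ["storage", "tabs"],
                         "origins": ["<all_urls>"]}},
]})


def hollow_candidates(extensions_json: str, dormant_days: int = 30):
    """Return (name, id, reasons) for add-ons that mimic a wallet brand and
    show the 'Extension Hollow' shape: installed while benign, later updated,
    and able to read every page. Heuristic triage only, not proof of theft."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        if not any(brand in name.lower() for brand in WALLET_BRANDS):
            continue
        reasons = []
        origins = addon.get("userPermissions", {}).get("origins", [])
        if any(o in ("<all_urls>", "*://*/*") for o in origins):
            reasons.append("broad host access: " + ", ".join(origins))
        # Timestamps are milliseconds since the epoch; a long gap between
        # install and last update is the dormant-then-activated signature.
        gap_days = (addon.get("updateDate", 0) - addon.get("installDate", 0)) / 86_400_000
        if gap_days >= dormant_days:
            reasons.append(f"updated {gap_days:.0f} days after install")
        if reasons:
            findings.append((name, addon.get("id"), reasons))
    return findings


if __name__ == "__main__":
    for name, addon_id, reasons in hollow_candidates(SAMPLE_EXTENSIONS_JSON):
        print(f"{name} ({addon_id}): {'; '.join(reasons)}")
```

On a real profile, read `extensions.json` from the Firefox profile directory instead of the constructed sample; a hit is a reason to inspect the add-on's code and publisher, not a verdict.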
Wider threat
Tactics extend beyond browser marketplace
The tactics used by the GreedyBear actors go beyond the Firefox marketplace. Researchers have also found links to campaigns distributing malware via Russian sites known for cracked and pirated software. These campaigns use information stealers and ransomware, further threatening cryptocurrency users. The attackers have also created fake sites masquerading as legitimate cryptocurrency products and services, including wallet repair tools, to trick users into revealing their wallet credentials or payment information.
AI involvement
AI involvement in extension creation
Worryingly, analysis of the malicious extensions indicates that artificial intelligence (AI)-powered tools may have been involved in their creation. Notably, this campaign isn't restricted to Firefox. A Google Chrome extension called 'Filecoin Wallet' has been found using the same command-and-control server and similar tactics for stealing credentials. This cross-platform expansion marks a major evolution in the scope of this threat, turning it into a multi-platform credential and asset theft operation backed by a robust infrastructure of malware and scam operations.