Stealthy 'GhostPoster' malware siphons data, ad-revenue through fake browser extensions
The operation involved at least 17 malicious browser extensions

Jan 19, 2026
03:26 pm

What's the story

A sophisticated malware campaign dubbed "GhostPoster" has been targeting users of Google Chrome, Mozilla Firefox, and Microsoft Edge. The operation involved at least 17 malicious browser extensions that were downloaded over 840,000 times. This makes it one of the most persistent and technically advanced extension-based threats to date. The infected extensions masqueraded as regular tools like screenshot grabbers and ad blockers but hid malware within PNG image files (the extension's icon) using a technique called steganography.

Stealth tactics

Operation and impact

The GhostPoster malware didn't start its malicious activities immediately after installation. It waited for at least 48 hours, sometimes even up to five days, before contacting remote servers and downloading more malicious code. This delay was a tactic to avoid detection by systems monitoring suspicious activity right after installation. The attackers could also change the malware's behavior without updating the extension itself, making it harder for security teams to completely shut down their operation.

Malware functions

Capabilities and origins

The GhostPoster malware could bypass website security measures, redirect affiliate links to steal commissions, inject scripts for click fraud, and track users across browsing sessions. It even had the capability to bypass CAPTCHA systems designed to prevent automated abuse. The campaign is believed to have started on Edge as early as 2020 before spreading to Firefox and Chrome. This means it went undetected across major browser stores for almost five years, raising serious concerns about extension review processes.

Response measures

Action taken against GhostPoster malware

While Mozilla and Microsoft have removed confirmed malicious extensions from their stores, users who already had the extension installed will have to remove it manually. This highlights the need for users to regularly check their browser extensions and uninstall any that they don't recognize or no longer use. The GhostPoster case serves as a reminder that even seemingly harmless tools in your browser can pose a major security risk if not monitored properly.
