Beware of harmful Firefox extensions: these deceitful tools are swindling millions, so remain vigilant
================================================================================
The GreedyBear campaign, named by security researchers from Koi Security, is a large-scale, sophisticated malware operation that infiltrated the Mozilla Firefox add-ons store with over 150 malicious browser extensions impersonating popular cryptocurrency wallets like MetaMask, TronLink, Exodus, and Rabby Wallet. These extensions initially appeared harmless, accumulating fake positive reviews to build trust before being weaponized by injecting malicious code to steal users' wallet credentials and IP addresses.
How the GreedyBear Campaign Works
In the initial phase, attackers uploaded benign-seeming extensions with simple functionalities to pass Mozilla's review process and gather positive fake reviews. In the weaponization phase, the attackers later replaced original branding with fake wallet names and injected malicious code, turning the extensions into keyloggers that capture wallet credentials entered within popup interfaces. Stolen credentials and the victim's external IP address are then sent to attacker-controlled servers for tracking and further exploitation.
Besides these malicious Firefox extensions, the campaign also includes phishing websites mimicking wallet services like Trezor and Jupiter Wallet, and over 500 malware executables distributed through Russian-speaking pirated software sites, increasing attack reach and effectiveness.
Malware Variants and Techniques
The campaign uses Extension Hollowing, a technique where initially benign extensions are later altered with malicious payloads, bypassing Mozilla’s security checks and exploiting user trust based on previously positive reviews. Artificial intelligence tools appear to have been leveraged to scale and accelerate malware creation, improving evasion from detection systems. The malware not only steals wallet credentials but functions as a keylogger, collecting any typed input in form fields, increasing data capture scope.
Precautions for Cryptocurrency Users
To protect themselves, cryptocurrency users should be cautious when installing browser extensions, especially crypto wallet extensions. They should not rely solely on star ratings since fake positive reviews are common. Instead, they should verify the developer’s reputation, look at version history, search for suspicious activity tied to the publisher, and check user comments for potential red flags.
Monitoring for any unexpected requests for access or unusual popups from extensions is also important. Users should consider using hardware wallets or verified software wallets that do not rely solely on browser extensions for critical security. Keeping browsers and security software updated can also reduce exposure to newly discovered threats.
In summary, GreedyBear represents a growing trend of multi-vector attacks targeting cryptocurrency users through trusted browser ecosystems, combining fake extensions, phishing sites, and malware to steal funds. Vigilance and careful evaluation of extensions and wallet software remain essential defenses.
[1] Koi Security's Blog Post on GreedyBear [2] ZDNet Article on GreedyBear [3] Bleeping Computer Article on GreedyBear [4] TechRadar Article on GreedyBear [5] The Hacker News Article on GreedyBear
- To protect themselves from such threats, avid gamers should be mindful of cybersecurity risks while playing games, especially cryptocurrency integrated games, as the same tactics used in the GreedyBear campaign could potentially be employed.
- As technology continues to shape gaming landscapes, it is crucial for gamers to apply the same precautions as cryptocurrency users; verifying developers, keeping software updated, and monitoring for any unusual activity to maintain a secure gaming experience.
