GhostPoster Malware Lurks in Firefox Add-ons, Infecting 50,000 Users
- John Jordan

- 5 hours ago
- 2 min read
A sophisticated malware campaign, dubbed GhostPoster, has been discovered lurking within 17 popular Mozilla Firefox add-ons, potentially impacting over 50,000 users. These malicious extensions, disguised as VPNs, screenshot tools, ad blockers, and translation services, were found to embed malicious JavaScript code within their own PNG logo files, a technique known as steganography.

Key Takeaways
- Widespread Infection: At least 17 Firefox add-ons, collectively downloaded over 50,000 times, were compromised.
- Stealthy Delivery: Malware was hidden within PNG logo files, bypassing traditional security scans.
- Malicious Functionality: The malware hijacks affiliate links, injects tracking code, strips security protections, and commits ad fraud.
- Evasion Tactics: Employed multi-stage payloads, random delays, and time-based triggers to avoid detection.
- Add-ons Removed: All affected extensions have since been removed from the Firefox add-on store.
The GhostPoster Attack Vector
The GhostPoster campaign utilizes a clever steganography technique, embedding malicious JavaScript code directly into the binary data of PNG image files used as extension logos. When a compromised add-on loads its logo, the extension's code searches for a specific marker ("===") within the file. Upon detection, it extracts a JavaScript loader that communicates with command-and-control servers to download the main payload.
This method allows the malware to evade standard security scanners and marketplace reviews that typically treat image files as benign assets. The extensions were advertised with various functionalities, including VPN services, screenshot utilities, ad blockers, and unofficial Google Translate versions. The oldest identified add-on was published in October 2024.
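The detection angle that follows from this is worth making concrete: an image that a marketplace reviewer or an endpoint scanner treats as a benign asset can still be checked structurally. The script below is an added example, not tooling from Koi Security, Mozilla or the article's sources. It parses the PNG chunk list, verifies each chunk's CRC, reports any bytes appended after the IEND chunk, lists chunk types outside the standard set, and records where the "===" marker named in the article appears in chunk payloads or trailing data. The sample icon it builds is constructed here; where exactly GhostPoster placed its marker and loader inside the real logos is not stated on the page, so the scan is deliberately broad rather than tuned to one layout.

```python
"""Structural scan of a PNG icon for appended or hidden data.

Constructed example for this article; not Koi Security's, Mozilla's or the
campaign's code. Walks the chunk list, checks CRCs and flags trailing bytes,
unknown chunk types and the "===" marker the article says the loader looks for.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # marker named in the article; its exact placement is an unknown
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
                b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs",
                b"sBIT", b"sPLT", b"hIST", b"tIME"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input (not a real add-on icon)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type 0
    scanline = b"\x00\x80"                              # filter byte 0 followed by one grey pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def _marker_offsets(buf: bytes, base: int) -> list:
    """Absolute file offsets of every MARKER occurrence inside buf."""
    hits, i = [], buf.find(MARKER)
    while i != -1:
        hits.append(base + i)
        i = buf.find(MARKER, i + 1)
    return hits


def inspect_png(blob: bytes) -> dict:
    """Return a findings dict; any non-empty list or non-zero count deserves a closer look."""
    findings = {"valid_signature": blob.startswith(PNG_SIG), "truncated": False,
                "bad_crc": [], "unknown_chunks": [], "trailing_bytes": 0,
                "marker_offsets": []}
    if not findings["valid_signature"]:
        return findings
    pos, saw_iend = len(PNG_SIG), False
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_field) < 4:
            findings["truncated"] = True  # declared length runs past end of file
            break
        name = ctype.decode("latin-1")
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", crc_field)[0]:
            findings["bad_crc"].append(name)  # payload edited after the CRC was written
        if ctype not in KNOWN_CHUNKS:
            findings["unknown_chunks"].append(name)
        # Search chunk payloads only, not CRC fields, so random CRC bytes cannot cause hits.
        findings["marker_offsets"] += _marker_offsets(data, pos + 8)
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if saw_iend:
        trailing = blob[pos:]  # a well-formed PNG ends at IEND; anything after it is foreign
        findings["trailing_bytes"] = len(trailing)
        findings["marker_offsets"] += _marker_offsets(trailing, pos)
    else:
        findings["truncated"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    """Decision rule: any structural anomaly or marker hit flags the icon for review."""
    return (not findings["valid_signature"] or findings["truncated"]
            or bool(findings["bad_crc"]) or bool(findings["unknown_chunks"])
            or findings["trailing_bytes"] > 0 or bool(findings["marker_offsets"]))


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed placeholder text appended after IEND; not real loader code.
    tainted = clean + MARKER + b"/* placeholder appended after IEND */"
    for label, blob in (("clean", clean), ("tainted", tainted)):
        f = inspect_png(blob)
        print(label, "suspicious" if is_suspicious(f) else "ok", f)
```

Run over every image in an unpacked add-on directory, this catches the simplest hiding places (bytes after IEND, a private chunk type, a payload stuffed into a text chunk). It will not catch data spread across pixel values, and "===" can in principle occur by chance inside compressed IDAT data, so treat a hit as a reason to look, not as a verdict.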
Malicious Capabilities and Evasion Techniques
Once activated, the GhostPoster malware is capable of a range of malicious activities designed to monetize user activity without their knowledge. These include:
- Affiliate Link Hijacking: Intercepting and redirecting affiliate links to steal commissions.
- Tracking Injection: Inserting Google Analytics tracking code to profile users.
- Security Header Stripping: Removing critical security headers like Content-Security-Policy, exposing users to clickjacking and cross-site scripting (XSS) attacks.
- Hidden Iframe Injection: Injecting invisible iframes to load malicious URLs, enabling ad and click fraud.
- CAPTCHA Bypass: Employing methods to bypass bot detection, allowing its malicious operations to continue.
To further evade detection, the malware incorporates several sophisticated evasion techniques. The loader is configured to fetch the main payload only a fraction of the time, introducing randomness to make network traffic analysis difficult. Additionally, the malware often remains dormant for days after installation, utilizing time-based delays to prevent immediate detection during the initial setup phase. The payload itself is custom-encoded and decrypted in memory, leaving no static file footprint for forensic analysis.
A Pattern of Compromised Extensions
Koi Security, the firm that discovered the campaign, noted that while different extensions employed slightly varied steganographic methods, they all communicated with the same command-and-control infrastructure. This suggests a single threat actor or group experimenting with various lures and techniques. This incident follows a trend of malicious browser extensions, including recent cases where VPN extensions were found harvesting AI conversations and collecting user data like screenshots and locations.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
- GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads, The Hacker News.
- New GhostPoster Attack Leverages PNG Icon to Infect 50,000 Firefox Users, CybersecurityNews.