- Experts flag 150 Firefox add-ons acting as infostealers and keyloggers
- Add-ons submitted to the store are benign, but once they build a reputation they are turned into malware
- Crooks steal the crypto and track their victims' IP addresses
Cryptocurrency users running the Firefox browser should be careful: a large campaign has been discovered whose purpose is to steal their tokens straight out of their wallets.
Recently, security researchers from Koi Security identified 150 add-ons in the Mozilla store that acted as infostealers and keyloggers.
These add-ons start out as benign tools that mimic popular crypto wallets such as MetaMask, TronLink or Rabby, but after collecting enough downloads and positive reviews, the attacker replaces them with new names and logos and injects malicious code that steals the user's wallet data and IP address.
GreedyBear
"The weaponized extensions capture wallet information directly from user input fields within the extension's own popup interface and exfiltrate it to an external server controlled by the group," Koi Security said in its write-up.
“During initialization, they also transfer the victim’s external IP address, probably for tracking or targeting.”
The malicious code was partially generated using AI, the researchers said; they dubbed the campaign "GreedyBear" and claim it has already netted more than a million dollars.
The "Bear" in the name may be a reference to Russia, as the operation is apparently complemented by dozens of pirated-software sites distributing 500 malware variants, as well as fake Trezor, Jupiter Wallet and other crypto sites. All of them are written in Russian.
The malware distributed through these sites is generic, the researchers added, with Lumma Stealer standing out as the most notable name.
All the sites are linked to the same IP address, which suggests the entire operation is run from a single machine.
Koi Security reported its findings to Mozilla, which quickly removed all the malicious add-ons from its repository. However, users who downloaded them in the meantime remain at risk until they remove the add-ons from their browsers and rotate all their login credentials.
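The pattern described above, a trusted add-on that is later renamed and given new capabilities by an update, is something a defender can watch for by diffing snapshots of a Firefox profile's extensions.json. The script below is an added example and not Koi Security's or Mozilla's tooling; it assumes the extensions.json layout of an "addons" array whose entries carry "id", "version", "defaultLocale.name" and "userPermissions.permissions"/"origins", and the two snapshots embedded in it are constructed sample data, not real add-ons from the campaign.

```python
"""Flag Firefox add-ons whose name, permissions or host access changed between
two snapshots of a profile's extensions.json (on Linux typically found under
~/.mozilla/firefox/<profile>/extensions.json).

Added example; the JSON layout is an assumption about extensions.json and the
sample snapshots below are constructed, not taken from any real extension.
"""
import json
from pathlib import Path

# Constructed "before" snapshot: a small helper add-on plus an unrelated one.
SAMPLE_BEFORE = json.dumps({"addons": [
    {"id": "wallet-helper@example.invalid", "version": "1.0",
     "defaultLocale": {"name": "Wallet Helper"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "tab-sorter@example.invalid", "version": "2.3",
     "defaultLocale": {"name": "Tab Sorter"},
     "userPermissions": {"permissions": ["tabs"], "origins": []}},
]})

# Constructed "after" snapshot: the helper was renamed to impersonate a wallet
# and its update added network permissions and access to every site.
SAMPLE_AFTER = json.dumps({"addons": [
    {"id": "wallet-helper@example.invalid", "version": "1.1",
     "defaultLocale": {"name": "MetaMask Wallet"},
     "userPermissions": {"permissions": ["storage", "webRequest"],
                         "origins": ["<all_urls>"]}},
    {"id": "tab-sorter@example.invalid", "version": "2.3",
     "defaultLocale": {"name": "Tab Sorter"},
     "userPermissions": {"permissions": ["tabs"], "origins": []}},
]})


def load_addons(text):
    """Parse extensions.json text into {id: {name, version, permissions, origins}}."""
    data = json.loads(text)
    addons = {}
    for entry in data.get("addons", []):
        perms = entry.get("userPermissions", {}) or {}
        addons[entry["id"]] = {
            "name": (entry.get("defaultLocale") or {}).get("name", ""),
            "version": entry.get("version", ""),
            "permissions": set(perms.get("permissions", [])),
            "origins": set(perms.get("origins", [])),
        }
    return addons


def diff_addons(before, after):
    """Return (extension id, description) findings for suspicious changes."""
    findings = []
    for ext_id, new in after.items():
        old = before.get(ext_id)
        if old is None:
            findings.append((ext_id, "new extension installed"))
            continue
        if new["name"] != old["name"]:
            findings.append((ext_id, f"renamed {old['name']!r} -> {new['name']!r}"))
        added_perms = sorted(new["permissions"] - old["permissions"])
        if added_perms:
            findings.append((ext_id, f"gained permissions {added_perms}"))
        added_origins = sorted(new["origins"] - old["origins"])
        if added_origins:
            findings.append((ext_id, f"gained host access {added_origins}"))
    return findings


def scan(before_text, after_text):
    """Convenience wrapper: diff two extensions.json texts."""
    return diff_addons(load_addons(before_text), load_addons(after_text))


def scan_files(before_path, after_path):
    """Diff two saved copies of extensions.json from disk."""
    return scan(Path(before_path).read_text(encoding="utf-8"),
                Path(after_path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    for ext_id, what in scan(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"[!] {ext_id}: {what}")
```

Saving a copy of extensions.json after each review of the installed add-ons and running scan_files against the live file later turns the "benign, then renamed and re-permissioned" sequence into three concrete findings for one extension id; a rename alone is worth a look, and a rename combined with new network permissions or <all_urls> access is the signature worth acting on.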
Via BleepingComputer