Cryptographic theft campaign hits Firefox users in wallet clones

According to a report published on Wednesday by cybersecurity firm Koi Security, over 40 fake extensions for the popular Mozilla Firefox web browser have been linked to an ongoing malware campaign.

The large-scale phishing operation apparently deploys extensions that impersonate wallet tools such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, MyMonero, Bitget and others. Once installed, the malicious extensions are designed to steal the user's wallet credentials.

“So far, we have been able to link over 40 different extensions to this campaign, which is still ongoing and very much alive,” the company said.

Koi Security said the campaign has been active since at least April, with the latest extensions uploaded last week. The extensions reportedly extract wallet credentials directly from the targeted websites and send them to a remote server controlled by the attacker.

Source: Slavmist

Related: How a simple browser extension prevented an $80,000 transfer to a malicious wallet

Malware builds trust through design

According to the report, the campaign uses ratings, reviews, branding and functionality to appear legitimate and gain users' trust. One of the extensions had hundreds of bogus five-star reviews.

The fake extensions also used the same names and logos as the real services they impersonated. In many cases, the threat actors took the open-source code of the official extensions and cloned them, adding their own malicious code:

“This low-effort, high-impact approach allowed the actor to maintain the expected user experience while reducing the risk of immediate detection.”

Related: Microsoft warns of new remote access trojans targeting cryptocurrency wallets

Suspected Russian threat actor

Koi Security said that “attribution remains uncertain”, but suggested that “multiple signals point to a Russian-speaking threat actor.” These signals include Russian-language comments in the code and metadata found in a PDF file retrieved from the campaign's command-and-control server:

“While not conclusive, these artifacts suggest the campaign may originate from a Russian-speaking actor group.”

To reduce the risk, Koi Security urged users to install browser extensions only from verified publishers. The company also recommended treating extensions as full software assets, reviewing their permissions, and monitoring for unexpected behaviour or updates.
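The report describes clones of open-source wallet extensions with extra code grafted on; one practical way to review such an extension is to diff its manifest against the upstream release it claims to be. The following is an added example, not code from Koi Security or from any wallet project, and the two manifests (an assumed upstream release and an assumed clone of it) are constructed for illustration:

```python
import json

# Constructed sample manifests (not taken from the report): an upstream
# open-source wallet extension and a clone that keeps the same name and
# version but reaches further than the original.
UPSTREAM_MANIFEST = json.dumps({
    "name": "ExampleWallet", "version": "2.3.1",
    "permissions": ["storage", "tabs"],
    "content_scripts": [{"matches": ["https://wallet.example/*"], "js": ["inject.js"]}],
})
CLONED_MANIFEST = json.dumps({
    "name": "ExampleWallet", "version": "2.3.1",
    "permissions": ["storage", "tabs", "webRequest", "<all_urls>"],
    "content_scripts": [
        {"matches": ["https://wallet.example/*"], "js": ["inject.js"]},
        {"matches": ["<all_urls>"], "js": ["collector.js"]},
    ],
})

# Permissions that let an extension read or alter data on arbitrary pages.
# Their appearance in a build that presents itself as an upstream release
# deserves a look before the extension stays installed.
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking",
             "clipboardRead", "nativeMessaging", "cookies", "history"}

def _matches(manifest):
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}

def _scripts(manifest):
    return {s for cs in manifest.get("content_scripts", []) for s in cs.get("js", [])}

def diff_manifests(upstream_json, installed_json):
    """Report what the installed manifest adds beyond the upstream one."""
    up, inst = json.loads(upstream_json), json.loads(installed_json)
    added_perms = set(inst.get("permissions", [])) - set(up.get("permissions", []))
    return {
        "same_name_and_version": (up.get("name"), up.get("version"))
                                 == (inst.get("name"), inst.get("version")),
        "added_permissions": sorted(added_perms),
        "added_high_risk": sorted(added_perms & HIGH_RISK),
        "added_content_matches": sorted(_matches(inst) - _matches(up)),
        "added_scripts": sorted(_scripts(inst) - _scripts(up)),
    }

def is_suspicious_clone(report):
    """A build that claims to be the same release yet adds reach or scripts."""
    return report["same_name_and_version"] and bool(report["added_high_risk"] or report["added_scripts"])

if __name__ == "__main__":
    report = diff_manifests(UPSTREAM_MANIFEST, CLONED_MANIFEST)
    print(json.dumps(report, indent=2), "suspicious:", is_suspicious_clone(report))
```

Run against the real upstream manifest and the manifest of the installed copy, the same comparison also catches a later update that quietly widens an extension's reach.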

Magazine: North Korean crypto hackers tap ChatGPT, Malaysia road money siphoned: Asia Express
