- Experts flagged 150 Firefox add-ons that served as info-stealers and keyloggers
- Add-ons added to the store are benign, but once they earn a reputation they are turned into malware
- Crooks steal cryptocurrency and track the IP addresses of their victims
Cryptocurrency users who run the Firefox browser should be careful: a major campaign has been detected that aims to steal the tokens from their wallets.
Recently, Koi Security researchers identified 150 add-ons in the Mozilla store that served as info-stealers.
These add-ons began as benign tools posing as popular crypto wallets such as MetaMask, TronLink or Rabby, but after accumulating enough downloads and positive reviews, the attackers replaced them with new names and logos and injected malicious code that steals users' wallet credentials and IP addresses.
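The rebranding pattern described above (a trusted add-on silently changing its name, author and privileges in a later update) can be caught by diffing snapshots of a profile's installed add-ons. The script below is an added defender-side example, not code from Koi Security or Mozilla; it assumes the field layout of Firefox's `extensions.json` (`addons[].id`, `defaultLocale.name/creator`, `userPermissions`) and uses constructed sample data with placeholder IDs, not real indicators.

```python
import json

# Constructed sample: the same add-on ID as seen in two snapshots of a Firefox
# profile's extensions.json. Field names follow Firefox's on-disk format
# (assumed); values are invented for illustration, not real indicators.
SNAPSHOT_BEFORE = json.dumps({"addons": [
    {"id": "example-wallet@placeholder.invalid", "version": "1.2.0",
     "defaultLocale": {"name": "Example Wallet Helper", "creator": "Example Dev"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
]})
SNAPSHOT_AFTER = json.dumps({"addons": [
    {"id": "example-wallet@placeholder.invalid", "version": "2.0.0",
     "defaultLocale": {"name": "MetaMask Wallet", "creator": "Wallet Team"},
     "userPermissions": {"permissions": ["storage", "webRequest"],
                         "origins": ["<all_urls>"]}},
]})

def index_addons(snapshot_json):
    """Map add-on ID -> name, creator, version and the set of granted permissions/origins."""
    out = {}
    for a in json.loads(snapshot_json).get("addons", []):
        loc = a.get("defaultLocale") or {}
        perms = a.get("userPermissions") or {}
        grants = set(perms.get("permissions", [])) | set(perms.get("origins", []))
        out[a["id"]] = {"name": loc.get("name"), "creator": loc.get("creator"),
                        "version": a.get("version"), "grants": grants}
    return out

def diff_addons(before_json, after_json):
    """Flag add-ons whose identity (name/creator) or grants changed between snapshots."""
    before, after = index_addons(before_json), index_addons(after_json)
    findings = []
    for aid, new in after.items():
        old = before.get(aid)
        if old is None:
            continue  # newly installed since the last snapshot; nothing to compare
        reasons = []
        if new["name"] != old["name"]:
            reasons.append(f"name changed: {old['name']!r} -> {new['name']!r}")
        if new["creator"] != old["creator"]:
            reasons.append(f"creator changed: {old['creator']!r} -> {new['creator']!r}")
        added = new["grants"] - old["grants"]
        if added:
            reasons.append(f"new grants: {sorted(added)}")
        if reasons:
            findings.append({"id": aid, "version": new["version"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in diff_addons(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f["id"], f["version"], *f["reasons"], sep="\n  ")
```

Run against a snapshot taken at install time and the current file; any add-on reported here deserves a closer look before it is allowed to keep its wallet access.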
“The weaponized extensions capture wallet credentials directly from the user's input fields within the extension's pop-up interface and exfiltrate them to a remote server controlled by the group,” Koi Security said in its write-up.
“During initialization, they also transmit the victim's external IP address, probably for tracking or targeting purposes.”
The malicious code was partly generated with the help of AI, the experts said, naming the campaign “GreedyBear” and stating that it has already netted more than one million dollars.
The “bear” in the name could be a reference to Russia, since the operation is apparently complemented by dozens of pirated-software websites distributing 500 malware variants, as well as fake Trezor, Jupiter and other crypto websites. All of them are written in Russian.
The malware distributed through the websites is generic, the researchers added, with Lumma Stealer standing out as the most notable name.
All of the sites are linked to the same IP address, which means that a single entity is running the entire operation.
Koi Security reported its findings to Mozilla, which quickly removed all the malicious add-ons from its repository. However, users who downloaded them in the meantime remain at risk until they remove the add-ons from their browsers and reset all their login credentials.
Via BleepingComputer