
Understanding the Firefox Add-ons Malware Campaign

Updated: Feb 3

Malware in the Metadata


Security firm Koi Security recently identified 17 malicious Firefox extensions that appeared, on the surface, to be helpful tools. These add-ons offered popular functionalities such as "Free VPNs," ad blockers, dark mode toggles, and translation services. While the visible JavaScript code of these extensions seemed benign, the threat was concealed within their PNG icon files.


Standard security scans typically examine an extension’s functional code but overlook image assets. The attackers exploited this by appending malicious JavaScript to the end of the icon's raw data, separated by a specific marker (===). To the user and the browser, the icon rendered perfectly; however, a hidden extraction routine within the extension was programmed to find that marker and execute the hidden payload.
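As an added example (not code from the article or from Koi Security's analysis), the following Python scanner walks a PNG's chunk structure, reports any bytes that follow the IEND chunk, and then looks for the === marker described above; it goes slightly beyond the article by also surfacing trailing data that lacks the marker, which catches variants of the same trick. The sample icons are constructed inline, the exact marker form is an assumption, and the function names are hypothetical.

```python
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # separator described in the article; exact form assumed

def png_chunks(data: bytes):
    """Yield (chunk_type, end_offset) for each chunk until IEND; reject malformed input."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header + payload + CRC
        if pos > len(data):
            raise ValueError("truncated chunk")
        yield ctype, pos
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")

def trailing_data(data: bytes) -> bytes:
    """Bytes after IEND. A clean PNG returns b''; anything else deserves a look."""
    ends = [off for _, off in png_chunks(data)]
    return data[ends[-1]:]

def find_hidden_payload(data: bytes) -> Optional[bytes]:
    """Return the bytes following the '===' marker in the trailing data, or None."""
    tail = trailing_data(data)
    idx = tail.find(MARKER)
    return None if idx == -1 else tail[idx + len(MARKER):]

def make_png() -> bytes:
    """Build a minimal valid 1x1 greyscale PNG (constructed sample input)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x80")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

CLEAN_ICON = make_png()
# Constructed tampered sample: harmless placeholder text, not the campaign's real code.
TAMPERED_ICON = CLEAN_ICON + MARKER + b"console.log('payload would be eval()ed here');"
```

Running find_hidden_payload over every .png in an unpacked extension directory gives a quick triage signal; any non-empty trailing_data result, marker or not, should be treated as suspicious.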


The Infection Chain and Monetisation


The campaign, which includes extensions like "Free VPN Forever" (with over 16,000 installs), uses a multi-stage approach to remain undetected:


  • Delayed Execution: The malware waits 48 hours before communicating with its command-and-control (C2) server.

  • Probabilistic Targeting: It only activates on roughly 10% of infected devices to avoid drawing attention from security researchers.

  • Encrypted Payloads: Attackers use custom ciphers and Base64 encoding to mask the instructions sent to the browser.


Once active, the malware's primary goal is financial gain through affiliate fraud. It intercepts traffic to major e-commerce platforms like Taobao and JD.com, hijacking affiliate links so that purchase commissions are redirected to the hackers. Furthermore, the malware strips away browser security headers, injects hidden iframes for ad fraud, and creates a backdoor for potential Remote Code Execution (RCE).


Validating the Threat: Steganography on the Rise


This discovery aligns with a broader trend in the cybersecurity landscape where "living off the land" (using legitimate files for illegitimate purposes) is becoming a preferred tactic for threat actors.


  1. Bitdefender Research: Similar techniques have been documented by Bitdefender, which previously identified "MosaicLoader"—a malware strain that used steganography to hide malicious code within image files to deliver various payloads, including miners and info-stealers.


  2. Mozilla’s Response Policy: Historically, Mozilla has struggled with "Bad Add-ons." According to The Register, Mozilla has previously removed hundreds of extensions for violating data collection policies, but the use of image-based steganography represents a more technical challenge for their automated validation pipeline.


  3. Check Point Research: Security analysts at Check Point have noted that the "Free VPN" lure is one of the most common vectors for browser-based malware, as users are often willing to grant extensive permissions to these tools in exchange for bypassing regional content blocks.


Affected Extensions


Users are urged to check their browser settings and immediately remove the following extensions if found:


  • free-vpn-forever

  • weather-best-forecast

  • ad-stop

  • screenshot-saved-easy

  • crxmouse-gesture

  • world-wide-vpn

  • cache-fast-site-loader

  • freemp3downloader

  • dark-reader-for-ff

  • google-translate-pro

  • i-like-weather

  • libretv-watch-free-videos


Conclusion


This incident serves as a stark reminder that "free" digital tools often come with a hidden price. When an extension requests broad permissions to "access your data for all websites," it should be treated with extreme caution, regardless of how many positive reviews it may appear to have.


The Importance of Cybersecurity Awareness


As we navigate the digital landscape, it's crucial to remain vigilant. Cyber threats are evolving, and so must our awareness. Understanding the tactics used by attackers can help us protect ourselves and our businesses.


Recognising the Signs of Malware


How can you tell if an extension is safe? Look for signs of legitimacy. Check the developer's website, read user reviews, and be cautious of extensions that request excessive permissions.


Best Practices for Online Safety


To enhance your online safety, consider these best practices:


  • Regularly Update Your Software: Keeping your browser and extensions updated can help protect against vulnerabilities.

  • Use Trusted Sources: Download extensions only from official stores or trusted developers.

  • Employ Security Tools: Consider using antivirus software and browser security extensions to add an extra layer of protection.


Conclusion Revisited


In conclusion, the rise of sophisticated malware campaigns highlights the need for ongoing vigilance. By staying informed and adopting best practices, we can navigate the digital world more safely. Remember, your online safety is in your hands.
