Cybersecurity researchers have recently uncovered a new campaign, dubbed GreedyBear, that has successfully stolen over $1 million in digital assets. This sophisticated operation leveraged over 150 malicious extensions in the Firefox browser marketplace, which were designed to impersonate popular cryptocurrency wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet. The campaign is notable for its innovative use of a technique called Extension Hollowing to bypass Mozilla’s security safeguards and exploit user trust. This method highlights a new level of cunning from cybercriminals who are adapting their tactics to evade detection.
The Deceptive “Extension Hollowing” Technique
The core of the GreedyBear campaign is a technique known as Extension Hollowing. Instead of trying to push malicious extensions past marketplace review at submission time, the attackers first build a portfolio of seemingly legitimate but non-functional extensions: they create a publisher account and upload innocuous add-ons that pass initial scrutiny. To build credibility, they post fake positive reviews that create an illusion of trustworthiness. Once the extensions are established and have flown under the radar, the attackers modify their code to add the malicious capabilities that steal wallet credentials and other sensitive information. This phased approach lets the threat actors weaponize extensions that have already been accepted, at the point where they are least expected to be a threat.
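The defensive lesson of Extension Hollowing is that the version reviewed at submission says nothing about what a later update carries, so the update itself is what needs checking. The following script is an added example, not code from the article or from any vendor: it diffs two WebExtension manifest.json documents (constructed here to illustrate a benign placeholder add-on and a hypothetical weaponized update) and flags newly added permissions and content-script injection targets. The list of high-risk permissions is this example's own judgement, and the manifests are not real GreedyBear artifacts.

```python
import json
from typing import Dict, List, Set

# Constructed sample manifests in WebExtension manifest.json format. The "before"
# manifest is a harmless placeholder add-on of the kind the campaign seeds the
# marketplace with; the "after" manifest is a hypothetical weaponized update.
# Neither is a real GreedyBear artifact.
MANIFEST_BEFORE = json.dumps({
    "manifest_version": 2,
    "name": "Wallet Helper",
    "version": "1.0.0",
    "permissions": ["storage"],
    "browser_action": {"default_popup": "popup.html"},
})

MANIFEST_AFTER = json.dumps({
    "manifest_version": 2,
    "name": "Wallet Helper",
    "version": "1.0.1",
    "permissions": ["storage", "tabs", "webRequest", "<all_urls>"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}
    ],
    "browser_action": {"default_popup": "popup.html"},
})

# Permissions whose sudden appearance in an update of a previously benign
# extension deserves a manual look (this selection is the example's own choice).
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "tabs",
    "cookies", "clipboardRead", "nativeMessaging", "downloads",
}


def permission_set(manifest: dict) -> Set[str]:
    """API and host permissions, covering both MV2 and MV3 manifest layouts."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def content_script_matches(manifest: dict) -> Set[str]:
    """Every URL match pattern that a content script is injected into."""
    patterns: Set[str] = set()
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def content_script_files(manifest: dict) -> Set[str]:
    """Every JavaScript file loaded as a content script."""
    return {js for script in manifest.get("content_scripts", []) for js in script.get("js", [])}


def diff_manifests(before_json: str, after_json: str) -> Dict[str, List[str]]:
    """Report what an update adds compared to the previously reviewed version."""
    before = json.loads(before_json)
    after = json.loads(after_json)
    added_perms = sorted(permission_set(after) - permission_set(before))
    return {
        "added_permissions": added_perms,
        "high_risk_permissions": sorted(p for p in added_perms if p in HIGH_RISK_PERMISSIONS),
        "added_content_script_matches": sorted(content_script_matches(after) - content_script_matches(before)),
        "added_content_script_files": sorted(content_script_files(after) - content_script_files(before)),
    }


def review_required(report: Dict[str, List[str]]) -> bool:
    """True when the update widens reach in a way a routine bug-fix release rarely does."""
    return bool(report["high_risk_permissions"] or report["added_content_script_matches"])


if __name__ == "__main__":
    report = diff_manifests(MANIFEST_BEFORE, MANIFEST_AFTER)
    for key, values in report.items():
        print(f"{key}: {values}")
    print("review required:", review_required(report))
```

Run against the two constructed manifests, the report shows three added permissions (all high-risk), a new content script injected into every page, and a new script file, so review_required() returns True; diffing a manifest against itself returns False. In an enterprise setting the same comparison can run over the extension directories on managed endpoints, comparing each installed version against the last one that was approved.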
How the Malicious Extensions Steal Funds
Once weaponized, the fake extensions have a single goal: stealing digital assets. They capture the wallet credentials that unsuspecting users enter and exfiltrate them to a server controlled by the attackers. Beyond credentials, the extensions also collect victims’ IP addresses, likely for tracking purposes. This campaign is an evolution of a previous operation known as Foxy Wallet, which used a similar strategy on a smaller scale, with only 40 malicious extensions. The surge in the number of extensions associated with GreedyBear indicates a significant expansion of the operation and of its potential to affect a wider range of users.
The GreedyBear campaign is not limited to just malicious browser extensions. The threat actors behind it also distribute malicious executables through various Russian websites that offer cracked and pirated software. These downloads lead to the deployment of information stealers and even ransomware on victims’ computers. Furthermore, the criminals operate scam sites that pose as legitimate cryptocurrency products and services, such as wallet repair tools. These sites are designed to trick users into providing their wallet credentials or payment details, leading to both credential theft and financial fraud. The discovery of a single IP address—185.208.156[.]66—acting as a command-and-control server for all three attack verticals strongly links them to the same threat actor.
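Because the three attack verticals share one command-and-control address, that address is the single most useful indicator for defenders: any host that exfiltrated wallet credentials, ran one of the trojanized downloads, or interacted with a scam site would have contacted it. The script below is an added example, not part of the article, showing how to turn the defanged indicator from the write-up into a match over egress logs. The log format (timestamp, source IP, destination IP, port, action, bytes out) and the log lines are constructed for the example; only the C2 address comes from the article.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Indicator as published in the write-up (defanged). refang() turns it back into
# a real address so it can be compared with parsed log fields.
C2_INDICATORS_DEFANGED = ["185.208.156[.]66"]


def refang(indicator: str) -> str:
    """Convert a defanged IP indicator such as 1.2.3[.]4 into 1.2.3.4."""
    return indicator.replace("[.]", ".")


C2_IPS = {ipaddress.ip_address(refang(i)) for i in C2_INDICATORS_DEFANGED}

# Constructed sample egress log, whitespace separated:
# timestamp src_ip dst_ip dst_port action bytes_out
# Sources are private addresses; benign destinations use documentation ranges.
# Not real telemetry.
SAMPLE_LOG = """\
2025-08-07T10:14:02Z 10.0.0.21 203.0.113.10 443 ALLOW 1820
2025-08-07T10:14:09Z 10.0.0.21 185.208.156.66 443 ALLOW 4312
2025-08-07T10:15:11Z 10.0.0.35 185.208.156.66 80 ALLOW 256
2025-08-07T10:16:40Z 10.0.0.21 198.51.100.7 443 ALLOW 900
garbage line that must be skipped rather than crash the parser
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; return None for malformed lines instead of raising."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    ts, src, dst, port, action, nbytes = match.groups()
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "action": action,
            "bytes_out": int(nbytes),
        }
    except ValueError:  # not a valid IP address in the src/dst fields
        return None


def find_c2_contacts(log_text: str) -> List[Dict]:
    """Return every parsed record whose destination is a known C2 address."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and record["dst"] in C2_IPS:
            hits.append(record)
    return hits


def affected_hosts(hits: List[Dict]) -> List[str]:
    """Distinct internal sources that contacted the C2, for triage and isolation."""
    return sorted({str(h["src"]) for h in hits})


if __name__ == "__main__":
    contacts = find_c2_contacts(SAMPLE_LOG)
    for c in contacts:
        print(f'{c["ts"]} {c["src"]} -> {c["dst"]}:{c["port"]} ({c["bytes_out"]} bytes out)')
    print("hosts to triage:", affected_hosts(contacts))
```

Over the constructed log, two records match the C2 address and two internal hosts are returned for triage; the malformed line is skipped. Matching on the parsed ipaddress objects rather than on raw strings avoids both false negatives from formatting differences and accidental substring matches such as 185.208.156.6 inside a longer address.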
Evidence suggests that the GreedyBear campaign’s tactics are now branching out to target other browser marketplaces, with the discovery of a malicious Google Chrome extension using the same command-and-control server. Adding to the complexity and danger, an analysis of the artifacts has found signs that some of the malicious code may have been generated using AI-powered tools. This discovery highlights the increasing misuse of AI by cybercriminals to develop and scale their attacks more quickly and effectively. The variety of tools and tactics employed by the GreedyBear group indicates they are operating a broad malware distribution pipeline, capable of shifting their strategies as needed to evade detection and maximize their illicit gains.