Ghostposter Attacks Hide Malicious Javascript In Firefox Addon Logos

A new campaign dubbed 'GhostPoster' is hiding JavaScript code in the image logo of malicious Firefox extensions with more than 50,000 downloads, to monitor browser activity and plant a backdoor.

The malicious code grants operators persistent high-privilege access to the browser, enabling them to hijack affiliate links, inject tracking code, and commit click and ad fraud.

The hidden script is acting as a loader that fetches the main payload from a remote server. To make the process more difficult to detect, the payload is intentionally retrieved only once in ten attempts.

Koi Security researchers discovered the GhostPoster campaign and identified 17 compromised Firefox extensions that either read the PNG logo to extract and execute the malware loader or download the main payload from the attacker's server.

It should be noted that the malicious extensions are from popular categories:

The researchers say that not all the extensions above use the same payload loading chain, but all of them exhibit the same behavior and communicate with the same infrastructure.

The FreeVPN Forever extension was the one Koi Security analyzed initially after its AI tool flagged it for parsing the raw bytes of its logo image file to locate a JavaScript snippet hidden using the steganography technique.

The JavaScript loader activates 48 hours later to fetch a payload from a hardcoded domain. A second backup domain is available if the payload is not retrieved from the first one.

According to Koi Security, the loader is mostly dormant and gets the payload only 10% of the time, making it likely to evade detection from traffic monitoring tools.

The downloaded payload is heavily obfuscated via case swapping and base64 encoding. A cipher decodes it and then XOR-encrypts it using a key derived from the extension’s runtime ID.

Source: BleepingComputer