BleepingComputer reports that malicious JavaScript code has been covertly embedded in the icons of 17 Firefox extensions to facilitate browser activity tracking and backdoor deployment as part of the new GhostPoster campaign.All of the illicit Firefox add-ons, which have already been removed by Mozilla after being installed over 50,000 times, enabled malware deployment either by reading the PNG logo or downloading it from the attacker's server, according to an analysis from Koi Security. Researchers found that the FreeVPN Forever extension parsed its logo image file's raw bytes to find a concealed JavaScript loader, which was activated two days later to retrieve a payload from a hardcoded domain.Aside from taking over major e-commerce sites' affiliate links and compromising user-visited webpages with Google Analytics tracking, the nefarious payload also removes security headers from HTTP responses, leverages various techniques to evade CAPTCHA, and injects self-removing iframes for ad fraud, click fraud, and tracking. While no password exfiltration or direct phishing page redirects have been conducted as part of the campaign, attackers could potentially launch a more dangerous payload, researchers added.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
Related Terms
AdwareYou can skip this ad in 5 seconds




