GreedyBear Steals $1M in Crypto Using 150+ Malicious Firefox Wallet Extensions
Briefly

GreedyBear is a newly uncovered campaign that has deployed over 150 malicious extensions on the Firefox marketplace, impersonating popular cryptocurrency wallets such as MetaMask and Exodus. These fake extensions employ a method called Extension Hollowing, allowing attackers to bypass Mozilla's safeguards and exploit user trust. Attackers first create authentic-seeming extensions and, after passing initial reviews, modify them to steal wallet credentials. The campaign, linked to a previous effort named Foxy Wallet, reflects increased activity in stealing digital assets, also tied to distributing malicious software through compromised sites.
"Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody's watching," Admoni said.
The fake extensions are designed to capture wallet credentials entered by unsuspecting users and exfiltrate them to an attacker-controlled server.
The campaign is assessed to be an extension of a previous iteration called Foxy Wallet, in which the threat actors published no fewer than 40 malicious browser extensions.
The latest spike in the number of extensions indicates the growing scale of the operation.
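The "publish clean, weaponize on a later update" pattern described above can be caught on the endpoint by diffing each extension's permission set against the version that was originally reviewed. The following is an added example, not code from the article or from the campaign; the snapshots, extension IDs and the sensitive-permission watch-list are constructed assumptions.

```python
# Added example, not code from the article: a baseline diff that flags extensions
# whose permission set grew between the reviewed version and the current one, the
# signature of an extension being hollowed out after approval. Snapshots here are
# constructed; real ones would come from each extension's manifest.json.

# Assumed watch-list: permissions that let an extension read page content,
# intercept traffic or touch the clipboard, which wallet theft typically needs.
SENSITIVE = {"webRequest", "webRequestBlocking", "clipboardRead",
             "nativeMessaging", "<all_urls>", "*://*/*"}

# Constructed baseline snapshot taken when the extensions were first reviewed.
BASELINE = {
    "wallet-helper@example.test": {"version": "1.0.0", "permissions": {"storage"}},
    "tab-tidy@example.test": {"version": "2.1.0", "permissions": {"tabs"}},
}

# Constructed current state after automatic updates have run.
CURRENT = {
    "wallet-helper@example.test": {
        "version": "1.4.2",
        "permissions": {"storage", "webRequest", "clipboardRead", "<all_urls>"}},
    "tab-tidy@example.test": {"version": "2.1.0", "permissions": {"tabs"}},
    "new-unknown@example.test": {"version": "0.1", "permissions": {"<all_urls>"}},
}


def diff_extensions(baseline, current):
    """Return findings as (ext_id, severity, reason, sorted added permissions)."""
    findings = []
    for ext_id, cur in current.items():
        base = baseline.get(ext_id)
        if base is None:
            # Never reviewed: report it instead of silently trusting it.
            added = set(cur["permissions"])
            sev = "high" if added & SENSITIVE else "medium"
            findings.append((ext_id, sev, "not in baseline", sorted(added)))
            continue
        added = set(cur["permissions"]) - set(base["permissions"])
        if not added:
            continue  # same permission set; a version bump alone is expected
        sev = "high" if added & SENSITIVE else "low"
        reason = f"permissions grew on update {base['version']} -> {cur['version']}"
        findings.append((ext_id, sev, reason, sorted(added)))
    return findings


def high_severity_ids(findings):
    """IDs that should be disabled pending manual review."""
    return sorted(f[0] for f in findings if f[1] == "high")
```

In the constructed data, the wallet helper's jump from `storage` alone to `webRequest`, `clipboardRead` and `<all_urls>` is exactly the post-review change a marketplace review of version 1.0.0 would never have seen.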
Read at The Hacker News