Firefox Wallet Extensions: GreedyBear’s $1M Crypto Heist Using 150+ Malicious Tools


GreedyBear Campaign Uncovers Malicious Firefox Extensions

A recently uncovered campaign known as GreedyBear has used more than 150 malicious extensions in the Firefox marketplace that impersonate well-known cryptocurrency wallets, and has reportedly stolen more than $1 million in digital assets. According to Koi Security researcher Tuval Admoni, these deceptive add-ons masquerade as popular wallets including MetaMask, TronLink, Exodus, and Rabby Wallet. What distinguishes this operation is the use of a technique termed Extension Hollowing, which enables the threat actors to circumvent the security measures implemented by Mozilla and exploit user trust.

Innovative Tactics for Malicious Purposes

Notably, some elements of this campaign were initially identified by cybersecurity researcher Lukasz Olejnik the previous week. Admoni elaborated that instead of attempting to sneak harmful extensions through the initial review, the attackers first build seemingly legitimate extension portfolios, which they later exploit once scrutiny diminishes. The attackers begin by creating a publisher account in the marketplace, uploading harmless extensions with no genuine functionality to pass early inspections, fabricating positive reviews to build credibility, and subsequently updating the extensions to include malicious capabilities.
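The hollowing sequence above means the dangerous change arrives as an update to an already-approved extension, so a defender reviewing an update should diff its manifest against the previously approved one. The script below is an added example, not code from the report or from Mozilla; it compares two constructed manifests and scores the update on newly added high-risk permissions, broad host patterns and new content scripts (the thresholds and the permission list are assumptions for illustration).

```python
import json

# Constructed sample manifests (not real campaign artifacts): the benign first
# upload and a later update of the same extension, as a hollowing step would produce.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Wallet Helper", "version": "1.0",
    "permissions": ["storage"],
    "background": {"scripts": ["bg.js"]},
})
UPDATED_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Wallet Helper", "version": "1.1",
    "permissions": ["storage", "<all_urls>", "tabs", "webRequest"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    "background": {"scripts": ["bg.js"]},
})

# Permissions that let an extension read pages or talk to arbitrary hosts;
# assumed list for this example. Appearing only in an update is the signal.
HIGH_RISK = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
             "clipboardRead", "cookies", "nativeMessaging"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _hosts(manifest: dict) -> set[str]:
    """Collect host/match patterns from permissions, host_permissions and content scripts."""
    hosts = {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    hosts |= set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts

def diff_manifests(old_json: str, new_json: str) -> dict:
    """Score what an update adds relative to the previously reviewed manifest."""
    old, new = json.loads(old_json), json.loads(new_json)
    added = set(new.get("permissions", [])) - set(old.get("permissions", []))
    added_hosts = _hosts(new) - _hosts(old)
    new_cs = len(new.get("content_scripts", [])) > len(old.get("content_scripts", []))
    broad = added_hosts & BROAD_HOSTS
    # Weighting is an assumption: broad host access counts double.
    score = len(added & HIGH_RISK) + 2 * len(broad) + (1 if new_cs else 0)
    return {"added_permissions": sorted(added), "added_hosts": sorted(added_hosts),
            "new_content_scripts": new_cs, "risk_score": score, "suspicious": score >= 3}

if __name__ == "__main__":
    print(diff_manifests(BENIGN_MANIFEST, UPDATED_MANIFEST))
```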

Mechanism of Attack and Data Theft

The counterfeit extensions are specifically designed to capture wallet credentials entered by unsuspecting users and transmit this sensitive information to servers controlled by the attackers. Additionally, they collect the victims’ IP addresses, likely for tracking purposes. This latest surge in the number of malicious extensions appears to be a continuation of a prior operation named Foxy Wallet, which previously saw the release of at least 40 harmful browser extensions for Mozilla Firefox with similar objectives. The recent increase in extensions suggests a significant escalation of this operation.

Multi-Faceted Attack Strategies

The fraudulent wallet attacks are complemented by campaigns that distribute malicious executables through various Russian websites that offer cracked and pirated software, leading to the installation of information-stealing malware and even ransomware. The GreedyBear actors are also adept at creating scam websites that impersonate cryptocurrency services, such as wallet repair tools, potentially deceiving users into divulging their wallet credentials or payment information, resulting in identity theft and financial fraud.

Linking the Attacks to a Single Threat Actor

Koi Security has established a connection between these three attack vectors, linking them to a single threat actor by noting that the domains used in these operations all resolve to a single IP address, 185.208.156[.]66, which functions as a command-and-control (C2) server for managing data collection. Evidence suggests that the extension-related attacks may be expanding to target additional browser marketplaces, as indicated by the discovery of a Google Chrome extension named Filecoin Wallet that uses the same C2 server and underlying logic for credential theft.
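The shared-IP pivot Koi Security used to tie the campaigns together is something a defender can run over their own resolver logs. The script below is an added example, not Koi Security's tooling; it clusters queried domains by answer IP over a few constructed log lines, then flags a cluster when the IP is the C2 address named above or when two or more domains on the same IP carry the wallet brand names the report lists (the log line format and the two-lookalike threshold are assumptions).

```python
import re
from collections import defaultdict

# Known C2 address from the report, defanged in the article and normalised here.
KNOWN_C2 = {"185.208.156[.]66".replace("[.]", ".")}
# Wallet brands impersonated in the campaign; domains carrying these tokens are
# worth clustering even when the resolved IP is not yet on a blocklist.
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby")

# Constructed sample resolver log lines (not real campaign data), assumed format:
# "<timestamp> <client_ip> <qname> A <answer_ip>".
SAMPLE_LOG = """\
2025-08-08T10:01:02Z 10.0.0.5 metamask-wallet-update.example A 185.208.156.66
2025-08-08T10:01:09Z 10.0.0.7 tronlink-secure-login.example A 185.208.156.66
2025-08-08T10:02:11Z 10.0.0.5 cdn.example-static.example A 203.0.113.10
2025-08-08T10:03:40Z 10.0.0.9 rabby-wallet-fix.example A 198.51.100.23
2025-08-08T10:03:41Z 10.0.0.9 exodus-repair-tool.example A 198.51.100.23
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\d{1,3}(?:\.\d{1,3}){3})$")

def cluster_by_answer(log_text: str) -> dict[str, set[str]]:
    """Group queried domain names by the IP address they resolved to."""
    clusters = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            clusters[m.group(4)].add(m.group(3).lower())
    return dict(clusters)

def flag_clusters(log_text: str) -> dict[str, dict]:
    """Flag an IP that is a known C2, or that hosts two or more wallet lookalikes."""
    findings = {}
    for ip, domains in cluster_by_answer(log_text).items():
        lookalikes = sorted(d for d in domains if any(b in d for b in WALLET_BRANDS))
        reasons = []
        if ip in KNOWN_C2:
            reasons.append("known C2")
        if len(lookalikes) >= 2:
            reasons.append("multiple wallet lookalikes")
        if reasons:
            findings[ip] = {"domains": sorted(domains), "lookalikes": lookalikes,
                            "reasons": reasons}
    return findings

if __name__ == "__main__":
    for ip, info in flag_clusters(SAMPLE_LOG).items():
        print(ip, info["reasons"], info["domains"])
```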

AI-Powered Tools in Cybercrime

Compounding the situation, an examination of the artifacts has revealed indications that they may have been generated using artificial intelligence (AI)-based tools. This highlights a concerning trend where cybercriminals are increasingly leveraging AI technologies to conduct large-scale attacks efficiently. Admoni commented that the variety in tactics indicates that the group is not limited to a single toolset but is operating a comprehensive malware distribution pipeline, capable of adapting its strategies as necessary. “The campaign has significantly evolved, and the distinguishing factors now are its scale and scope, transforming into a multi-platform credential and asset theft initiative, supported by a vast array of malware samples and scam infrastructure.”

Ethereum Drainers Disguised as Trading Bots

In a related development, SentinelOne has raised alarms about a widespread and ongoing cryptocurrency scam involving the distribution of a malicious smart contract disguised as a trading bot, aimed at draining user wallets. This fraudulent Ethereum drainer operation, which has been active since early 2024, is believed to have already generated over $900,000 in illicit profits for the perpetrators. Researcher Alex Delamotte noted that these scams are promoted through YouTube videos that claim to explain how the crypto trading bot works and give instructions for deploying a smart contract via the Remix Solidity Compiler, a web-based platform for Web3 projects.

Exploiting Credibility through AI and Aged Accounts

The videos allegedly utilize AI-generated content and are uploaded from established accounts that aggregate cryptocurrency news as playlists to build a facade of legitimacy. The comment sections of these videos are filled with overwhelmingly positive feedback, indicating that the scammers are actively managing comments to eliminate any negative responses. One of the YouTube accounts driving the scam was created in October 2022, suggesting that the fraudsters either gradually enhanced the account’s credibility over time or may have acquired it from services that sell aged YouTube channels through platforms like Telegram and dedicated websites.

The Mechanics of the Scam

The scam escalates when victims are instructed to deploy the smart contract. They are subsequently directed to send ETH to this newly created contract, which reroutes the funds to a concealed wallet controlled by the attackers. Delamotte emphasized that the combination of AI-generated content and the availability of aged YouTube accounts for purchase allows even modestly resourced actors to acquire established accounts that the YouTube algorithm favors, enabling them to weaponize these accounts to disseminate tailored content under a false pretext of legitimacy.