Full Report
A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.
Analysis Summary
# Tool/Technique: GhostPoster Campaign (Malicious JavaScript in Firefox Add-ons)
## Overview
The GhostPoster campaign hides malicious JavaScript inside the logo files shipped with 17 Mozilla Firefox browser add-ons. Its objective is ad fraud and affiliate-revenue theft: it hijacks affiliate links, injects tracking code, and performs unauthorized actions inside the victim's browsing sessions.
## Technical Details
- Type: Malicious JavaScript shipped inside Firefox browser add-ons, with the first stage hidden in the add-ons' bundled logo (image) files
- Platform: Mozilla Firefox (users who installed any of the 17 add-ons)
- Capabilities: Affiliate link hijacking, tracking injection, security policy stripping, hidden iframe injection, CAPTCHA bypass.
- First Seen: The oldest listed affected add-on was published on October 25, 2024.
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- T1176 - Browser Extensions (the malicious code ships inside installed Firefox add-ons; installation from the store is the entry point, so Drive-by Compromise does not apply)
- **TA0002 - Execution**
- T1059.007 - Command and Scripting Interpreter: JavaScript
- **TA0005 - Defense Evasion**
- T1027.003 - Obfuscated Files or Information: Steganography (first stage hidden in logo image files)
- T1027 - Obfuscated Files or Information (custom encoding of the main payload)
- T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion (activation delayed more than six days; loader fetches the payload only 10% of the time)
- **TA0009 - Collection**
- T1185 - Browser Session Hijacking (affiliate link rewriting and tracking injection inside the victim's sessions)
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (loader and main payload retrieved from the C2 servers)
## Functionality
### Core Capabilities
- **Payload Delivery via Steganography:** The first stage is hidden in the add-ons' logo files (e.g., PNG files); the code locates a marker string ("===") in the image bytes and reads what follows it as JavaScript.
- **Multi-stage Infection:** That first stage fetches a loader, which in turn tries to retrieve the main payload from external servers.
- **Monetization via Link Hijacking:** Intercepts affiliate links (e.g., to Taobao, JD.com) to redirect commission earnings to the attacker.
- **Tracking Injection:** Inserts Google Analytics tracking code into all visited web pages to profile users.
### Advanced Features
- **Evasion and Dormancy:** The loader attempts to fetch the main payload only 10% of the time, keeping C2 traffic sparse and easy to miss in short network captures.
- **Time-Delayed Activation:** The malware does not activate until more than six days after installation, so a fresh install reviewed for a few hours shows nothing.
- **Security Policy Stripping:** Removes HTTP security headers such as `Content-Security-Policy` and `X-Frame-Options` from responses, which leaves the victim's pages open to XSS and clickjacking and lets content that forbids framing be loaded into the malware's hidden iframes.
- **Bot Detection Evasion:** Uses CAPTCHA bypass methods so that the fraudulent activity driven through hidden iframes is not blocked by bot defences.
- **Backdoor Establishment:** Researchers state that the payload establishes a backdoor that could be used for remote code execution.
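The header-stripping behaviour above has a recognisable shape inside a Firefox WebExtension. The following is an added example, not GhostPoster code and not from Koi Security: a pure filter that removes the two headers the report names, the `webRequest.onHeadersReceived` registration an auditor should grep an add-on for, and a check that compares the headers a server sent with what the browser ended up seeing. Treating the listener shape as the indicator, and limiting the stripped set to the two headers the report mentions, are this example's assumptions.

```javascript
// Added example, not the GhostPoster code. Shows the shape the reported
// header stripping takes in a Firefox WebExtension and a defender-side
// check. The stripped set holds only the two headers the report names.
const STRIPPED = new Set(['content-security-policy', 'x-frame-options']);

// Pure filter: returns the surviving headers and the names that were dropped.
function stripSecurityHeaders(responseHeaders) {
  const kept = [];
  const dropped = [];
  for (const h of responseHeaders) {
    (STRIPPED.has(h.name.toLowerCase()) ? dropped : kept).push(h);
  }
  return { responseHeaders: kept, dropped: dropped.map(h => h.name) };
}

// The registration to look for when auditing an add-on. It requires the
// "webRequest" and "webRequestBlocking" permissions plus a host permission
// such as "<all_urls>" in manifest.json; that combination in an add-on with
// no legitimate reason to edit responses is itself a review finding.
// Guarded so the file also runs outside a browser.
if (typeof browser !== 'undefined' && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    details => ({ responseHeaders: stripSecurityHeaders(details.responseHeaders).responseHeaders }),
    { urls: ['<all_urls>'] },
    ['blocking', 'responseHeaders'],
  );
}

// Defender's check: given the headers fetched directly from the server
// (e.g. with curl) and the headers observed in the browser's network panel,
// list the security headers that went missing in between.
function missingSecurityHeaders(serverHeaders, browserHeaders) {
  const seen = new Set(browserHeaders.map(h => h.name.toLowerCase()));
  return serverHeaders
    .map(h => h.name.toLowerCase())
    .filter(name => STRIPPED.has(name) && !seen.has(name));
}

// Constructed sample response (not captured from any real site).
const SERVER_HEADERS = [
  { name: 'Content-Type', value: 'text/html; charset=utf-8' },
  { name: 'Content-Security-Policy', value: "default-src 'self'" },
  { name: 'X-Frame-Options', value: 'DENY' },
];
const IN_BROWSER = stripSecurityHeaders(SERVER_HEADERS).responseHeaders;
console.log(missingSecurityHeaders(SERVER_HEADERS, IN_BROWSER));
```

Run with `node` to see the two header names the filter removed; in a real investigation the `IN_BROWSER` list would come from the browser's network panel while `SERVER_HEADERS` comes from a request made outside the browser, and any name returned by `missingSecurityHeaders` points at something between the two that is rewriting responses.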
## Indicators of Compromise
- **File Hashes:** Not provided in the text.
- **File Names:** Modified logo files bundled with the 17 add-ons (examples named in the report: Free VPN, Screenshot, Dark Reader Dark Mode, several Google Translate utilities).
- **Registry Keys:** Not applicable (browser extension manipulation).
- **Network Indicators:**
- `www[.]liveupdt[.]com`
- `www[.]dealctr[.]com`
- **Behavioral Indicators:**
- Parsing image/logo files for the "===" marker.
- Delayed, probabilistic network connections to C2 infrastructure.
- Modification or stripping of HTTP response headers (CSP, X-Frame-Options).
- Injection of hidden iframes on visited websites.
## Associated Threat Actors
- A single, yet unnamed, threat actor or group is strongly indicated due to the unified C2 infrastructure and consistent behavior observed across all 17 add-ons.
## Detection Methods
- **Signature-based detection:** Block and alert on DNS lookups and HTTP connections to the two C2 domains listed above; because the loader reaches out only 10% of the time and only after the six-day delay, a single clean capture is not evidence of absence.
- **Behavioral detection:** Flag extension code that reads its own image resources as text and evaluates the result, `webRequest` listeners that return `responseHeaders` with CSP or X-Frame-Options removed, and hidden iframes injected into unrelated sites.
- **YARA rules:** The "===" marker on its own is too weak to match on (it is base64 padding and occurs in arbitrary binary data). A rule should anchor on image structure instead, e.g., require the PNG signature at offset 0 and an IEND chunk whose offset plus 8 is less than `filesize`, which catches any payload appended after the image proper.
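The steganographic delivery described under Core Capabilities and the detection heuristic above come down to the same parsing work, so one added example covers both. This is not code from the add-ons or from Koi Security: it builds a minimal but valid 1x1 PNG (a constructed sample), appends a "===" marker plus a constructed payload string, and then shows both the loader's side (pull the text after the marker back out) and the triage side (flag image files that carry bytes after the IEND chunk). The report gives the marker but not where in the file the payload sits; placing it after IEND is this example's assumption, and a payload hidden inside a chunk instead would need the marker search run over the whole file, which is noisier.

```javascript
// Added example, not the GhostPoster code. Constructed 1x1 PNG plus a
// "===" marker and sample payload; assumes the payload is appended after
// the IEND chunk, which the report does not state.
const PNG_SIG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const enc = new TextEncoder();
const dec = new TextDecoder();

// CRC-32 as used by PNG chunks (reflected polynomial 0xEDB88320).
const CRC_TABLE = new Uint32Array(256).map((_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  return c >>> 0;
});
function crc32(bytes) {
  let c = 0xffffffff;
  for (const b of bytes) c = CRC_TABLE[(c ^ b) & 0xff] ^ (c >>> 8);
  return (c ^ 0xffffffff) >>> 0;
}

function concat(parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// PNG chunk: length (4 bytes, big endian) | type (4) | data | CRC over type+data (4).
function chunk(type, data) {
  const out = new Uint8Array(12 + data.length);
  const dv = new DataView(out.buffer);
  dv.setUint32(0, data.length);
  out.set(enc.encode(type), 4);
  out.set(data, 8);
  dv.setUint32(8 + data.length, crc32(out.subarray(4, 8 + data.length)));
  return out;
}

// 1x1 8-bit grayscale image. IDAT is a stored zlib block holding the two
// bytes [filter=0, pixel=0] followed by their Adler-32 (0x00020001).
function buildMinimalPng() {
  const ihdr = new Uint8Array(13);
  const dv = new DataView(ihdr.buffer);
  dv.setUint32(0, 1); // width
  dv.setUint32(4, 1); // height
  ihdr[8] = 8;        // bit depth; colour type, compression, filter, interlace stay 0
  const idat = Uint8Array.from([0x78, 0x01, 0x01, 0x02, 0x00, 0xfd, 0xff, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01]);
  return concat([PNG_SIG, chunk('IHDR', ihdr), chunk('IDAT', idat), chunk('IEND', new Uint8Array(0))]);
}

// Walks the chunk stream and returns the offset just past IEND's CRC, or -1
// if the bytes are not a well-formed PNG. Decoders ignore everything after
// that offset, which is what makes it a convenient place to hide a payload.
function pngEndOffset(bytes) {
  if (bytes.length < 8 || !PNG_SIG.every((b, i) => bytes[i] === b)) return -1;
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let off = 8;
  while (off + 12 <= bytes.length) {
    const len = dv.getUint32(off);
    const type = dec.decode(bytes.subarray(off + 4, off + 8));
    const next = off + 12 + len;
    if (next > bytes.length) return -1; // truncated chunk
    if (type === 'IEND') return next;
    off = next;
  }
  return -1;
}

function indexOfBytes(hay, needle) {
  outer: for (let i = 0; i + needle.length <= hay.length; i++) {
    for (let j = 0; j < needle.length; j++) if (hay[i + j] !== needle[j]) continue outer;
    return i;
  }
  return -1;
}

// Loader's view: the text after the first "===" marker, or null if absent.
function extractMarkerPayload(bytes, marker = '===') {
  const m = enc.encode(marker);
  const i = indexOfBytes(bytes, m);
  return i < 0 ? null : dec.decode(bytes.subarray(i + m.length));
}

// Triage view: how many bytes trail IEND and whether they carry the marker.
// Only the trailing region is searched, because "===" inside compressed
// IDAT data or a tEXt chunk is a common coincidence.
function scanImageFile(bytes) {
  const end = pngEndOffset(bytes);
  if (end < 0) return { validPng: false, trailingBytes: 0, payload: null };
  const trailing = bytes.subarray(end);
  return { validPng: true, trailingBytes: trailing.length, payload: extractMarkerPayload(trailing) };
}

// Constructed samples: a clean logo and the same logo with a payload appended.
const CLEAN_LOGO = buildMinimalPng();
const SAMPLE_PAYLOAD = 'var stage1 = "constructed sample, not the real loader";';
const TAINTED_LOGO = concat([CLEAN_LOGO, enc.encode('===' + SAMPLE_PAYLOAD)]);

console.log(scanImageFile(CLEAN_LOGO));   // trailingBytes 0, payload null
console.log(scanImageFile(TAINTED_LOGO)); // trailingBytes 3 + payload length, payload recovered
```

To triage a real package, unzip the `.xpi`, read each image under the extension's resources into a `Uint8Array`, and run `scanImageFile` on it; a non-zero `trailingBytes` is worth a look even when the marker is absent, since the marker is the part an attacker can change most cheaply. The same trailing-data condition is what a YARA rule should encode.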
## Mitigation Strategies
- **Prevention:** Install extensions only from trusted sources and check the developer's track record. Anyone who installed one of the 17 add-ons should remove it now: the report says they are no longer available, but delisting from the store does not by itself uninstall them from browsers where they are already present.
- **Hardening recommendations:** Browser vendors should scan resource files such as logos inside extension packages for appended or embedded executable content, and treat extension code that reads its own image resources as text as a review flag.
## Related Tools/Techniques
- Other malicious browser extensions that harvested data or injected ads (e.g., the formerly noted VPN extension harvesting AI conversations).
- Steganography techniques used to hide payloads within benign files.