Full Report
More than 40 fake extensions in Firefox's official add-ons store are impersonating popular cryptocurrency wallets from trusted providers to steal wallet credentials and sensitive data. [...]
Analysis Summary
# Tool/Technique: Fake Cryptocurrency Wallet Browser Extensions (Firefox Store)
## Overview
Dozens of malicious browser add-ons, masquerading as legitimate cryptocurrency wallet extensions, were found flooding the Mozilla Firefox add-on store with the intent to steal users' cryptocurrency seed phrases. These fake extensions utilized brand logos, numerous fake five-star reviews, and were actively updated to evade detection.
## Technical Details
- Type: Malware/Technique (Supply Chain Compromise via Add-on Store)
- Platform: Mozilla Firefox
- Capabilities: Impersonation, user trust abuse, credential/seed phrase harvesting.
- First Seen: Ongoing activity reported prior to the article date.
## MITRE ATT&CK Mapping
The campaign is primarily a distribution-channel abuse: the official add-on store is the delivery mechanism, user trust in that store is the lure, and the seed phrase is harvested by the extension itself.
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (the official store is the distribution channel; the user installs the malicious package believing it to be the genuine wallet)
- T1176 - Browser Extensions (the malicious capability runs as an installed Firefox extension)
- T1566 - Phishing (the listing itself, dressed with brand logos and fake reviews, is the lure; the article does not describe how users are directed to it, so no sub-technique is assigned)
- T1056 - Input Capture (implied: the seed phrase is collected when the user types it into the fake wallet's own interface)
## Functionality
### Core Capabilities
- **Impersonation:** Using the real logos and names of legitimate crypto wallet brands (e.g., MetaMask).
- **Review Manipulation:** Employing hundreds of fake five-star reviews to build false credibility.
- **Distribution:** Uploading malicious packages directly to the official Firefox Add-ons store.
### Advanced Features
- **Evasion:** Continuously updating the malicious listings, some within the week before the report, which shows active maintenance even after user reviews had flagged them as scams.
- **Trust Exploitation:** Relying on the perceived security of the official browser extension store.
## Indicators of Compromise
*The article describes a campaign of dozens of unnamed extensions and publishes no specific IOCs. The categories below are generalized from the described behaviour.*
- File Hashes: [Not specified in the article]
- File Names: [Varied names impersonating known wallet extensions]
- Registry Keys: [Not applicable; Firefox extensions are installed under the user's profile directory, not the registry]
- Network Indicators: [Not given in the article; exfiltration of collected seed phrases to attacker infrastructure is implied, but no domains or IPs are named]
- Behavioral Indicators: A listing whose name and logo match a known wallet brand but whose add-on ID or developer does not; an extension that requests overly broad permissions (access to all sites, clipboard, web requests) for what should be a wallet; an extension whose own pages prompt for a seed phrase or private key.
## Associated Threat Actors
- The article attributes the campaign to an unnamed, organized actor or group, likely financially motivated; no named group is identified.
- **Malicious publishers who submitted the add-ons.**
## Detection Methods
- **Signature-based detection:** Unlikely to catch fresh store submissions unless hashes or code patterns are already known.
- **Behavioral detection:** Reviewing the permissions and content-script scope declared in the extension manifest, and watching for extensions that read or transmit data from seed-phrase or private-key input fields.
- **Platform Review:** Mozilla maintains a detection system that relies on automated indicators; high-risk submissions are flagged for human review.
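The behavioral indicators and the review-inflation pattern above can be turned into a simple triage pass over a store listing and the extension's `manifest.json` (read straight out of the `.xpi`, which is a zip, without installing it). The script below is an added example, not code from the article or from Mozilla; the brand watch list, the expected add-on ID for the genuine MetaMask listing, the permission set and the review-ratio threshold are assumptions for illustration and must be re-verified against the official store before real use.

```python
"""Triage a Firefox add-on listing plus its manifest for wallet-impersonation signs.

Added example (not from the article or Mozilla). Watch list, expected IDs,
permission set and thresholds are assumptions; verify before relying on them.
"""
import json
import re
import zipfile

# Assumed watch list: brand keyword -> expected Firefox add-on ID of the genuine
# extension. The article names only MetaMask; re-check the ID on the store.
BRAND_IDS = {
    "metamask": "webextension@metamask.io",  # assumed, verify on addons.mozilla.org
}

# Permissions that let an extension read arbitrary pages, input or traffic.
BROAD_PERMISSIONS = {"<all_urls>", "clipboardRead", "webRequest",
                     "webRequestBlocking", "nativeMessaging", "cookies", "tabs"}
# Host patterns that cover every site.
HOST_ALL = re.compile(r"^(\*://\*/\*|<all_urls>|https?://\*/\*)$")


def manifest_from_xpi(path):
    """Read manifest.json out of an .xpi (a zip archive) without installing it."""
    with zipfile.ZipFile(path) as xpi:
        return json.loads(xpi.read("manifest.json"))


def gecko_id(manifest):
    """Return the declared add-on ID (MV3 'browser_specific_settings' or MV2 'applications')."""
    for key in ("browser_specific_settings", "applications"):
        gecko = manifest.get(key, {}).get("gecko", {})
        if "id" in gecko:
            return gecko["id"]
    return None


def triage_manifest(manifest):
    """Flag a manifest that borrows a wallet brand but not its identity, or asks for broad access.

    Note: a localized name (``__MSG_name__``) must be resolved from _locales first.
    """
    flags = []
    name = manifest.get("name", "").lower()
    declared = gecko_id(manifest)
    for brand, expected_id in BRAND_IDS.items():
        if brand in name and declared != expected_id:
            flags.append(f"name claims {brand} but add-on id is {declared!r}, expected {expected_id!r}")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = sorted(p for p in perms if p in BROAD_PERMISSIONS or HOST_ALL.match(p))
    if broad:
        flags.append("broad permissions: " + ", ".join(broad))
    for script in manifest.get("content_scripts", []):
        matches = script.get("matches", [])
        if any(HOST_ALL.match(m) for m in matches):
            flags.append("content script injected into every site: " + ", ".join(matches))
    return flags


def triage_listing(listing, max_review_ratio=0.5):
    """Flag store metadata where reviews outrun users, the inflation pattern described above.

    The 0.5 reviews-per-user threshold is an assumed cut-off; tune it on real listings.
    """
    flags = []
    users = listing.get("users", 0)
    reviews = listing.get("reviews", 0)
    ratio = reviews / max(users, 1)
    if ratio > max_review_ratio:
        flags.append(f"{reviews} reviews for {users} users (ratio {ratio:.2f})")
    if listing.get("rating") == 5.0 and reviews >= 50:
        flags.append("uniform five-star rating across many reviews")
    return flags


# Constructed sample of what a fake listing and its manifest might look like.
SAMPLE_LISTING = {"name": "MetaMask Wallet", "users": 120, "reviews": 340, "rating": 5.0}
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "MetaMask Wallet",
    "version": "1.0.3",
    "permissions": ["storage", "tabs", "<all_urls>"],
    "applications": {"gecko": {"id": "wallet-helper@example.com"}},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for flag in triage_listing(SAMPLE_LISTING) + triage_manifest(SAMPLE_MANIFEST):
        print("FLAG:", flag)
```

Run it against a downloaded `.xpi` with `triage_manifest(manifest_from_xpi("addon.xpi"))`; a genuine wallet listing with the expected ID and narrow permissions produces no flags, while the constructed sample trips the identity, permission and content-script checks at once.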
## Mitigation Strategies
- **User Education:** Users must verify the developer identity and the add-on ID against the listing linked from the wallet vendor's own site, and check reviews for inconsistencies (e.g., review counts vastly exceeding the number of users).
- **Platform Vetting:** Mozilla needs continuous improvement of its automated systems to detect suspicious metadata (such as review-count inflation) and suspicious functionality before publication.
- **Principle of Least Privilege:** Install only the extensions actually needed and review the permissions requested at install time; a wallet has no reason to read every site or the clipboard. In managed environments, an extension allowlist enforced through browser policy removes this decision from the user entirely.
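For managed Firefox installs, the allowlist can be enforced with the `ExtensionSettings` enterprise policy in `policies.json` (placed in the `distribution` directory of the Firefox installation on Windows and Linux, or delivered via Group Policy or macOS configuration profiles). The fragment below is an added example, not taken from the article; the allowlisted add-on ID is assumed to be the genuine MetaMask listing and must be verified against the official store before deployment.

```json
{
  "policies": {
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Only IT-approved extensions may be installed. Contact the helpdesk to request one."
      },
      "webextension@metamask.io": {
        "installation_mode": "allowed"
      }
    }
  }
}
```

With the wildcard entry set to `blocked`, any add-on not explicitly listed cannot be installed from the store, a sideloaded `.xpi`, or a lookalike listing, regardless of its name, logo or reviews; `force_installed` with an `install_url` can be used instead of `allowed` when the extension should be deployed rather than merely permitted.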
## Related Tools/Techniques
- Fake application/extension flooding campaigns targeting other software stores (e.g., Chrome Web Store).
- Credential harvesting techniques targeting software interfaces.