Full Report
Mozilla has developed a new security feature for its add-on portal that helps block malicious Firefox extensions that drain cryptocurrency wallets. [...]
Analysis Summary
# Tool/Technique: Firefox Crypto Drainer Add-ons (General Category)
## Overview
This refers to malicious browser extensions for Mozilla Firefox designed explicitly to function as **crypto wallet drainers**. These add-ons are submitted to the official add-ons repository (AMO) disguised as legitimate tools, with the ultimate goal of stealing cryptocurrency or digital assets from a victim's wallets by compromising private keys and credentials stored or accessed via the browser.
## Technical Details
- Type: Malware (specifically, malicious Browser Extension/Add-on)
- Platform: Mozilla Firefox (browser extension environment)
- Capabilities: Stealing private keys and credentials related to cryptocurrency wallets; draining digital assets from compromised wallets.
- First Seen: Ongoing threat; Mozilla's discovery and removal efforts imply this threat vector has been active for multiple years.
## MITRE ATT&CK Mapping
*Note: Since this is a generalized threat category involving specific execution environments, mapping focuses on the delivery and credential access aspects.*
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (if the extension delivery acts as a primary initial compromise vector, though typically users proactively install them)
- **TA0006 - Credential Access**
  - T1516 - Application Access Token (Potential, depending on how the extension interacts with session tokens)
- **TA0007 - Discovery**
  - T1553 - Subvert Trust Process
    - T1553.006 - Trusted Developer Certificates (If attempting to look legitimate)
## Functionality
### Core Capabilities
- Masquerading as legitimate cryptocurrency wallet extensions.
- Establishing persistence within the Firefox browser environment.
- Monitoring user activity related to known cryptocurrency wallet interfaces.
### Advanced Features
- Exfiltrating private keys and secret credentials stored or input into wallet interfaces.
- Directly interacting with wallet infrastructure via compromised session data to execute unauthorized transfer transactions, resulting in rapid asset loss for the victim.
## Indicators of Compromise
- File Hashes: Not specified in the context, as this refers to a category of dynamically discovered extensions.
- File Names: Varies; generally mimic names of trusted crypto wallet extensions.
- Registry Keys: Not applicable (Browser Extension specific).
- Network Indicators: Likely involves communication with attacker-controlled C2 infrastructure to relay stolen credentials or confirm successful transaction execution (specific indicators not provided).
- Behavioral Indicators: Unauthorized access to sensitive browser storage pertaining to digital wallets; attempts to execute JavaScript functions associated with asset transfer operations.
## Associated Threat Actors
- Unspecified cybercriminals focused on cryptocurrency theft (often referred to broadly as crypto drainer operators or sophisticated scammers).
## Detection Methods
- **Signature-based detection:** Mozilla reviews and blocks extensions that match signatures of known malicious add-ons or of credential-theft code.
- **Behavioral detection:** Detection of add-ons attempting to read or modify sensitive cryptographic data or initiate outbound network connections unrelated to their stated function.
- **YARA rules:** Not specifically mentioned for extensions, but general web service monitoring could apply.
## Mitigation Strategies
- **Prevention:** Users should only install Firefox add-ons linked directly from the official website of the legitimate software provider (e.g., the official website of their cryptocurrency wallet service).
- **Hardening recommendations:** Regularly review installed browser extensions; only grant necessary permissions to add-ons. Mozilla continuously updates its AMO review process to detect and block these threats.
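A concrete form of the "review installed extensions and their permissions" step, as an added example that is not Mozilla's code and not part of the original report: a Python audit of a Firefox profile's `extensions.json` that flags add-ons with all-site host access, API permissions a wallet helper should not need, a missing AMO signature, or an install source outside addons.mozilla.org. The record field names and the `signedState` value are assumptions based on the current `extensions.json` layout and may differ across Firefox versions; the sample data is constructed.

```python
import json

# Broad host access, and API permissions a wallet-themed add-on rarely needs but a drainer would want.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "clipboardRead",
                         "nativeMessaging", "cookies", "history"}
AMO_SIGNED = 2  # signedState of an add-on signed through AMO (assumed value; check your build)

def assess_addon(addon: dict) -> dict:
    """Return id, name and a list of risk flags for one add-on record (empty list = nothing notable)."""
    flags = []
    perms = addon.get("userPermissions") or {}
    if set(perms.get("origins") or []) & BROAD_ORIGINS:
        flags.append("host access to all sites")
    sensitive = sorted(set(perms.get("permissions") or []) & SENSITIVE_PERMISSIONS)
    if sensitive:
        flags.append("sensitive API permissions: " + ", ".join(sensitive))
    if addon.get("signedState") != AMO_SIGNED:
        flags.append("not signed via AMO")
    source = addon.get("sourceURI") or ""
    if source and "addons.mozilla.org" not in source:
        flags.append("installed from outside AMO: " + source)
    name = (addon.get("defaultLocale") or {}).get("name", "?")
    return {"id": addon.get("id"), "name": name, "flags": flags}

def audit_profile(extensions_json: dict) -> list:
    """Assess every active extension installed in the profile; return only the flagged ones."""
    results = []
    for addon in extensions_json.get("addons", []):
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue  # skip themes, dictionaries and Firefox's own built-in add-ons
        if addon.get("userDisabled") or not addon.get("active", True):
            continue
        report = assess_addon(addon)
        if report["flags"]:
            results.append(report)
    return results

# Constructed sample: one ordinary add-on and one that mimics a wallet helper.
SAMPLE = {"addons": [
    {"id": "adblock@example", "type": "extension", "location": "app-profile", "signedState": 2,
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/a.xpi",
     "defaultLocale": {"name": "Example Ad Blocker"},
     "userPermissions": {"permissions": ["storage", "tabs"], "origins": ["https://example.com/*"]}},
    {"id": "wallet-helper@example", "type": "extension", "location": "app-profile", "signedState": 0,
     "sourceURI": "https://files.example.net/wallet.xpi",
     "defaultLocale": {"name": "Crypto Wallet Helper"},
     "userPermissions": {"permissions": ["clipboardRead", "webRequest", "storage"], "origins": ["<all_urls>"]}},
]}
```

On a real machine, pass `json.load(open("<profile dir>/extensions.json"))` to `audit_profile`. An empty result means nothing notable was found, not that every add-on is benign; flagged entries are the ones to compare against the wallet vendor's official listing.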
## Related Tools/Techniques
- Other cryptocurrency drainer malware delivered via different vectors (e.g., desktop malware, phishing campaigns).
- General browser extension abuse techniques.