
GhostPoster Malware Infects 840,000 Browser Extensions

Summary

– A new set of 17 malicious browser extensions linked to the GhostPoster campaign has been found, amassing 840,000 total installations across Chrome, Firefox, and Edge stores.
– These extensions hide malicious code that tracks browsing, hijacks affiliate links, and injects iframes for ad fraud.
– The campaign is ongoing and sophisticated, with one variant now using a bundled image file to conceal its payload for greater stealth.
– Some of these extensions have been present in add-on stores since 2020, indicating a long-running, successful operation.
– While the extensions have been removed from the Firefox and Edge stores, users who previously installed them may still be at risk.

A significant cybersecurity threat has been identified: a malware campaign known as GhostPoster, whose malicious browser extensions account for over 840,000 installations across major platforms. Security researchers have uncovered a new set of 17 malicious add-ons in the Chrome, Firefox, and Edge stores, designed to steal data and commit fraud. This campaign highlights the persistent danger of seemingly legitimate browser extensions being used as vehicles for sophisticated attacks.

The GhostPoster operation was first exposed by Koi Security in December. The malicious extensions were found to conceal harmful JavaScript code within their logo image files. This code acts as a backdoor, monitoring user activity and fetching a heavily obfuscated payload from an external server. Once activated, this payload tracks browsing behavior, hijacks affiliate links on popular e-commerce sites, and injects invisible iframes to carry out ad fraud and click fraud.

A recent investigation by the browser security firm LayerX confirms the campaign remains active. The list of identified extensions, along with their installation counts, includes several with very high user numbers. For instance, ‘Google Translate in Right Click’ had over 522,000 installs, while ‘Translate Selected Text with Google’ accumulated nearly 160,000. Other compromised tools range from ad blockers and downloaders to screenshot utilities and price trackers.

Analysts note the campaign appears to have started on the Microsoft Edge platform before spreading to Firefox and Chrome. Some of these malicious extensions have been available in official add-on stores since 2020, indicating a long-running and successful infiltration. While the core evasion techniques match earlier findings, LayerX discovered a more advanced variant within the ‘Instagram Downloader’ extension.

This newer version shows a clear evolution in tactics. Instead of relying on the icon alone, the malicious staging logic is embedded directly into the extension’s background script. It uses a bundled image file as a covert container for the payload. During runtime, the script scans the image’s raw data for a specific delimiter, extracts hidden information, stores it locally, and eventually decodes and executes it as JavaScript.
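The covert-container technique described above has a simple static signature a defender can check for: a well-formed image file ends at a known marker, so any bytes after that marker are not image data. The following is an added example, not LayerX's tooling and not the GhostPoster code; the real campaign's delimiter and encoding are not given on the page, so this scanner only flags trailing bytes after a PNG's IEND chunk and summarises what they look like. The sample images and the delimiter string are constructed for the example.

```python
"""Flag PNG assets in an unpacked extension that carry data after IEND.

Added example (not from the page's source or LayerX). The delimiter below is
a placeholder; the real campaign's marker is not on the page.
"""
import base64
import math
import struct
import zlib
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_image_end(data: bytes):
    """Walk the PNG chunk list and return the offset just past the IEND chunk.

    Returns None for anything that is not a well-formed PNG (bad signature,
    truncated chunk, no IEND) so callers can tell "not a PNG" apart from
    "a PNG with nothing appended".
    """
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        chunk_type = data[pos + 4:pos + 8]
        pos += 8 + length + 4          # length/type header + data + CRC
        if pos > len(data):
            return None                # chunk claims more bytes than exist
        if chunk_type == b"IEND":
            return pos
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits low, base64 around 6, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_png(data: bytes) -> dict:
    """Report whether a PNG carries trailing bytes and what they look like."""
    end = png_image_end(data)
    if end is None:
        return {"valid_png": False, "trailing_bytes": 0,
                "printable_ratio": 0.0, "entropy": 0.0, "suspicious": False}
    trailing = data[end:]
    printable = sum(32 <= b < 127 for b in trailing)
    return {
        "valid_png": True,
        "trailing_bytes": len(trailing),
        "printable_ratio": (printable / len(trailing)) if trailing else 0.0,
        "entropy": round(shannon_entropy(trailing), 2),
        # A few stray bytes can be an image-editor artifact; anything larger,
        # especially printable (encoded) or high-entropy data, needs triage.
        "suspicious": len(trailing) > 16,
    }


def scan_extension_dir(root: Path) -> list:
    """Run inspect_png over every .png under an unpacked extension directory."""
    findings = []
    for path in sorted(root.rglob("*.png")):
        report = inspect_png(path.read_bytes())
        if report["suspicious"]:
            findings.append((str(path), report))
    return findings


def make_minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input (not a real asset)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x80")                      # filter byte + pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


CLEAN_PNG = make_minimal_png()
# Constructed sample: the same image with a placeholder delimiter and an
# encoded blob appended, mimicking the "image as container" pattern.
STASHED_PNG = CLEAN_PNG + b"<<PLACEHOLDER-DELIM>>" + base64.b64encode(b"console.log('hidden')" * 3)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_PNG), ("stashed", STASHED_PNG)):
        print(name, inspect_png(img))
```

Run `scan_extension_dir(Path("/path/to/unpacked-extension"))` against an extension unzipped from its `.crx`/`.xpi` to list images worth a closer look; a reviewer can then read the background script for code that opens the same file and searches it for a marker.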

Researchers state this staged approach demonstrates a move toward longer dormancy periods and greater modularity. It is specifically crafted to resist both static analysis and behavioral detection systems, making the malware more resilient and harder to identify. According to LayerX, the newly identified extensions have been removed from the Mozilla and Microsoft add-on stores. However, users who previously installed them may still be at risk if the extensions remain active in their browsers.

Inquiries regarding the extensions’ presence in the Chrome Web Store confirmed that Google has also taken action, with a spokesperson verifying the removal of all identified add-ons. This incident serves as a critical reminder for users to regularly audit their installed browser extensions, removing any that are unnecessary or from unfamiliar developers.

(Source: Bleeping Computer)
