GhostPoster Malware Campaign: 17 Malicious Browser Extensions Compromise Over 840,000 Users
A sophisticated cyberattack campaign, dubbed GhostPoster, has been uncovered, involving 17 malicious browser extensions across Chrome, Firefox, and Edge platforms. These extensions have been downloaded over 840,000 times, compromising user security for years.
Deceptive Extensions and Stealthy Operations
The GhostPoster campaign, active since at least 2020, utilized deceptive extension names such as Google Translate in Right Click, Youtube Download, and Ads Block Ultimate to appear legitimate. These extensions successfully bypassed security reviews from major browser stores, remaining active for up to five years before detection. This highlights the challenge users face in distinguishing trustworthy extensions from malicious ones.
Exploiting User Trust and Advanced Techniques
The attack exploits a fundamental weakness in browser security: users’ trust in extensions available in official stores. The malicious extensions employed steganography, hiding malicious code within PNG image files, a technique that conceals data in plain sight. Once installed, the extensions extract the hidden payload and establish communication with attacker-controlled servers to download additional malicious scripts.
Malicious Activities and Data Theft
The malware performs several harmful actions, including:
– Hijacking affiliate links for financial gain.
– Injecting scripts to track user behavior.
– Manipulating HTTP headers to disable security protections.
– Stealing credentials and personal data.
The sophistication of these tactics indicates a well-planned operation targeting financial gain and sustained access to user devices.
Discovery and Investigation
LayerX Security analysts identified the full scope of the campaign after Koi Security initially discovered one malicious Firefox extension. Their investigation uncovered the interconnected infrastructure linking all 17 extensions, revealing a coordinated effort rather than isolated incidents.
Techniques Used and Evasion Strategies
The research exposed how the threat actor systematically expanded from Microsoft Edge to Firefox and then to Chrome, adapting their techniques to fit each platform’s security requirements. The malware’s sophisticated infection mechanism relies on delayed execution to evade detection.
When installed, the extension waits 48 hours or longer before activating, allowing it to slip past security scanning during initial review. More advanced variants wait up to five days before connecting to remote servers, creating a window in which the malware operates after review-time scanning has already concluded and detection tools remain inactive.
The malicious code remains embedded inside the extension’s background script and uses encrypted payloads that are decoded only at runtime, making static analysis nearly impossible and ensuring the threat remains hidden until fully activated on victim machines.
Implications and User Guidance
The GhostPoster campaign underscores the importance of vigilance when installing browser extensions. Users are advised to:
– Regularly review and audit installed extensions.
– Install extensions only from reputable developers.
– Stay informed about emerging security threats.
By adopting these practices, users can better protect themselves against similar sophisticated cyber threats.