Cybercriminals have successfully distributed **17 malicious Chrome extensions**, along with others for Firefox and Edge, that have collectively garnered over 840,000 installs. These extensions, operating under deceptive names like “Google Translate in Right Click,” were part of the long-running GhostPoster campaign, active since at least 2020. Security researchers identified that these malicious browser add-ons managed to bypass initial security reviews in major browser stores, remaining undetected for up to five years and compromising user data.
The sheer volume of installations highlights the effectiveness of this sophisticated cyber threat and the challenges users face in discerning legitimate extensions from malicious ones. The GhostPoster campaign leveraged steganography to hide malicious code within seemingly innocuous PNG image files. This technique allowed the dangerous payloads to remain concealed in plain sight, evading detection by automated security scans during the extension submission process.
GhostPoster Campaign Exploits Trust and Bypasses Detection
The GhostPoster campaign demonstrates a calculated approach to exploiting user trust in official browser extension marketplaces. Once installed, the malicious extensions would initiate communication with attacker-controlled servers. From these servers, they would download additional malicious scripts and payloads, enabling a range of harmful activities. These actions included hijacking affiliate links for illicit financial gain, injecting scripts to track user browsing habits, and manipulating HTTP headers to disable built-in security features. Furthermore, the extensions were designed to steal sensitive user credentials and personal data.
The meticulous planning and execution of these tactics indicate that this was not an opportunistic attack but a well-orchestrated operation focused on sustained financial profit and access to victim devices. LayerX Security analysts were instrumental in uncovering the full scope of the GhostPoster campaign after Koi Security initially identified a single malicious Firefox extension. Their comprehensive investigation successfully traced the interconnected infrastructure linking all 17 discovered extensions, revealing a coordinated effort rather than isolated incidents.
Techniques Used by GhostPoster Extensions
The research further revealed the threat actor’s methodical expansion across different browser platforms. The campaign systematically moved from Microsoft Edge to Firefox and eventually to Chrome, adapting its techniques to meet the specific security requirements of each browser. A key element of the malware’s infection mechanism is its reliance on delayed execution, a deliberate strategy to evade security scanning during the initial review period.
Upon installation, the malicious extensions would remain dormant for extended periods, often 48 hours or more, before activating their malicious functions. This delay created a significant window for the malware to slip past automated security checks. In some more advanced variants, the extensions would wait up to five days before connecting to remote servers, further extending the period during which the malware operated undetected by security tools.
The malicious code itself was embedded within the extension’s background script, utilizing encrypted payloads that were only decoded at runtime. This approach made static analysis of the extension’s code extremely difficult, ensuring the threat remained hidden until it was fully active on the victim’s machine. This sophisticated obfuscation technique is crucial for maintaining the longevity and effectiveness of such malicious extensions in the wild.
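As an added defender-side example (not code from the article or from the LayerX or Koi research), the following Python triage script checks an unpacked extension's files for the three traits described above: data appended behind a PNG's IEND chunk (one common way to hide a payload in an image; the article does not say which encoding GhostPoster used, so this check is an assumption), timer delays of a day or more, and long high-entropy string literals that suggest a payload decoded only at runtime. All sample inputs are constructed inline.

```python
import base64, math, re, struct, zlib
from collections import Counter
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_bytes(data: bytes) -> int:
    """Bytes after IEND: 0 for a clean PNG, non-zero when data is smuggled behind the image."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                              # length + type + payload + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk")
def _product(expr: str) -> int:                          # "48 * 60 * 60 * 1000" -> 172800000
    return math.prod(int(tok) for tok in expr.split("*"))

DELAY_RULES = [  # (regex capturing a numeric product, factor converting it to hours)
    (re.compile(r"setTimeout\s*\([^;]*?,\s*([\d\s*]+)\)"), 1 / 3_600_000),   # milliseconds
    (re.compile(r"delayInMinutes\s*:\s*([\d\s*]+)"), 1 / 60)]                # chrome.alarms

def long_delays_hours(js: str, min_hours: float = 24.0) -> list[float]:
    """Timers of a day or more: the dormancy trait the article describes."""
    hours = [_product(m.group(1)) * scale for pat, scale in DELAY_RULES for m in pat.finditer(js)]
    return sorted(round(h, 2) for h in hours if h >= min_hours)

def shannon_entropy(s: str) -> float:
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

BLOB = re.compile(r"""(["'])([A-Za-z0-9+/=_-]{64,})\1""")   # long quote-delimited base64/hex-like runs
def high_entropy_literals(js: str, min_entropy: float = 5.0) -> list[str]:
    """String literals that look like opaque payloads to be decoded at runtime."""
    return [m.group(2) for m in BLOB.finditer(js) if shannon_entropy(m.group(2)) >= min_entropy]

# Constructed samples for demonstration; these are not GhostPoster's real artefacts.
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
HIDDEN_TRAILER = b"// constructed stand-in for a script appended behind the image"
STEGO_PNG = CLEAN_PNG + HIDDEN_TRAILER
_BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_JS = f"""
chrome.runtime.onInstalled.addListener(() => {{
  setTimeout(activate, 48 * 60 * 60 * 1000);                         // dormant for two days
  chrome.alarms.create("beacon", {{ delayInMinutes: 5 * 24 * 60 }});  // five days before beaconing
}});
const payload = "{_BLOB}";       // opaque blob decoded only at runtime
function tick() {{ setTimeout(tick, 500); }}                           // benign short timer
"""
```

Run against a real unpacked extension, feed each `.png` to `png_trailing_bytes` and each script to the two JS checks; any hit is a reason for manual review, not proof of malice on its own.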
The ongoing threat posed by malicious browser extensions underscores the need for continued vigilance from both users and browser vendors. While extensions like these are eventually removed from official stores, their prolonged presence and high download counts highlight vulnerabilities in current security review processes. Users are advised to exercise caution when installing new extensions, checking reviews, developer history, and required permissions carefully. Browser developers are expected to continue refining their security protocols to better detect and prevent similar threats in the future.