August 11, 2025

Campaign targets crypto users with malicious Firefox extensions

Security researchers at Koi Security have uncovered a large-scale, multi-faceted cybercrime campaign dubbed GreedyBear. The operation involves over 150 weaponized Firefox extensions, nearly 500 malicious Windows executables, and dozens of phishing websites. The campaign is responsible for an estimated $1 million in stolen cryptocurrency and appears to be expanding beyond Firefox to other browsers.

Attack Methods

  1. Malicious Firefox Extensions (150+):
    • Extensions impersonate popular cryptocurrency wallets (MetaMask, TronLink, Exodus, Rabby Wallet, etc.).
    • Operators use an Extension Hollowing technique: upload benign extensions, build trust through fake reviews, then replace code and branding with malicious functionality.
    • Injected code captures wallet credentials from extension popups and exfiltrates them to attacker-controlled servers.
  2. Malicious Executables (~500 Samples):
    • Distributed mainly through Russian-language pirated software websites.
    • Payloads include credential stealers (e.g., LummaStealer), ransomware variants, and generic trojans.
    • Infrastructure reused across extensions and executables, pointing to a centralized backend.
  3. Phishing and Scam Sites:
    • Fake product pages for hardware wallets, fraudulent wallet repair services, and other crypto-related offerings.
    • Aim to steal wallet credentials, personal information, and payment details.

Indicators of Compromise (IOCs)

  • IP Addresses: 185.208.156[.]66, 185.39.206[.]135
  • Domains: exodlinkbase[.]digital, filecoinwallet[.]net, metahoper[.]digital, suinetwork[.]world.
  • Firefox Extension IDs: Hundreds identified, including exodus-addon, rabby-wallet-extension, metamask_browser, okx-extension-wallet, phantom-wallet-addon.
  • Chrome Extension IDs: e.g., plbdecidfccdnfalpnbjdilfcmjichdk (Filecoin Wallet).

Potential Impact

  • Theft of cryptocurrency wallet credentials and funds.
  • Installation of secondary malware, including ransomware.
  • Fraud via stolen payment details or personal data.
  • Threat actor expansion into Chrome, Edge, and other browser ecosystems.

Mitigation Recommendations

  • For End-Users:
    • Only install extensions from verified publishers and confirm legitimacy via the official project website.
    • Regularly audit installed extensions and remove any that are unrecognized.
    • Keep browser and extensions updated.
    • Use endpoint protection tools capable of detecting malicious extensions and executables.
  • For Enterprises:
    • Restrict installation of unapproved browser extensions via policy.
    • Monitor for connections to known malicious domains and IP addresses listed above.
    • Educate employees on the risks of installing wallet-related extensions from unverified sources.
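Added example (not code from Koi Security or this post) covering two of the checks above in Python: flagging proxy/DNS log lines whose hosts match the listed IoCs, and auditing a Firefox profile's extensions.json for the listed extension IDs. The log lines and the extensions.json fragment are constructed, and treating the published slugs as literal add-on IDs is an assumption.

```python
import json
import re

# IoCs exactly as published in the advisory (defanged).
IOC_IPS = ["185.208.156[.]66", "185.39.206[.]135"]
IOC_DOMAINS = ["exodlinkbase[.]digital", "filecoinwallet[.]net", "metahoper[.]digital", "suinetwork[.]world"]
# Assumption: the slugs listed above are the literal add-on IDs in a profile's extensions.json.
IOC_EXTENSION_IDS = {"exodus-addon", "rabby-wallet-extension", "metamask_browser",
                     "okx-extension-wallet", "phantom-wallet-addon"}

def refang(indicator):
    """Turn the published defanged form ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

IOC_IP_SET = {refang(i) for i in IOC_IPS}
IOC_DOMAIN_SET = {refang(d) for d in IOC_DOMAINS}
# Dotted IPv4 addresses or dotted hostnames appearing anywhere in a log line.
HOST_RE = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

def find_ioc_hits(log_lines):
    """Return (line_no, host) for every host on the IoC list. IPs must match exactly;
    a subdomain of a listed domain (e.g. api.metahoper.digital) also counts."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in IOC_IP_SET or any(h == d or h.endswith("." + d) for d in IOC_DOMAIN_SET):
                hits.append((n, h))
    return hits

def find_suspicious_extensions(extensions_json):
    """Scan a Firefox profile's extensions.json (addons[].id) for the listed IDs.
    Only user-installed add-ons (location == 'app-profile') are inspected."""
    addons = json.loads(extensions_json).get("addons", [])
    return sorted(a["id"] for a in addons
                  if a.get("location") == "app-profile"
                  and a.get("id", "").lower() in IOC_EXTENSION_IDS)

# Constructed sample data: three proxy/DNS log lines and a minimal extensions.json.
SAMPLE_LOGS = [
    "2025-08-11T10:02:13Z proxy client=10.0.0.21 dst=api.metahoper.digital:443 action=allow",
    "2025-08-11T10:02:15Z dns client=10.0.0.21 query=addons.mozilla.org type=A",
    "2025-08-11T10:03:40Z proxy client=10.0.0.33 dst=185.208.156.66:80 action=allow",
]
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "notes@example.org", "type": "extension", "location": "app-profile"},
    {"id": "rabby-wallet-extension", "type": "extension", "location": "app-profile"},
    {"id": "default-theme@mozilla.org", "type": "theme", "location": "app-builtin"},
]})
```

On a real host, point `find_ioc_hits` at exported proxy or DNS resolver logs and `find_suspicious_extensions` at each profile's extensions.json; a lookalike such as metahoper.digital.example.com is deliberately not matched.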

Conclusion

The GreedyBear campaign demonstrates how cybercriminal groups are adopting multi-pronged strategies and leveraging AI to scale their operations, diversify their toolsets, and evade detection. Given signs of expansion to other platforms, proactive detection and prevention measures are critical.
