2:20:05 No, not ghost peppers. Ghost posting. Ghost posting. Okay, so our final podcast of 2025 was titled Ghost Poster. For the short summary at the top of the show notes, I summed it up by writing how a PNG icon was used to infect 50,000 Firefox users. Oh, man. The discoverer of 17 different malicious Firefox add-ons was Koi Security, K-O-I. They discovered that PNG icon files were being used to contain and infiltrate obscured JavaScript into user PCs through Firefox extensions.
2:20:55 Some of the extensions were free VPNs and others were junk extensions that, you know, someone who just wanted to collect free browser add-ons might add to their browsers. Nevertheless, more than 50,000 Firefox users had this malicious code running inside their browsers. So one of our takeaways was to avoid collecting crap from obscure sources that you don't really need. And by the way, the phrase "free VPN" is an oxymoron. Yes, you know there's something wrong. There's something wrong with a free VPN, folks, because, you know, it goes along with the free lunch. Okay, so that was episode 1057. Why are we back here four weeks later for episode 1061?
2:21:48 It's because following Koi Security's discovery, a different firm, LayerX, has reported their discovery of an additional 17 of the same. But this time they're not just attacking Firefox. Users of Edge and Chrome turn out to have been even earlier targets. And get this, with more than 840,000 downloads and installations. So 840,000 downloads and installations. Unfortunately, these attacks are incredibly effective and lucrative, and we know what that means, right? They're going to continue. LayerX's disclosure headline was "Browser Extensions Gone Rogue: The Full Scope
2:22:41 of the GhostPoster Campaign." So here's what we now learn from LayerX's follow-on research. They wrote: "Last month, researchers from Koi Security published a detailed analysis of a malicious Firefox extension," actually an extension family, "they dubbed GhostPoster, a browser-based malware leveraging an uncommon and stealthy payload delivery method: steganography within a PNG icon file. This innovative approach allowed the malware to evade traditional extension security reviews and static analysis tools." Right? Because nobody expected an icon to contain any malicious code, nor did they expect it to be intelligible. It's a compressed image, so it's just going to be noise.
2:23:38 Not so much. They said, "Following their publication," meaning Koi's publication, "our investigation identified 17 additional extensions associated with the same infrastructure and tactics, techniques, and procedures," so-called TTPs, tactics, techniques, and procedures. "Collectively, these extensions were downloaded over 840,000 times, with some remaining active in the wild for up to five years. The GhostPoster malware employs a multi-stage infection chain designed for stealth and persistence. Payload encoding: the initial loader is embedded within the binary data of an extension's PNG file.
2:24:30 Runtime extraction: upon installation, the extension parses the icon to extract the hidden data, a behavior that deviates from typical extension logic. Delayed activation: the malware delays execution by 48 hours or more and only initiates command and control server communication under specific conditions." And finally, "Payload retrieval: the extracted loader contacts a remote command and control server to download additional JavaScript-based payloads.
2:25:06 After activation, the malware is capable of stripping and injecting HTTP headers to weaken web security policies, for example HSTS and CSP; hijacking affiliate traffic monetization; injecting iframes and scripts for click fraud and user tracking; programmatic CAPTCHA solving; and injection of additional malicious scripts for extended control. These features indicate that the campaign is not only financially motivated, but also technically mature, emphasizing operational stealth and longevity." Right? I mean, these things were there
2:25:55 in the extension stores for Edge, Firefox, and Chrome for five years in some cases. "The infrastructure," they wrote, "uncovered by Koi Security, was linked to 17 Firefox extensions, all sharing similar obfuscation patterns, command and control behavior, and delayed execution strategies. Our automated extension malware lab confirmed that the same threat actor infrastructure was also able to distribute extensions on the Google Chrome and Microsoft Edge add-on stores. Our analysis shows the campaign originated on the Microsoft Edge browser with later expansion into Chrome and Firefox."
2:26:46 So I have in the show notes a timeline for anyone who's interested. It provides a chart which shows that the first known extension infected Edge browser users back in February of 2020. And none of this was known until just last month. So it's been there since 2020. About six weeks later, at the end of March of 2020, Firefox was first hit. It was hit again at the beginning of May. Then a run of eight more malicious Edge extensions were released over the course of two years, from the end of August 2020 through the end of September 2022. A month later, at the start of October 2022, the first Chrome extension was created. Then things were quiet for nearly two years, because these extensions existed and they were just sitting there doing their business.
2:27:43 Two years later, another Edge extension appeared in August of 2024. But after that, it was all Firefox, from the end of October 2024 to today. So it's interesting that throughout all this time, only two known malicious extensions were seen to affect Chrome. It would be interesting to know why, since Chrome is clearly the largest potential source of user installations. But in any event, 840,000 is a lot of malware out there.
2:28:23 The LayerX people expanded upon Koi's earlier findings, and they reported 17 additional confirmed extensions with infrastructure overlap and common loader patterns, meaning certainly from the same people; more than an additional 840,000, so that's on top of the 50,000 that Koi found, bringing us to, what, 890, almost 900,000 cumulative installs across Firefox, Chrome, and Edge. Malicious presence dating back to 2020, indicating long-term operational success, bypassing all major browser stores' security checks. So these bad guys,
2:29:09 now six years ago, found a way to slip malware past all the stores' security checks by encoding it in the back end of a PNG icon. And they said, "malware variants using alternative delivery mechanisms," which suggests that there is still ongoing experimentation and adaptation. Now, "Beyond the previously identified extensions, we observe a more sophisticated and evasive variant associated with the campaign, which by itself accounted for 3,822 installs." I have a picture of it in the show notes only because
2:30:00 anybody would install this. It shows Firefox browser add-ons. It's got a nice-looking icon. It's called Instagram Downloader, and it's by Instagram Download, available on Firefox for Android. It's got 28 reviews at a 4.4, which seems reasonable, and currently 3,822 users. And there's a nice button, "Download Firefox and get the extension." Who wouldn't do this? I mean, this is the problem. This looks like a legitimate, useful thing.
2:30:43 So in this iteration, which the LayerX people found, "the malicious logic is embedded within the background script and leverages an image file bundled inside the extension as a covert payload container. At runtime, the background script fetches the image and scans its raw byte sequence for the delimiter," which in decimal is 62, 62, 62, 62, corresponding to the ASCII string of four less-than symbols.
2:31:20 "All data following that marker is decoded as text and stored persistently in chrome.storage.local under the key instlogo," I-N-S-T-L-O-G-O. "The stored data is later retrieved, Base64-decoded, and dynamically executed as an additional JavaScript payload. This secondary script introduces further evasion by deliberately sleeping for approximately five days before initiating any network activity." This, of course, is to thwart security analysis. Security researchers will load up a browser with stuff, set it running, and watch to see what it does.
2:32:07 They generally won't wait for five days. Users do. Five days afterwards, "upon activation, it fetches content from a remote server, extracts server-supplied data stored as Base64-encoded keys, and executes the decoded content, enabling ongoing payload updates and extended control. The staged execution flow demonstrates clear evolution toward longer dormancy, modularity, and resilience against both static and behavioral detection mechanisms." They said, "While Mozilla and Microsoft have removed the known malicious extensions from their respective stores, extensions already installed on systems remain active unless explicitly removed by the user.
2:32:58 This persistence underscores the limitations of store takedowns as a containment strategy, particularly for malware employing delayed activation and modular payload delivery." Okay, now, they listed a bunch of their 17. Something called Page Screenshot Clipper only had 86 downloads. The Full Page Screenshot had 2,000 downloads. The Convert Everything, whatever that is, had 17,171. But the Translate Selected Text with Google
2:33:40 had just shy of 160,000 downloads. And among them, the all-time biggest, the number one, was Translate Selected Text with Right Click, which had 522,000 downloads. So this translation hook seems to be offering something that people want. Unfortunately, these things were malicious. They're not going to say something you don't want. No, no. They're going to say something you want. Right. Right. And what this is teaching them is that by offering these bogus translation apps, they're able to get a lot of downloads. So that's clearly a hook that
2:34:33 interests people. They've figured out what it is people are gonna download for free. It can't be too valuable, or you wouldn't think it was free. So it's gotta be something kind of simple and cool. Well, like that Instagram downloader, right? While we all might determine that something seems fishy about an offer of a free VPN, that screenshot that we showed of the Instagram downloader looks entirely legitimate, and I can imagine downloading it without ever being the wiser. So this is really because it's easy for bad guys to write this stuff now. I mean, the vibe coding that makes it easy for us to write what we want, yep, yep, makes it easy for them too. Really true.
2:35:19 One thing that puzzles me is LayerX's suggestion that the removal of extensions from the web store leaves any already downloaded and installed extensions in place and dangerous. We know that all the browser vendors have the ability to remotely disable any browser extensions that are found to be malicious. I suppose it might be the case that a malicious extension that its malicious publisher withdraws from the store might slip under the radar, since it's no longer being offered. If it's removed from the store, maybe it just doesn't raise a beacon.
2:35:59 And it might also be that the post-installation mechanisms which these extensions use, by moving their later-downloaded code into the browser's permanent store, afford them some post-removal protection. I don't know. But the convincing appearance of that Instagram download extension, as I said, seems unnerving to me. It's important to note that Koi was aware of around 50,000 downloads and installs because, for whatever reason, they apparently were not looking back far enough. The instrumentation that the LayerX people had gave them five years of history, and they found 840, or rather they found 17 more extensions whose downloads totaled more than 840,000. So I think one of the important takeaways here is that we must always remember that we can never know what we don't know. There's no point
2:36:57 in getting, you know, overly worked up over things that we cannot control, nor excessively worrying over what we don't know. I would just say, don't be skeptical, don't install extensions just because, you know, you've got room on your toolbar for more of them. You know what is a useful tool. Keep the things you need, and that seem like they come from real, legitimate enterprises. I mean, obviously I've got BitLocker, what am I trying to say? BitLocker? No, not BitLocker. Bitwarden, thank you. I'm just drawing a blank. I'm sitting here looking at it. I've got Bitwarden sitting on my toolbar, and a few other things that I trust that I've been using for years, you know, the vertical tabs extension for Firefox and a few other things, but I just
2:37:59 avoid more. And that would be the advice, everybody. Rule of thumb for all software: yes, install as little software as possible. It's not just browser extensions. It's, you know, it's like the browser download helper. Who needs help downloading a file? That used to be a very common category. I don't know, some people's heads probably... The boomers amongst us. But yeah, this was always... I started saying this on a regular basis on the Tech Guy show. It's like, really, the real rule is install as little as possible.