A sophisticated new malware campaign dubbed “GhostPoster” has been uncovered, leveraging a clever steganography technique to compromise approximately 50,000 Firefox users.
The attack vector primarily involves seemingly innocent browser extensions, such as “Free VPN Forever,” which conceal malicious payloads within their own interface icons.
Unlike traditional malware that relies on external downloads or obvious script injections, GhostPoster embeds its initial execution logic directly in the raw bytes of a PNG file, thereby bypassing standard security scanners and marketplace reviews that typically treat image files as benign assets.
The infection process begins when the compromised extension loads its logo.png file during regular operation.
Instead of simply displaying the image, the extension’s code reads the file’s binary data and scans it for a hidden marker, the byte sequence 0x3D 0x3D 0x3D (the ASCII string "===").
Once triggered, this mechanism extracts concealed JavaScript code that initiates a multi-stage infection chain.
This stealthy approach allows the malware to persist on the victim’s browser, enabling operators to execute remote commands, strip security headers, and hijack user traffic for affiliate fraud without raising alarms.
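The marker search described above can be turned around into a check for suspicious extension assets. The following is an added example, not code from the GhostPoster extensions or from Koi’s report: it walks a PNG’s chunk list, reports any bytes that follow the IEND chunk (a well-formed PNG has none), and looks there for the 0x3D 0x3D 0x3D marker. That the hidden data sits after IEND is an assumption; the sample image and the "payload" string inside it are constructed for the demonstration.

```javascript
// Added example: scan a PNG for trailing data and the "===" marker.
// Not GhostPoster's code; the post-IEND placement is an assumption.

const PNG_SIGNATURE = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const MARKER = Uint8Array.from([0x3d, 0x3d, 0x3d]); // "==="

function readU32BE(bytes, off) {
  return ((bytes[off] << 24) >>> 0) + (bytes[off + 1] << 16) + (bytes[off + 2] << 8) + bytes[off + 3];
}

// Parse chunk headers only (length + type); CRCs are not verified here.
// Returns the chunk types seen and whatever bytes follow IEND.
function walkPng(bytes) {
  for (let i = 0; i < PNG_SIGNATURE.length; i++) {
    if (bytes[i] !== PNG_SIGNATURE[i]) throw new Error("not a PNG");
  }
  const chunks = [];
  let off = PNG_SIGNATURE.length;
  while (off + 12 <= bytes.length) {
    const len = readU32BE(bytes, off);
    const type = String.fromCharCode(...bytes.subarray(off + 4, off + 8));
    chunks.push(type);
    off += 12 + len; // 4 length + 4 type + data + 4 CRC
    if (type === "IEND") break;
  }
  return { chunks, trailing: bytes.subarray(Math.min(off, bytes.length)) };
}

function indexOfBytes(haystack, needle, from = 0) {
  outer: for (let i = from; i + needle.length <= haystack.length; i++) {
    for (let j = 0; j < needle.length; j++) {
      if (haystack[i + j] !== needle[j]) continue outer;
    }
    return i;
  }
  return -1;
}

// Returns the text after the marker in the post-IEND region, or null when the
// image is clean (no trailing data, or trailing data without the marker).
function extractHiddenPayload(bytes) {
  const { trailing } = walkPng(bytes);
  const at = indexOfBytes(trailing, MARKER);
  if (at < 0) return null;
  return new TextDecoder().decode(trailing.subarray(at + MARKER.length));
}

// Build a minimal PNG for the demo (IHDR + IEND; CRC fields left zero).
function chunk(type, data) {
  const out = new Uint8Array(12 + data.length);
  new DataView(out.buffer).setUint32(0, data.length); // big-endian length
  for (let i = 0; i < 4; i++) out[4 + i] = type.charCodeAt(i);
  out.set(data, 8);
  return out;
}

function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// Constructed samples: a clean logo and one with a marker plus text appended.
const CLEAN_LOGO = concat(PNG_SIGNATURE, chunk("IHDR", new Uint8Array(13)), chunk("IEND", new Uint8Array(0)));
const HIDDEN_JS = "console.log('stage 2 would run here');"; // constructed stand-in, not the real loader
const TAMPERED_LOGO = concat(CLEAN_LOGO, MARKER, new TextEncoder().encode(HIDDEN_JS));

console.log(extractHiddenPayload(CLEAN_LOGO));    // null
console.log(extractHiddenPayload(TAMPERED_LOGO)); // the appended text
```

Run over an extension’s unpacked `.xpi`, any image whose `trailing` region is non-empty deserves a look regardless of whether the marker is present, since legitimate build pipelines do not leave data after IEND.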
Koi analysts noted that the campaign spans at least 17 extensions, all communicating with the same command-and-control infrastructure, including liveupdt.com.
These researchers found that the malware not only compromised user privacy by injecting tracking scripts but also disabled critical browser protections, such as Content-Security-Policy headers.
By removing these safeguards, the attackers exposed users to additional risks, including cross-site scripting and clickjacking, while silently generating illicit revenue through forced redirects to e-commerce sites.
The extensions often remained dormant for days, utilizing time-based triggers to avoid immediate detection during the initial installation phase.
The Decryption Mechanism
The most technically intriguing aspect of GhostPoster is its custom decoding routine that unpacks the payload retrieved from its command-and-control servers.
After the initial loader retrieves the encrypted data, it applies a unique three-step transformation algorithm to reconstruct the JavaScript executable.
The process involves swapping all lowercase letters to uppercase and vice versa, exchanging the numbers ‘8’ and ‘9’, and finally performing a Base64 decode.
This obfuscation is computationally trivial yet effective at evading static signature detection, since the transformed blob matches neither plain Base64 nor any known script pattern. Following this decoding step, the resulting bytes are XORed with a key derived from the extension’s unique runtime ID.
Because that final layer is keyed to the individual installation and the result is never written out, the decrypted code exists only in the browser’s memory, leaving no file on disk for forensic tools to analyze.
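To make the decoding chain concrete, here is an added example that reconstructs it from the description above; it is not GhostPoster’s code. The three steps (case swap, 8 and 9 swap, Base64 decode) follow the text. How the XOR key is derived from the runtime ID is not given, so a repeating-key XOR over the UTF-8 bytes of `browser.runtime.id` is an assumption, as are the sample ID and sample payload. The matching encoder is included so the round trip can be checked.

```javascript
// Added example reconstructing the described decoder; not the malware's own code.
// Assumed: XOR key = UTF-8 bytes of the runtime ID, cycled over the payload.

function swapCase(s) {
  let out = "";
  for (const ch of s) {
    const lower = ch.toLowerCase();
    out += ch === lower ? ch.toUpperCase() : lower; // non-letters pass through
  }
  return out;
}

function swapDigits89(s) {
  return s.replace(/[89]/g, (d) => (d === "8" ? "9" : "8"));
}

// Base64 helpers that work in Node (Buffer) and in the browser (atob/btoa).
function b64ToBytes(s) {
  if (typeof Buffer !== "undefined") return Uint8Array.from(Buffer.from(s, "base64"));
  return Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
}
function bytesToB64(bytes) {
  if (typeof Buffer !== "undefined") return Buffer.from(bytes).toString("base64");
  return btoa(String.fromCharCode(...bytes));
}

// Assumed key schedule: XOR each byte with the runtime ID's bytes, cycling.
function xorWithKey(bytes, keyString) {
  const key = new TextEncoder().encode(keyString);
  if (key.length === 0) throw new Error("empty key");
  return bytes.map((b, i) => b ^ key[i % key.length]);
}

// Loader side: undo the layers in the order the article gives.
function decodePayload(blob, runtimeId) {
  const step1 = swapCase(blob);       // lower <-> upper
  const step2 = swapDigits89(step1);  // 8 <-> 9
  const step3 = b64ToBytes(step2);    // Base64 decode
  return new TextDecoder().decode(xorWithKey(step3, runtimeId)); // XOR layer
}

// C2 side: what a server must emit for the loader above to recover the script.
function encodePayload(js, runtimeId) {
  const xored = xorWithKey(new TextEncoder().encode(js), runtimeId);
  return swapCase(swapDigits89(bytesToB64(xored)));
}

// Constructed sample values (not real indicators from the campaign).
const RUNTIME_ID = "ghost@example.invalid";
const STAGE2 = "document.querySelectorAll('meta[http-equiv=\"Content-Security-Policy\"]').forEach(m => m.remove());";

const wire = encodePayload(STAGE2, RUNTIME_ID);
console.log(wire);                              // looks like Base64 but is not decodable as-is
console.log(decodePayload(wire, RUNTIME_ID));   // the original script
```

Both the case swap and the digit swap are permutations of the Base64 alphabet, so the transform is trivially reversible; what it buys the operator is that the blob on the wire fails a plain Base64 decode and so defeats detections that decode and inspect Base64 strings. A proxy or sandbox rule can apply the same two substitutions before decoding to see through it.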
The malware intentionally introduces random delays and only fetches the payload occasionally, making dynamic analysis challenging for security teams attempting to replicate the infection in a controlled environment.
