Security News

Cybersecurity news aggregator

HIGH Attacks Reddit r/netsec

Detailed analysis of a sophisticated Firefox extension malware found in the wild using browser-xpi-malware-scanner.py

A sophisticated Firefox extension malware employs multiple evasion techniques including steganographic payloads hidden in PNG icons, a 72-hour delayed C2 beacon, and content script privilege escalation to hijack affiliate commissions and redirect traffic. The article introduces a Python scanner tool to aid in detecting such threats within .xpi files. No specific CVSS score, affected software versions, patches, or workarounds are provided in the source material.

I've written a scanner for browser extensions which makes it quick and easy to find malware or other suspicious code within .xpi files (browser extensions). It can quickly tell you where to continue doing your analysis and if an extension is alright or not.

browser-xpi-malware-scanner.py - Python script for XPI malware scanning on github.com

Deep dive of malware found on the Firefox extension store - multiple evasion techniques used including steganography, sleep before C2 beacon and content script privilege escalation.

Techniques used:
- Steganographic Payload in PNG Icon
- Unicode Low-Byte Encoding Trick
- Decoded Payload: The C2 String Table
- 72-Hour Sleeper with Random Sampling
- C2 Beacon via Another PNG File
- Dynamic `declarativeNetRequest` Rule Injection
- Affiliate Commission Hijacking
- Content Script Privilege Escalation Bridge
- Arbitrary URL Redirect on Any Domain
- CSP Erasure

Full deep dive analysis with code examples in link above. The extension discussed is live as of today.

submitted by /u/TitleUpbeat3201
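As an added example (this is not the author's browser-xpi-malware-scanner.py and not code from the post), the Python script below triages an .xpi archive for three of the indicator classes in the list above: PNG icons carrying bytes after the IEND chunk (where a steganographic payload or a second-stage C2 blob could sit), a manifest combining declarativeNetRequest with broad host permissions (what makes dynamic redirect rules on any domain possible), and scripts that call updateDynamicRules, touch the Content-Security-Policy header, or schedule a setTimeout of a day or more. The sample archive it builds in memory is constructed for the demo; the one-day timer threshold, the regexes, and the choice to walk PNG chunks rather than search for the string "IEND" are assumptions of this example, not facts about the analysed extension.

```python
"""Heuristic .xpi triage for the indicators described in the post (added example)."""
import io
import json
import re
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ONE_DAY_MS = 24 * 60 * 60 * 1000  # assumed threshold for a "sleeper" timer

# Assumed indicator patterns: dynamic DNR rule injection and CSP header tampering.
JS_INDICATORS = {
    "dynamic_dnr_rules": re.compile(r"declarativeNetRequest\.updateDynamicRules"),
    "csp_header_tamper": re.compile(r"content-security-policy", re.IGNORECASE),
}
# setTimeout(cb, <delay>) where the delay is written as a literal product (assumption).
TIMER_RX = re.compile(r"setTimeout\s*\([^,]+,\s*([\d\s*]+)\)")


def png_trailing_bytes(data: bytes) -> int:
    """Bytes after IEND: 0 for a clean PNG, >0 if data was appended, -1 if not a PNG.
    Walks the chunk list instead of searching for b'IEND', so an IDAT that
    happens to contain those four bytes cannot hide an appended payload."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + data + CRC
        if ctype == b"IEND":
            return len(data) - pos
    return -1  # truncated or malformed: never reached IEND


def timer_delays_ms(js: str) -> list[int]:
    """Evaluate literal setTimeout delays such as 72 * 60 * 60 * 1000 to milliseconds."""
    delays = []
    for m in TIMER_RX.finditer(js):
        ms = 1
        for factor in m.group(1).replace(" ", "").split("*"):
            if factor:
                ms *= int(factor)
        delays.append(ms)
    return delays


def manifest_indicators(manifest: dict) -> list[str]:
    """Permission combinations that make request rewriting on arbitrary sites possible."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    found = []
    if perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
        found.append("perm_declarativeNetRequest")
    if "<all_urls>" in perms or any(p.startswith(("*://*/", "http://*/", "https://*/")) for p in perms):
        found.append("host_all_urls")
    return found


def scan_xpi(xpi_bytes: bytes) -> list[tuple[str, str]]:
    """Return (archive member, indicator) pairs for one .xpi (a zip archive)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for name in zf.namelist():
            data, lower = zf.read(name), name.lower()
            if lower.endswith(".png"):
                extra = png_trailing_bytes(data)
                if extra:  # -1 (not really a PNG) or >0 (appended data)
                    findings.append((name, "png_unparseable" if extra < 0 else f"png_trailing_bytes={extra}"))
            elif lower == "manifest.json":
                findings += [(name, ind) for ind in manifest_indicators(json.loads(data))]
            elif lower.endswith(".js"):
                js = data.decode("utf-8", errors="replace")
                findings += [(name, label) for label, rx in JS_INDICATORS.items() if rx.search(js)]
                for ms in timer_delays_ms(js):
                    if ms >= ONE_DAY_MS:
                        findings.append((name, f"sleeper_timer_hours={ms // 3_600_000}"))
    return findings


def _png(trailing: bytes = b"") -> bytes:
    """Minimal valid 1x1 RGBA PNG, optionally with bytes appended after IEND."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailing


def build_sample_xpi() -> bytes:
    """Constructed in-memory .xpi that mimics the described behaviours (not the real extension)."""
    manifest = {"manifest_version": 3, "name": "sample", "version": "1.0",
                "permissions": ["declarativeNetRequest", "storage"], "host_permissions": ["<all_urls>"]}
    background = ("setTimeout(beacon, 72 * 60 * 60 * 1000);\n"
                  "browser.declarativeNetRequest.updateDynamicRules({addRules: rules});\n"
                  "headers.filter(h => h.name.toLowerCase() !== 'content-security-policy');\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", background)
        zf.writestr("icons/icon48.png", _png())               # clean icon
        zf.writestr("icons/icon96.png", _png(b"C2-STRINGS"))  # icon with appended data
    return buf.getvalue()


if __name__ == "__main__":
    for member, indicator in scan_xpi(build_sample_xpi()):
        print(f"{member}: {indicator}")
```

Run it as-is to see the six findings from the constructed archive, or call scan_xpi() on the bytes of a real .xpi. A hit on a PNG only says that bytes follow IEND; what they decode to (the post describes a low-byte Unicode encoding of a C2 string table) still needs manual analysis, which is the "where to continue" role a triage tool plays.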
