We Detected 17 Malicious VPN Extensions Affecting 840,000 Users
TL;DR
Researchers found 17 malicious extensions for Firefox, Chrome, and Edge that together reached more than 840,000 users. The campaign, dubbed GhostPoster, hides its malicious code inside the extensions' own image files. The weakness it exploits is the extension review process, which inspects JavaScript but not the assets shipped alongside it.
Last month, Koi Security published a report on a Firefox extension named Free VPN Forever. Its point was simple: every extension ships a logo so users can recognise it, yet hardly anyone ever looks at what is inside that file.
How GhostPoster Hides Malware in Extensions
The criminals used steganography, the practice of hiding information inside seemingly innocuous files. They appended malicious JavaScript after the end of the PNG image data, so the icon still renders normally while the file doubles as the attackers' entry point.
After the initial exposure by Koi Security, LayerX investigated and found that the problem was broader. By tracing the infrastructure of the extensions, they identified 17 additional extensions that used the same servers and tactics.
Collectively, these extensions were installed over 840,000 times. Some had sat on devices for nearly five years without raising an alarm, which says a lot about the limits of current store review and endpoint detection.
Free VPNs Are Prime Targets for Malware Infections
The campaign did not begin on Firefox: the earliest activity was traced to Microsoft Edge, and it expanded to Chrome and Firefox over time. The gradual expansion points to a long-running operation that prioritised persistence over a quick payday.
Although GhostPoster uses no revolutionary technique, it stacks several layers of evasion that together make it hard to spot. The malicious code sat behind a "===" marker in the PNG file of the logo. Static analysis tools that examine JavaScript typically never parse image assets, so the appended script is invisible to them.
The appended code was not the final malware but a loader: a small program whose only job is to fetch the real payload from servers controlled by the attackers. With this structure the payload never exists as a static file inside the extension package, which defeats traditional file-based analysis of the package.
Malware Exhibits Deceptive Behavior
The malware was also built to behave erratically. It waits 48 hours between connection attempts, fetches the real payload only 10% of the time, and does nothing for the first 6 days after installation. That jitter means a short sandbox run or a single inspection sees nothing, which complicates detection by antivirus and behavioural systems.
When the payload finally arrives from the server, it is encoded with a custom scheme that swaps uppercase and lowercase letters, inverts digits, and encrypts the result with a key specific to each browser.
Once active, GhostPoster quietly monitors the user's browsing, with particular interest in e-commerce sites. It replaces affiliate commission codes in links so that the malware operators, not the legitimate affiliate, collect the commission.
It also injects a Google Analytics tracking code into every visited page, plants invisible HTML elements carrying installation data and user interactions, and strips HTTP security headers from all responses. Removing those headers leaves users open to further attacks: an injected script can do far more on a page whose Content-Security-Policy has been taken away.
The malware also carries routines for getting past CAPTCHA challenges, so that its automated traffic is not halted or flagged by anti-bot systems.
The Growing Threat of Malicious Extensions
GhostPoster is not an isolated case. Weeks earlier, LayerX exposed another extension, Urban VPN Proxy, which affected over 8 million users by harvesting their conversations with AI chatbots. Before that, the extension FreeVPN.One, with over 100,000 installs, was caught taking screenshots of pages containing users' sensitive information.
Following the disclosure, Mozilla and Microsoft removed the identified extensions from their stores. Store removal only stops new installs, however: copies already on users' machines keep running until the user removes them, so hundreds of thousands of people may remain unaware and exposed.
The discovery underlines the urgent need for review processes that look at everything an extension ships, not just its JavaScript, to protect users and the integrity of the platforms.