AI Security Analysis: ANTAQ Pro

Analysis generated: 2025-12-12T19:40:00+13:00
Model: gemini-3-pro-preview

---

Quick Facts

Property	Value
UUID	b43f5f70-a4f3-5687-a16d-023a272200f3
Type	firefox
Version
Users	23
Risk Score	100.0/100 (CRITICAL)
Malware Detected	⚠️ Yes
Secrets Exposed	✅ No
Critical Vulns	✅ No

---

AI Analysis

Executive Summary

The ANTAQ Pro Firefox extension represents a CRITICAL security threat and should be immediately blocked and removed from all organizational assets. The analysis indicates the extension exhibits behavior consistent with a "dropper" or Remote Access Trojan (RAT), including capabilities to execute system commands, manipulate the file system, and establish persistence. With a risk score of 100/100 and an unverified publisher, this extension poses an immediate danger to system integrity and data confidentiality.

Threat Assessment

The security posture of this extension is non-existent; it appears to be malicious by design or heavily compromised.

• Malicious Capabilities: The most alarming findings are the repeated YARA matches for postinstall_system_command, postinstall_file_download, and postinstall_persistence_mechanism. In the context of a browser extension, these signatures suggest the code attempts to break out of the browser's sandbox to execute commands on the host operating system, download additional payloads, and ensure it remains active after a reboot.
• Supply Chain/NPM Indicators: The specific naming convention of the YARA rules (e.g., postinstall_...) strongly suggests the presence of malicious Node.js/npm packages embedded within the extension. This is a common vector for supply chain attacks, where a developer includes a compromised library that attempts to run malicious scripts during installation or execution.
• Evasion Techniques: The presence of postinstall_obfuscation indicates active attempts to hide malicious code from analysis, a hallmark of malware.
• Publisher Trust: The publisher "ANTAQ" is unverified, and the user count is extremely low (23). This profile is consistent with a targeted attack or a malicious extension in the early stages of distribution.

Risk Justification

The 100.0/100 Risk Score is fully justified and accurate.

1. Remote Code Execution (RCE) Indicators: The extension flags multiple rules regarding system command execution. RCE is the highest severity class of vulnerability/malware.
2. Persistence & Modification: The ability to modify files and establish persistence mechanisms elevates this from a simple data scraper to a system-level threat.
3. Volume of Findings: With nearly 3,000 total findings and 382 HIGH severity matches, the codebase is saturated with suspicious patterns.
4. Lack of Mitigation: There are no visible redeeming security features or verified trust indicators to offset these risks.

Key Findings

• System Command Execution (High Severity): Multiple instances of postinstall_system_command were detected. This indicates code designed to issue direct commands to the host OS (e.g., cmd.exe, bash), which is highly abnormal and dangerous for a browser extension.
• File System Manipulation (High Severity): Findings for postinstall_file_manipulation and postinstall_file_download suggest the extension can read, write, or delete files, and potentially download external malware payloads.
• Persistence Mechanisms (High Severity): The postinstall_persistence_mechanism finding indicates the extension attempts to modify system settings (like registry keys or startup folders) to ensure it runs automatically.
• Obfuscation (Medium/High Severity): 24 instances of obfuscation were detected. While legitimate developers sometimes use minification, combined with the other findings, this suggests an intent to conceal malicious logic.
• Network Communication (High Severity): 169 network-related findings, including postinstall_network_communication, suggest the extension is phoning home, potentially to a Command and Control (C2) server.

Recommendations

1. Immediate Removal: Force-uninstall this extension from all endpoints immediately.
2. Blocklist: Add the UUID b43f5f70-a4f3-5687-a16d-023a272200f3 to the organization's browser blocklist policy.
3. Incident Response: For the 23 users who had this installed, initiate an incident response procedure. Assume their browsers and underlying operating systems are compromised.
   • Scan for persistence mechanisms (startup items, scheduled tasks).
   • Review network logs for traffic originating from those endpoints to unknown IPs.
4. Credential Rotation: Require users who had this extension installed to rotate all credentials saved in their browser or used during the infection window.
5. Policy Review: Review policies regarding unverified extensions. Extensions with low user counts and unverified publishers should be blocked by default.

Mitigation Strategies

There are no safe mitigation strategies for this extension.

Due to the presence of Remote Code Execution (RCE) and persistence signatures, "sandboxing" or "limiting permissions" is insufficient. The extension likely contains code designed specifically to bypass standard browser restrictions. Do not use this extension under any circumstances.

Confidence Assessment

Confidence Level: 80%

While I have not performed dynamic analysis (running the code in a sandbox), the static analysis signatures are highly specific and severe. The postinstall_ class of YARA rules has a high fidelity for detecting malicious scripts often found in compromised npm packages. The combination of obfuscation, system command execution, and persistence mechanisms creates a coherent picture of a malicious threat, making the likelihood of a "false positive" extremely low.

---

Disclaimer

This analysis was generated by an AI model and should be reviewed by security professionals. The findings are based on automated security scanning and may include false positives. Always verify critical findings manually before taking action.