Microsoft has removed a series of malicious extensions from its Edge Add-ons store that concealed malware inside ordinary image and font files. The extensions, tracked collectively as StegoAd, were used to steal user credentials and commit ad fraud, and had a combined install base of up to 2.6 million users. The campaign came to light after Microsoft linked 119 extensions to a single threat actor believed to have been active since at least 2021.
Understanding the StegoAd Threat
The StegoAd operation relied on extensions that looked innocuous, such as ad blockers and VPNs, which users typically install without much scrutiny. The extensions worked as advertised and collected positive reviews, while the malicious code stayed dormant long enough to pass the store's review checks. Because nothing hostile ran during review, the extensions evaded detection for years and remained listed in the store.
Microsoft noted that although the extensions had a combined install base of up to 2.6 million, this figure represents potential exposure rather than a confirmed victim count. Payload activation was delayed for several days after installation and gated on server-side validation, so the number of users actually compromised is likely lower.
The Technique of Steganography in Malware
Steganography, the art of hiding code within benign files, was central to the StegoAd campaign. Initially, malicious JavaScript was appended to PNG files, which static scanners failed to identify. As detection methods improved, the threat actors shifted to using WebP images and WOFF2 font files, embedding code in complex glyph ranges.
Some variants did not ship the payload in the package at all but fetched images from command-and-control servers at runtime. Those images went through several decoding stages and were checked against specific signatures before the extracted code was executed, a layered approach that keeps the payload out of the store's static review entirely.
Consequences and Mitigation Strategies
The visible impact of these extensions was ad fraud, evident through injected ads and hijacked affiliate commissions. However, Microsoft’s analysis revealed deeper threats, including remote code execution, credential theft, and session hijacking. The threat actors also utilized Google Analytics for covert telemetry, highlighting their operational sophistication.
To counter these threats, Microsoft removed all implicated extensions and suspended associated developer accounts. Users are advised to inspect their installed add-ons via edge://extensions and change passwords for sensitive accounts if affected. Enabling strong two-factor authentication is recommended to enhance security.
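Checking edge://extensions by hand works for one machine; for a fleet, or during incident response, it is more useful to inventory the extension directories on disk. The script below is an added example, not part of Microsoft's guidance or tooling. It reads each `<id>/<version>/manifest.json` under an Edge profile's `Extensions` folder, resolves localised `__MSG_…__` names, and flags extensions that combine broad host access (`<all_urls>`, wildcard host permissions or content-script matches) with bundled PNG, WebP or WOFF2 files, the profile of the StegoAd add-ons described above. The profile paths in `DEFAULT_ROOTS` are assumptions based on the usual Chromium layout, and `demo()` builds a constructed two-extension profile in a temporary directory so the example runs offline.

```python
"""Inventory extensions installed in an Edge profile from disk and flag the
ones worth a manual look (added example; paths are assumptions)."""
import json
import os
import tempfile
from pathlib import Path

# Assumed default profile locations (Chromium-style layout); adjust for
# non-default profiles or a disk image mounted elsewhere.
DEFAULT_ROOTS = [
    Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft/Edge/User Data/Default/Extensions",
    Path.home() / ".config/microsoft-edge/Default/Extensions",
    Path.home() / "Library/Application Support/Microsoft Edge/Default/Extensions",
]
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
CARRIER_SUFFIXES = {".png", ".webp", ".woff2"}


def _resolve_name(manifest, ext_dir):
    """Resolve __MSG_key__ names via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2]
        loc = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        try:
            name = json.loads(loc.read_text("utf-8")).get(key, {}).get("message", name)
        except (OSError, ValueError):
            pass
    return name


def inventory(root):
    """Return one record per <id>/<version>/manifest.json under root."""
    records = []
    for manifest_path in sorted(Path(root).glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text("utf-8"))
        except (OSError, ValueError):
            continue
        # Host reach: MV3 host_permissions, MV2-style URL patterns in
        # permissions, and content-script match lists.
        hosts = set(manifest.get("host_permissions", []))
        hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
        for cs in manifest.get("content_scripts", []):
            hosts |= set(cs.get("matches", []))
        carriers = sorted(p.relative_to(ext_dir).as_posix()
                          for p in ext_dir.rglob("*") if p.suffix.lower() in CARRIER_SUFFIXES)
        broad = bool(hosts & BROAD_HOSTS)
        records.append({
            "id": ext_dir.parent.name,
            "version": ext_dir.name,
            "name": _resolve_name(manifest, ext_dir),
            "permissions": sorted(manifest.get("permissions", [])),
            "broad_hosts": broad,
            "carrier_files": carriers,
            # Can touch every site and ships image/font files that could
            # carry an embedded payload: review by hand.
            "review": broad and bool(carriers),
        })
    return records


def demo():
    """Inventory a constructed two-extension profile built in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        a = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0.0_0"   # constructed id
        a.mkdir(parents=True)
        (a / "manifest.json").write_text(json.dumps({
            "manifest_version": 3, "name": "Notes", "version": "1.0.0",
            "permissions": ["storage"]}))
        b = root / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "2.3.1_0"   # constructed id
        (b / "_locales" / "en").mkdir(parents=True)
        (b / "assets").mkdir()
        (b / "manifest.json").write_text(json.dumps({
            "manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
            "version": "2.3.1", "permissions": ["scripting", "storage"],
            "host_permissions": ["<all_urls>"]}))
        (b / "_locales/en/messages.json").write_text(
            json.dumps({"appName": {"message": "Free VPN Plus"}}))
        (b / "assets/icon.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (b / "assets/ui.woff2").write_bytes(b"wOF2")
        return inventory(root)


if __name__ == "__main__":
    roots = [r for r in DEFAULT_ROOTS if r.is_dir()]
    for rec in (inventory(roots[0]) if roots else demo()):
        flag = "REVIEW" if rec["review"] else "ok"
        print(f"{flag:6} {rec['id']} {rec['version']} {rec['name']!r} {rec['permissions']}")
```

The flag is a triage aid, not a verdict: many legitimate ad blockers and VPN helpers need `<all_urls>` and ship icons. Its value is in narrowing a long list to the handful of entries whose bundled images and fonts are worth running through a trailer or decoder check, and in giving you the extension IDs to compare against Microsoft's published list of removed add-ons.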
Microsoft’s findings suggest a connection between StegoAd and known malicious campaigns like ShadyPanda and GhostPoster. Although Microsoft has not identified the threat actor, the overlapping tactics and extension names indicate a complex and ongoing operation.
