A recently exposed malware campaign shows how a browser extension can be used to compromise the host it runs on. Security researchers have found a malicious Microsoft Edge extension that abuses a sanctioned browser feature, native messaging, to hand attacker commands to a program running outside the browser sandbox, giving the attackers direct access to victims' computers.
Security Breach via Microsoft Teams
The campaign is attributed to an initial access broker associated with the Payouts King ransomware syndicate. The attackers reach their targets through Microsoft Teams, posing as IT staff and instructing victims to install an update to their spam filters.
Victims are then directed to a counterfeit Microsoft website offering download links labeled as Outlook updates. Running any of these downloads installs the malware on the user's machine without any visible sign that something other than an update has happened.
Edgecution: A Stealthy Threat
Zscaler ThreatLabz analysts have been tracking this operation and have dubbed the malware 'Edgecution.' Their report describes a two-component design: a browser extension and a Python program on the host that together give the attacker control of the compromised system. Either component on its own looks unremarkable, an extension that sends messages and a script that reads its standard input, but together they form a complete backdoor.
The fake website masquerades as an 'Outlook Updates Management Console' and offers three download options: an AutoHotkey script, a Windows batch script, and a PowerShell script. All three lead to the same result, a hidden Edge browser session that loads the malicious extension without the user noticing.
Exploiting Chrome’s Native Messaging
The campaign abuses Chromium's native messaging protocol, which Edge inherits from Chrome. The protocol exists so that an extension can exchange JSON messages with a trusted application installed on the same machine; the browser launches that application as a normal process and talks to it over stdin and stdout. Edgecution does not break out of the browser sandbox so much as walk through a door the browser holds open: the extension uses the protocol to pass commands to a Python backdoor, which already runs outside the sandbox with the privileges of the logged-in user. The browser's only check is that the calling extension's origin appears in the host's manifest; it does not inspect what the messages say.
A native messaging host manifest registers a fake application called 'Edge Monitoring Agent.' The extension fetches commands from the attacker's control server and relays them to the backdoor through the chrome.runtime.sendNativeMessage API call, so the host process receives a JSON command and acts on it.
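To make the channel concrete, here is the native messaging wire format that chrome.runtime.sendNativeMessage puts on a host's stdin, written as an added example for this article (it is not Zscaler's code and not taken from the Edgecution samples). Each message is a 32-bit length prefix in the host's native byte order followed by UTF-8 JSON; the reply from the host to the browser uses the same framing and is limited to 1 MB. The command object and the echo host below are constructed for illustration; the article does not give the real Edgecution command schema.

```python
"""Native messaging wire format, the channel Edgecution rides on.

Added example, not Zscaler's code. The browser checks only that the calling
extension's origin is listed in the host manifest's allowed_origins; the JSON
payload itself is opaque to it, so a "command" looks the same as any request.
"""
import io
import json
import struct

# "=I": unsigned 32-bit, native byte order, no padding. Both ends of the pipe
# are on the same machine, so byte order is never negotiated.
_HEADER = struct.Struct("=I")
# Chrome/Edge drop the connection if one host-to-browser message exceeds 1 MB.
MAX_HOST_TO_BROWSER = 1024 * 1024


def encode_message(obj) -> bytes:
    """Frame a JSON-serialisable object exactly as the browser writes it to the host."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return _HEADER.pack(len(body)) + body


def decode_stream(data: bytes):
    """Yield every complete message in a captured byte stream; a truncated frame raises."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < _HEADER.size:
            raise ValueError("truncated length prefix")
        (length,) = _HEADER.unpack_from(data, offset)
        offset += _HEADER.size
        if len(data) - offset < length:
            raise ValueError(f"truncated body: declared {length}, have {len(data) - offset}")
        yield json.loads(data[offset:offset + length].decode("utf-8"))
        offset += length


def host_reply(obj) -> bytes:
    """Frame a host-to-browser reply and enforce the browser's 1 MB limit."""
    frame = encode_message(obj)
    if len(frame) - _HEADER.size > MAX_HOST_TO_BROWSER:
        raise ValueError("reply exceeds the 1 MB host-to-browser limit")
    return frame


# Constructed command object (hypothetical field names, not the real schema).
# Nothing in the protocol marks it as malicious; only the host gives "action" meaning.
SAMPLE_COMMAND = {"action": "list_processes", "id": 7}


def serve_one(stdin, stdout):
    """Minimal benign host: read one framed request, write one framed receipt.

    sendNativeMessage() starts a fresh host process per message and closes it
    after the reply, so a one-message loop is the normal host shape; a host
    that exits right after acting on a command is therefore not anomalous.
    """
    header = stdin.read(_HEADER.size)
    if len(header) < _HEADER.size:
        return None
    (length,) = _HEADER.unpack(header)
    request = json.loads(stdin.read(length).decode("utf-8"))
    reply = {"received": request.get("action"), "id": request.get("id")}
    stdout.write(host_reply(reply))
    stdout.flush()
    return reply


def demo_echo(frame: bytes):
    """Run serve_one over in-memory pipes; returns (reply, bytes sent to the browser)."""
    out = io.BytesIO()
    reply = serve_one(io.BytesIO(frame), out)
    return reply, out.getvalue()


if __name__ == "__main__":
    captured = encode_message(SAMPLE_COMMAND) + encode_message({"action": "exit"})
    for msg in decode_stream(captured):
        print("host would receive:", msg)
    reply, wire = demo_echo(encode_message(SAMPLE_COMMAND))
    print("host replied:", reply, "as", len(wire), "bytes")
```

A real host reads stdin with the same two-step read shown in serve_one; the detection lesson is that the framing carries no authentication of its own, so the manifest's path and allowed_origins are the only things standing between an extension and an arbitrary local program.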
Advanced Evasion Techniques
The Python backdoor can execute shell commands, write files, run PowerShell scripts, list processes, and execute arbitrary Python code. Each command arrives as a JSON message, and the process exits as soon as it has handled one. That fits the API being abused: sendNativeMessage launches a new host process for every message and closes it after the reply, so the backdoor is never a long-running process that would stand out in a process list or a periodic scan.
To conceal its presence further, the malware keeps its strings encrypted and stores the decryption key in the Windows registry. The extension runs in a headless Edge window, and all command and control (C2) traffic goes to Amazon CloudFront subdomains, so it blends in with legitimate cloud traffic and is unlikely to be caught by domain reputation alone.
Security Recommendations
Zscaler advises organizations to closely monitor browser extension installations and to enforce strict controls over native messaging host configurations. In Chromium-based browsers such as Edge and Chrome that means the NativeMessagingAllowlist and NativeMessagingBlocklist policies, and disabling user-level hosts with NativeMessagingUserLevelHosts, since a per-user registration is exactly what a script run by a phished user can create without admin rights. Educating users to recognize phishing attempts impersonating IT staff remains essential. A layered defense is the best safeguard against a campaign that combines social engineering with abuse of legitimate browser features.
Zscaler's report lists indicators of compromise for the Edgecution malware, including URLs and SHA256 hashes, which defenders can use to hunt for and block the campaign's infrastructure.
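The following is an added example of what auditing native messaging host configurations can look like in practice; it is not Zscaler's tooling. The registry locations are the ones Chromium-based browsers read on Windows. The risk heuristics, the approved-extension allowlist and the two sample manifests are constructed for illustration: the host name 'Edge Monitoring Agent' is taken from the article, but every other field in the suspect manifest is invented and should not be read as the real campaign's configuration.

```python
"""Audit native messaging host registrations for the markers Edgecution relies on.

Added example, not Zscaler's tooling. assess_manifest() runs anywhere;
registered_hosts() reads the Windows registry and returns nothing elsewhere.
"""
import json
import re
import sys

# Registration roots under HKCU (per-user) and HKLM (machine-wide). The default
# value of each subkey is the path to that host's JSON manifest. A per-user
# entry needs no admin rights, which is what a phished user's script can write.
REGISTRY_ROOTS = (
    r"Software\Microsoft\Edge\NativeMessagingHosts",
    r"Software\Google\Chrome\NativeMessagingHosts",
)

# A "host" that is really an interpreter will run whatever the extension sends.
INTERPRETERS = re.compile(
    r"^(python\w*|pwsh|powershell|cmd|wscript|cscript|mshta|autohotkey\w*)\.exe$", re.I)
# Paths a non-admin user can write to; legitimate hosts normally live in Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
EXTENSION_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")


def extension_ids(manifest):
    """Return the extension IDs in allowed_origins, with None for a malformed entry."""
    ids = []
    for origin in manifest.get("allowed_origins", []):
        m = EXTENSION_ORIGIN.match(origin)
        ids.append(m.group(1) if m else None)
    return ids


def assess_manifest(manifest, hive, allowed_extensions):
    """Return a list of findings for one host manifest; an empty list means clean."""
    findings = []
    path = manifest.get("path", "")
    exe = re.split(r"[\\/]", path)[-1]
    if hive == "HKCU":
        findings.append("registered per-user (HKCU): installable without admin rights")
    if USER_WRITABLE.search(path):
        findings.append(f"host binary in a user-writable location: {path}")
    if INTERPRETERS.match(exe):
        findings.append(f"host is a script interpreter ({exe}), not a dedicated binary")
    for ext_id in extension_ids(manifest):
        if ext_id is None:
            findings.append("malformed allowed_origins entry")
        elif ext_id not in allowed_extensions:
            findings.append(f"origin {ext_id} is not an approved extension")
    return findings


def registered_hosts():
    """Return (hive, host name, manifest path) tuples from the registry. Windows only."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive, root in hives.items():
        for sub in REGISTRY_ROOTS:
            try:
                key = winreg.OpenKey(root, sub)
            except OSError:
                continue  # that browser is not installed or has no hosts
            with key:
                index = 0
                while True:
                    try:
                        name = winreg.EnumKey(key, index)
                    except OSError:
                        break
                    index += 1
                    found.append((hive, name, winreg.QueryValue(key, name)))
    return found


def audit_windows(allowed_extensions):
    """Load every registered manifest and assess it; returns {(hive, name): findings}."""
    report = {}
    for hive, name, manifest_path in registered_hosts():
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError) as exc:
            report[(hive, name)] = [f"manifest unreadable: {exc}"]
            continue
        report[(hive, name)] = assess_manifest(manifest, hive, allowed_extensions)
    return report


# Constructed samples. The IDs are syntactically valid 32-letter IDs, not real extensions.
APPROVED = {"abcdefghijklmnopabcdefghijklmnop"}
BENIGN = {"name": "com.contoso.vpn_helper", "type": "stdio",
          "path": r"C:\Program Files\Contoso\vpn_helper.exe",
          "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]}
SUSPECT = {"name": "com.example.edge_monitoring_agent", "type": "stdio",
           "description": "Edge Monitoring Agent",  # name from the article; path etc. invented
           "path": r"C:\Users\victim\AppData\Local\Programs\Python\pythonw.exe",
           "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"]}

if __name__ == "__main__":
    for label, manifest, hive in (("benign", BENIGN, "HKLM"), ("suspect", SUSPECT, "HKCU")):
        print(label, assess_manifest(manifest, hive, APPROVED))
    for key, findings in audit_windows(APPROVED).items():
        print(key, findings)
```

The heuristics are deliberately coarse: a host registered per-user, living under AppData and implemented as pythonw.exe is not proof of compromise, but each of those properties is something a legitimate vendor's host rarely has, and together they describe the structure the article attributes to Edgecution.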
