A malicious Microsoft Edge extension called Edgecution has been used in ransomware attacks to escape browser sandboxes by leveraging Chrome's Native Messaging protocol, enabling communication between the extension and a Python-based backdoor. The attack begins with threat actors posing as IT support on Microsoft Teams, directing victims to a fake Microsoft update page where malicious components are downloaded. The ZIP archive contains a Python interpreter and two directories named "extension" and "native", with the extension disguised as an "Edge Monitoring Agent" running in a headless browser.
The extension connects to a command-and-control server, receiving instructions that are relayed to the Python backdoor through Native Messaging, which executes shell commands, runs PowerShell and arbitrary Python code, writes files, and gathers system information. The malware uses malformed ZIP headers to evade security detection, with AutoHotkey, batch, or PowerShell scripts configuring the environment, extracting files, and creating scheduled tasks. Zscaler attributes the campaign to an initial access broker connected to the Payouts Kings ransomware operation, with unused commands suggesting potential future expansion.
Researchers recommend that organizations strengthen browser extension monitoring and enforce strict controls over native messaging host configurations. The extension operates invisibly to users, while the native messaging manifest enables communication between the browser and the backdoor. Indicators of compromise, including command-and-control servers and file hashes, are available in Zscaler's report. The technique represents an evolution in sophistication for ransomware-linked threat actors establishing persistence on compromised hosts.
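The recommendation above centres on the native messaging host manifest, the JSON file that tells Chrome or Edge which local executable an extension may talk to over stdio. The following audit script is an added example written for this page; it is not Zscaler's tooling and does not come from the report. It parses manifests in the documented format and flags the patterns the article describes: a host executable that is a script interpreter (such as python.exe), a host installed under a user-writable profile directory, and an allowed_origins entry naming an extension ID that is not on an enterprise allowlist. The two sample manifests, their paths and extension IDs are constructed for illustration; the interpreter list and the user-writable path hints are assumptions to tune for a given estate.

```python
"""Audit Chrome/Edge native messaging host manifests for risky settings.

Added example, not code from the article or from Zscaler. The manifest
format (name, path, type, allowed_origins) follows the public native
messaging documentation; the samples at the bottom are constructed.
"""
import json
import re
from pathlib import Path, PureWindowsPath, PurePosixPath

# Documented rules for the manifest "name" field: lowercase alphanumerics,
# underscores and dots; no leading, trailing or consecutive dots.
NAME_RE = re.compile(r"^(?!\.)(?!.*\.\.)[a-z0-9._]+(?<!\.)$")

# Extension IDs are 32 characters drawn from a-p.
ORIGIN_RE = re.compile(r"chrome-extension://([a-p]{32})/")

# Executables that turn a native host into a generic command relay
# (assumption: extend for the interpreters present in your environment).
INTERPRETERS = {"python", "python3", "pythonw", "powershell", "pwsh", "cmd",
                "wscript", "cscript", "autohotkey", "node"}

# Path fragments that indicate a user-writable install location (assumption:
# a starting point, not an exhaustive list).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                       "\\users\\public\\", "/tmp/", "/home/", "/users/")


def _basename_no_ext(path: str) -> str:
    """Lower-cased executable name without extension, for either OS style."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    name = p.name.lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def audit_manifest(raw: str, allowed_extension_ids: set) -> list:
    """Return a list of findings for one manifest; an empty list means clean."""
    findings = []
    try:
        m = json.loads(raw)
    except json.JSONDecodeError as e:
        return [f"unparseable manifest: {e}"]

    for field in ("name", "path", "type", "allowed_origins"):
        if field not in m:
            findings.append(f"missing required field '{field}'")
    if findings:
        return findings

    if not NAME_RE.match(m["name"]):
        findings.append(f"invalid host name '{m['name']}'")
    if m["type"] != "stdio":
        findings.append(f"unexpected type '{m['type']}' (only 'stdio' is valid)")

    path = m["path"]
    if _basename_no_ext(path) in INTERPRETERS:
        findings.append(f"host executable is a script interpreter: {path}")
    if any(hint in path.lower() for hint in USER_WRITABLE_HINTS):
        findings.append(f"host installed in user-writable location: {path}")

    for origin in m["allowed_origins"]:
        mo = ORIGIN_RE.fullmatch(origin)
        if not mo:
            findings.append(f"malformed allowed_origin '{origin}'")
        elif mo.group(1) not in allowed_extension_ids:
            findings.append(f"extension not on allowlist: {mo.group(1)}")
    return findings


def audit_directory(directory: str, allowed_extension_ids: set) -> dict:
    """Audit every *.json manifest in a NativeMessagingHosts directory."""
    results = {}
    for f in Path(directory).glob("*.json"):
        results[f.name] = audit_manifest(f.read_text(encoding="utf-8"),
                                         allowed_extension_ids)
    return results


# Constructed samples: a vendor host in Program Files, and a host shaped like
# the one the article describes (Python interpreter under the user profile).
ALLOWLIST = {"abcdefghijklmnop" * 2}

GOOD_MANIFEST = json.dumps({
    "name": "com.example.vendor_host",
    "description": "Vendor integration (constructed sample)",
    "path": "C:\\Program Files\\Vendor\\host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://" + "abcdefghijklmnop" * 2 + "/"],
})

SUSPECT_MANIFEST = json.dumps({
    "name": "com.monitoring.agent",
    "description": "Edge Monitoring Agent (constructed sample)",
    "path": "C:\\Users\\victim\\AppData\\Local\\native\\python.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://" + "ab" * 16 + "/"],
})

if __name__ == "__main__":
    for label, raw in (("good", GOOD_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(label, audit_manifest(raw, ALLOWLIST) or "clean")
```

Point audit_directory at the browser's NativeMessagingHosts location for the platform being checked (on Windows the manifests are registered by path under the per-user and per-machine Edge and Chrome NativeMessagingHosts registry keys, so enumerate those keys first; on Linux and macOS they sit in per-browser NativeMessagingHosts directories under the user's config directory and under /etc or /Library). The allowlist should hold only the extension IDs the organization has approved; any host that a non-approved extension can reach, or that launches an interpreter from a profile directory, is worth an analyst's attention regardless of how it describes itself.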
