Edge users beware - this malicious extension can break out of the sandbox and install ransomware
Hackers found a way to get an Edge extension to do their bidding.
Researchers from Zscaler found a new malware campaign dubbed Edgecution.
- Zscaler uncovered “Edgecution,” a malicious Edge extension deployed via fake Outlook update sites shared in Teams phishing
- The ZIP archive bundles a Python runtime and registers a Native Messaging host, letting the extension reach outside the browser sandbox to a backdoor capable of shell/PowerShell execution and system data theft
- Believed linked to Initial Access Brokers tied to ransomware group Payout Kings, showing evolving sophistication in access‑for‑sale operations
If you are using the Edge browser, be careful: a malicious campaign is going around that uses the browser to deploy a backdoor via an extension.
According to security researchers at Zscaler, the attackers reach out to victims via Microsoft Teams, posing as IT support. They claim the user needs to install an Outlook update or a spam filter, and direct the victim to a fake “Outlook Updates Management Console” website. There, users are told to follow one of three provided procedures, each of which downloads a ZIP archive whose contents, once run, create a scheduled task.
That task starts Edge in headless mode, so no window is visible to the user, and loads an extension that presents itself as “Edge Monitoring Agent”. Zscaler tracks it as “Edgecution”.
Creating a Native Messaging manifest
The ZIP archive also contains an embedded Python runtime and a Python-based backdoor. The runtime registers a Native Messaging host manifest, a small JSON file that tells the browser which native program a given extension is allowed to talk to and how to launch it. Native Messaging is a legitimate, documented browser feature rather than a sandbox exploit: the extension itself stays inside the browser sandbox, but the native host it connects to runs as an ordinary process with the logged-in user's privileges. That is how the threat actors got the backdoor running on the compromised computer itself.
That backdoor can do several things, from executing shell commands to running PowerShell and arbitrary Python code. It can also write files to the host, enumerate running processes, and gather system information.
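To make the two mechanisms described above concrete, here is a small added triage script (example code written for this piece, not Zscaler's tooling and not any artifact from the campaign). It works on constructed samples: a Native Messaging host manifest of the shape Chromium-based browsers load, and scheduled-task command lines of the kind a task scheduler would show. It flags the traits the campaign relies on, namely a native host that is a Python interpreter sitting in a user-writable folder, and Edge being launched headless with a side-loaded extension. The host name, file paths and extension ids in the samples are made up. On Windows the script can also list the hosts actually registered under the Software\Microsoft\Edge\NativeMessagingHosts key in HKCU and HKLM, which is where Edge looks for these manifests; on other platforms that step is skipped.

```python
"""Triage helpers for the pattern described in the article: a scheduled task
that starts Edge headless with a side-loaded extension, and a Native Messaging
host manifest that points the browser at a Python-based native host.
Example code for this article; all sample data below is constructed."""
import json
import re
import sys
from typing import Dict, List

# Constructed sample manifest (host name, path and extension id are made up).
# This is the JSON shape Chromium-based browsers read for a native host.
SAMPLE_MANIFEST = json.dumps({
    "name": "com.example.edge_monitoring_agent",
    "description": "Edge Monitoring Agent",
    "path": "C:\\Users\\alice\\AppData\\Local\\EdgeMonitor\\python\\pythonw.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})

# Constructed benign manifest: compiled vendor binary under Program Files.
BENIGN_MANIFEST = json.dumps({
    "name": "com.vendor.passwordmanager",
    "description": "Password manager connector",
    "path": "C:\\Program Files\\Vendor\\connector.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://pppppppppppppppppppppppppppppppp/"],
})

# Constructed scheduled-task actions (command plus arguments, as a task
# scheduler would display them).
SAMPLE_TASK_ACTIONS = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'--headless=new --load-extension="C:\Users\alice\AppData\Local\EdgeMonitor\ext"',
    r'"C:\Program Files\Vendor\updater.exe" /silent',
]

# Folders an unprivileged user can write to, and script interpreters that a
# vendor would not normally register as a native host.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
INTERPRETERS = re.compile(
    r"\\(pythonw?|pwsh|powershell|cmd|wscript|cscript|mshta)\d*\.exe$", re.IGNORECASE)
EXTENSION_ORIGIN = re.compile(r"chrome-extension://[a-p]{32}/")


def triage_manifest(manifest_json: str) -> List[str]:
    """Return reasons a Native Messaging host manifest deserves a closer look."""
    manifest = json.loads(manifest_json)
    findings = []
    path = manifest.get("path", "")
    if USER_WRITABLE.search(path):
        findings.append(f"host binary in user-writable location: {path}")
    if INTERPRETERS.search(path):
        findings.append(f"host is a script interpreter, not a compiled vendor binary: {path}")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected type {manifest.get('type')!r} (only 'stdio' is valid)")
    for origin in manifest.get("allowed_origins", []):
        if not EXTENSION_ORIGIN.fullmatch(origin):
            findings.append(f"malformed allowed_origin: {origin}")
    return findings


def triage_task_action(command_line: str) -> List[str]:
    """Flag a task action that launches Edge headless with a side-loaded extension."""
    findings = []
    if not re.search(r"msedge\.exe", command_line, re.IGNORECASE):
        return findings
    if re.search(r"--headless(=\w+)?(\s|$)", command_line):
        findings.append("Edge started headless (no window shown to the user)")
    loaded = re.search(r'--load-extension=("?)([^"\s]+)\1', command_line)
    if loaded:
        findings.append(f"extension side-loaded from {loaded.group(2)}")
    return findings


def collect_edge_hosts_windows() -> Dict[str, str]:
    """On Windows, map registered Edge native host names to their manifest paths
    (per-user and machine-wide registrations). Returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, hence the guarded import
    hosts: Dict[str, str] = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Edge\NativeMessagingHosts")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(key, index)
                except OSError:
                    break
                with winreg.OpenKey(key, name) as sub:
                    hosts[name], _ = winreg.QueryValueEx(sub, "")  # default value = manifest path
                index += 1
    return hosts


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, "manifest:", triage_manifest(doc) or "no findings")
    for action in SAMPLE_TASK_ACTIONS:
        print("task:", triage_task_action(action) or "no findings")
    for name, manifest_path in collect_edge_hosts_windows().items():
        print("registered Edge native host:", name, "->", manifest_path)
```

Run as a script, it reports two findings for the constructed malicious manifest (user-writable path, interpreter as host) and two for the constructed headless Edge task, and nothing for the benign pair. On a Windows host, feed the manifest paths returned by `collect_edge_hosts_windows()` into `triage_manifest()` after reading each file; the same registry layout exists for Chrome under Software\Google\Chrome\NativeMessagingHosts if you want to widen the sweep.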
Zscaler believes this is the work of an Initial Access Broker (IAB), a malicious group whose only job is to obtain access to a victim’s infrastructure and then sell it - or share it with a partnering group. This particular IAB, the researchers believe, is connected to a ransomware operation called Payout Kings.
“The Edgecution browser extension illustrates the evolving sophistication of initial access brokers operating in the ransomware landscape,” Zscaler warns. “The reliance on a malicious browser extension to relay commands to a Python-based native host demonstrates a creative approach to evade traditional endpoint detection.”
A full list of Indicators of Compromise (IoC) can be found on this link.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.