- Zscaler discovered “Edgecution,” a malicious Edge extension deployed via fake Outlook update sites shared in Teams phishing.
- The attack uses ZIP archives with the Python runtime to escape the browser sandbox, creating a backdoor capable of running a shell/PowerShell and stealing system data.
- It is believed to be linked to Initial Access Brokers and the Payout Kings ransomware group, demonstrating increasing sophistication in sell-side access operations.
If you use the Edge browser, be careful: a malicious campaign is underway that uses the browser to deploy a backdoor via an extension.
According to security researchers at Zscaler, fraudsters contact their victims via Microsoft Teams, pretending to be IT support. They claim that the user needs to install an Outlook update or spam filter and direct victims to a fake “Outlook Updates Management Console” website.
There, users are prompted to run one of three provided processes, all of which download a ZIP archive whose contents, when executed, create a scheduled task. This task starts the Edge browser in headless mode (invisible to the user) and installs an extension officially named “Edge Monitoring Agent”. Zscaler, on the other hand, calls it “Edgecution”.
Creating a native messaging manifest
The ZIP archive also contains a built-in Python runtime and a Python-based backdoor. The runtime creates a native messaging manifest: a file that tells the browser how to communicate with the backdoor. This is how the threat actors managed to escape the browser sandbox and execute the backdoor on the compromised computer itself.
This backdoor can do several things, from running shell commands to running PowerShell and arbitrary Python code. It can also write files to the host, enumerate running processes, and collect system information.
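The two mechanisms described above, a scheduled task that launches Edge headless with a side-loaded extension and a native messaging manifest that points the browser at a host binary, both leave inspectable artefacts on the endpoint. The following Python is an added defender-side example, not code from Zscaler, TechRadar or the attackers: it triages the contents of a Chromium-style native messaging host manifest (the JSON format Edge reads, with `name`, `path`, `type` and `allowed_origins`; on Windows, Edge locates these manifests via `HKCU\Software\Microsoft\Edge\NativeMessagingHosts` and its HKLM counterpart) and the command line of a browser launch, flagging a host that resolves to an interpreter outside trusted install directories or an extension ID not on an allowlist, and an `msedge.exe` launch combining `--headless` with `--load-extension`. The manifest contents, extension IDs, paths and command line are constructed samples, not the campaign's real indicators.

```python
import json
import re
from pathlib import PureWindowsPath

# Directories a legitimately installed native messaging host is normally launched
# from. A host path anywhere else (user profile, Temp, Downloads) is worth a look.
TRUSTED_HOST_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

# Interpreters that a native messaging host should not resolve to directly;
# the article describes a bundled Python runtime playing exactly this role.
INTERPRETERS = {
    "python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "wscript.exe", "cscript.exe",
}

# Chromium extension IDs are 32 characters drawn from a-p.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")


def triage_native_host_manifest(manifest_text, allowed_extension_ids=frozenset()):
    """Inspect a Chromium-style native messaging host manifest (the JSON file the
    browser reads to learn which binary an extension may talk to over stdio)
    and return a list of human-readable findings. Empty list means nothing odd."""
    findings = []
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc}"]

    host_path = str(manifest.get("path", ""))
    host_name = PureWindowsPath(host_path).name.lower()
    if not any(host_path.lower().startswith(prefix) for prefix in TRUSTED_HOST_DIRS):
        findings.append(f"host binary outside trusted install directories: {host_path}")
    if host_name in INTERPRETERS:
        findings.append(f"host binary is a scripting interpreter: {host_name}")

    for origin in manifest.get("allowed_origins", []):
        match = ORIGIN_RE.match(str(origin))
        if match is None:
            findings.append(f"malformed allowed origin: {origin}")
        elif match.group(1) not in allowed_extension_ids:
            findings.append(f"unapproved extension may reach host: {match.group(1)}")
    return findings


HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)")
LOAD_EXT_RE = re.compile(r'(?:^|\s)--load-extension=("[^"]+"|\S+)')


def triage_edge_command_line(cmdline):
    """Flag a browser launch (for example the Action of a scheduled task) that
    starts Edge headless and side-loads an unpacked extension."""
    findings = []
    if "msedge.exe" not in cmdline.lower():
        return findings
    headless = HEADLESS_RE.search(cmdline) is not None
    ext = LOAD_EXT_RE.search(cmdline)
    if headless:
        findings.append("Edge started headless (no visible window)")
    if ext:
        ext_path = ext.group(1).strip('"')
        findings.append(f"unpacked extension side-loaded from {ext_path}")
    if headless and ext:
        findings.append("headless Edge combined with --load-extension: silent extension install pattern")
    return findings


# Constructed sample inputs (hypothetical paths and IDs, not real IoCs).
SAMPLE_SUSPICIOUS_MANIFEST = json.dumps({
    "name": "com.example.edge_monitoring_agent",
    "description": "Edge Monitoring Agent host",
    "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\runtime\\pythonw.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})
SAMPLE_BENIGN_MANIFEST = json.dumps({
    "name": "com.example.vendor_host",
    "description": "Vendor-installed host",
    "path": "C:\\Program Files\\ExampleVendor\\host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://ppppoooonnnnmmmmllllkkkkjjjjiiii/"],
})
APPROVED_EXTENSIONS = frozenset({"ppppoooonnnnmmmmllllkkkkjjjjiiii"})
SAMPLE_TASK_ACTION = (
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
    '--headless=new --load-extension="C:\\Users\\alice\\AppData\\Local\\EdgeMonitoringAgent"'
)

if __name__ == "__main__":
    for label, text in (("suspicious", SAMPLE_SUSPICIOUS_MANIFEST), ("benign", SAMPLE_BENIGN_MANIFEST)):
        print(label, triage_native_host_manifest(text, APPROVED_EXTENSIONS))
    print("task", triage_edge_command_line(SAMPLE_TASK_ACTION))
```

In practice the manifest texts would be read from the files that the Edge `NativeMessagingHosts` registry values point to, and the command line from scheduled task actions or process-creation telemetry; the allowlist is whatever extension IDs the organisation has deliberately paired with native hosts.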
Zscaler believes this is the work of an Initial Access Broker (IAB), a malicious group whose sole job is to gain access to a victim’s infrastructure and then sell it – or share it with a partner group. According to researchers, this particular IAB is linked to a ransomware operation called Payout Kings.
“The Edgecution browser extension illustrates the growing sophistication of initial access brokers operating in the ransomware landscape,” Zscaler warns. “Using a malicious browser extension to relay commands to a native Python-based host demonstrates a creative approach to evading traditional endpoint detection.”
A complete list of Indicators of Compromise (IoCs) can be found at this link.
Via BleepingComputer