- Zscaler discovered “Edgecution”, a malicious Edge extension delivered through fake Outlook update sites that victims are sent to after being contacted over Microsoft Teams
- The downloaded ZIP bundles a Python runtime and registers a native messaging host, giving the extension a channel out of the browser sandbox to a backdoor that can run shell and PowerShell commands and collect system data
- Zscaler attributes the campaign to an initial access broker believed to be connected to the Payout Kings ransomware group, a sign of how access-for-sale operations are growing more sophisticated
If you use the Edge browser, be careful: a malicious campaign is using the browser itself to plant a backdoor via an extension.
According to security researchers at Zscaler, the scammers contact their victims over Microsoft Teams, posing as IT support. They claim the user needs to install an Outlook update or a spam filter and direct them to a fake “Outlook Update Management Console” website.
There, users are told to run one of three provided procedures, each of which downloads a ZIP file that, when run, creates a scheduled task. The task starts the Edge browser in headless mode (with no visible window) and installs an extension presented as the “Edge Monitoring Agent”; Zscaler calls it “Edgecution.”
Creating a native messaging manifest
The ZIP file also contains an embedded Python runtime and a Python-based backdoor. The runtime creates a native messaging manifest: a small JSON file that tells the browser which native program an extension may talk to, over that program's standard input and output (on Windows, Edge finds the manifest through a registry key under Software\Microsoft\Edge\NativeMessagingHosts). Native messaging is a legitimate, documented browser feature, so no exploit is needed: by abusing it, the threat actors gave the extension a sanctioned path out of the browser sandbox to the backdoor running on the compromised computer.
The backdoor can do a number of things, from running shell commands to executing PowerShell and arbitrary Python code. It can also write files to the host, list running processes, and collect system information.
Zscaler believes this is the work of an initial access broker (IAB), a criminal group whose sole business is gaining a foothold in a victim's infrastructure and then selling or handing that access to an affiliated group. The researchers believe this particular IAB is connected to a ransomware operation called Payout Kings.
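As an added illustration of the two mechanisms described above (the scheduled task that launches Edge headless, and the native messaging manifest that bridges the extension to a native host), here is Python that is not Zscaler's code nor anything recovered from the campaign: it shows the documented manifest layout and message framing for Chromium-based browsers such as Edge, and runs a simple triage over constructed manifests and scheduled-task command lines. The host names, paths, extension IDs and the `--load-extension` side-loading switch in the sample task are assumptions made for illustration, not indicators from the report.

```python
"""
Added example, not code from Zscaler or from the campaign itself: what a
Chromium/Edge native messaging host manifest looks like, how the browser frames
messages to that host, and a small triage pass over constructed manifests and
scheduled-task command lines. All names, paths and IDs are constructed.
"""
import json
import re
import struct

# Native messaging manifest layout as documented for Chromium-based browsers.
# On Windows, Edge locates it through a registry value under
# HKCU (or HKLM)\Software\Microsoft\Edge\NativeMessagingHosts\<name>.
# Constructed example: host name, path and extension ID are made up.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "com.example.edge_monitoring_agent",
    "description": "Edge Monitoring Agent host",
    "path": r"C:\Users\victim\AppData\Local\Temp\agent\python.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})

# Constructed benign manifest for comparison: vendor binary under Program Files.
BENIGN_MANIFEST = json.dumps({
    "name": "com.example.password_manager",
    "description": "Password manager host",
    "path": r"C:\Program Files\Example\pmhost.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://pmpmpmpmpmpmpmpmpmpmpmpmpmpmpmpm/"],
})


# Wire format between browser and host: a 4-byte native-order length prefix
# followed by UTF-8 JSON, exchanged over the host's stdin/stdout.
def frame_message(obj: dict) -> bytes:
    body = json.dumps(obj).encode("utf-8")
    return struct.pack("=I", len(body)) + body


def read_message(stream: bytes) -> tuple[dict, bytes]:
    """Decode one framed message, returning it and the unread remainder."""
    (length,) = struct.unpack("=I", stream[:4])
    return json.loads(stream[4:4 + length]), stream[4 + length:]


# Triage heuristics. A host living in a user-writable directory, or a host that
# is a script interpreter rather than a vendor binary, deserves a closer look.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.I)
INTERPRETER = re.compile(r"\\(pythonw?\d*|powershell|pwsh|wscript|cscript|cmd)\.exe$", re.I)


def triage_manifest(manifest_json: str) -> list[str]:
    m = json.loads(manifest_json)
    path = m.get("path", "")
    findings = []
    if USER_WRITABLE.search(path):
        findings.append("host path in user-writable location")
    if INTERPRETER.search(path):
        findings.append("host is a script interpreter")
    if m.get("type") != "stdio":
        findings.append("unexpected host type")
    return findings


# Constructed scheduled-task command lines. The article only says the task
# starts Edge headless and installs the extension; --load-extension below is
# the assumed side-loading method, not a detail taken from Zscaler's report.
TASK_COMMANDS = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'--headless=new --load-extension="C:\Users\victim\AppData\Local\Temp\agent\ext"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://intranet.example/',
]


def triage_task_command(cmd: str) -> list[str]:
    findings = []
    if re.search(r"msedge(\.exe)?", cmd, re.I):
        if re.search(r"--headless", cmd, re.I):
            findings.append("Edge launched headless")
        if re.search(r"--load-extension=", cmd, re.I):
            findings.append("Edge launched with an unpacked extension")
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
    for cmd in TASK_COMMANDS:
        print(triage_task_command(cmd) or "clean", "<-", cmd[:60])
    msg, _ = read_message(frame_message({"cmd": "whoami"}))
    print("round-trip:", msg)
```

For a real hunt, feed the function the manifest paths read from the NativeMessagingHosts registry keys and the task actions exported from Task Scheduler rather than the inline samples. The checks are heuristics: a developer who legitimately runs a Python native host from their own profile will trip them, so treat a hit as a lead to pivot on (which extension is in allowed_origins, who created the task, what the host does) rather than a verdict.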
“The Edgecution browser extension illustrates the evolving sophistication of initial access agents operating in the ransomware landscape,” warns Zscaler. “Reliance on a malicious browser extension to transmit commands to a native Python-based host demonstrates a creative approach to evade traditional endpoint detection.”
You can find a complete list of Indicators of Compromise (IoC) at this link.
Via BleepingComputer

Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.