- 119 malicious Edge extensions flew under the radar
- They installed malicious code days after extension installation
- It’s proof that static code review is no longer sufficient
Microsoft says it has removed 119 malicious extensions from the Edge Add-ons store after “proactive threat hunting” uncovered a campaign dubbed StegoAd.
As part of the effort, the company also had to suspend more than 90 developer accounts related to the risky activity.
Believed to have been active since at least 2021, the malicious browser extensions are thought to have been downloaded a total of 2.6 million times.
Microsoft removes 119 ‘StegoAd’ malicious extensions
The campaign was broad enough that the extensions were not confined to one category: they posed as ad blockers, VPNs, video downloaders, translators and utilities such as PDF exporters.
This particular campaign gets its name from the type of tactics used – steganography is the practice of hiding data, in this case malicious code, inside seemingly harmless files. PNG images, SVG graphics and font files had hidden JavaScript embedded inside to bypass traditional antivirus tools and web filtering.
Once installed, Microsoft says the extensions remained dormant for three to five days to avoid detection before proceeding to steal browser credentials, redirect users to malicious websites, manipulate affiliate links for financial gain, download additional malicious code, and even communicate with C2 servers for updated instructions.
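As an added example (not from Microsoft's report or the original article), the Python code below checks a PNG asset for two places where extra data can sit without changing how the image renders: bytes appended after the IEND chunk and script-like text in ancillary chunks. The article does not say how StegoAd embedded its JavaScript, so these two locations, the `SCRIPT_HINTS` pattern and the function names are assumptions, and the sample images are constructed.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed heuristic for script-like text; tune it for your own review pipeline.
SCRIPT_HINTS = re.compile(rb"eval\(|atob\(|fetch\(|function\s*\(|<script")

def scan_png(data: bytes) -> list[str]:
    """Walk the PNG chunk list and report places where extra data can hide."""
    if not data.startswith(PNG_SIG):
        return ["not-png"]
    findings, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return findings + ["truncated-chunk"]
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            findings.append("bad-crc:" + ctype.decode("latin-1"))
        # Ancillary chunks (lowercase first letter) are ignored by renderers,
        # so uncompressed script text there is worth a manual look.
        if ctype[0] & 0x20 and SCRIPT_HINTS.search(body):
            findings.append("script-in-chunk:" + ctype.decode("latin-1"))
        if ctype == b"IEND":
            trailing = data[end:]
            if trailing:
                kind = "script" if SCRIPT_HINTS.search(trailing) else "data"
                findings.append(f"trailing-{kind}:{len(trailing)}")
            return findings
        pos = end
    return findings + ["missing-iend"]

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a valid CRC (used only for the constructed samples)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed 1x1 grayscale PNG and two tampered variants; not samples from the campaign.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
IEND = chunk(b"IEND", b"")
CLEAN = PNG_SIG + IHDR + IDAT + IEND
APPENDED = CLEAN + b"fetch('https://example.invalid/x')"
IN_TEXT = PNG_SIG + IHDR + chunk(b"tEXt", b"Comment\x00eval(atob('AAAA'))") + IDAT + IEND

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("appended", APPENDED), ("text", IN_TEXT)]:
        print(name, scan_png(blob))
```

This check does not see data hidden in pixel values or in compressed `zTXt`/`iTXt` chunks, so a clean result only rules out the two locations it inspects.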
“The StegoAd campaign demonstrates that browser extensions remain a potent and evolving attack surface,” Microsoft wrote, admitting that even its own security measures had missed these risky extensions.
The report also concludes that static code review alone is no longer sufficient because extensions and other installed software can download malicious code long after they were first installed.
For developers themselves, Microsoft recommends being as transparent as possible by not hiding code, requesting only the necessary permissions to build trust, and reporting any suspected impersonation.