- Zscaler exposed “Edgecution”, a malicious Edge extension deployed via fake Outlook update sites shared in Teams phishing
- Attack uses ZIP archives with Python runtime to escape browser sandbox, creating a backdoor capable of shell/PowerShell execution and system data theft
- Believed to be the work of an Initial Access Broker with ties to the Payout Kings ransomware group, showing the growing sophistication of access-for-sale operations
If you use the Edge browser, be careful – there is a malicious campaign running that uses the browser to implement a backdoor via an extension.
According to security researchers Zscaler, scammers reach out to their victims via Microsoft Teams and pretend to be IT support. They claim that the user must install an Outlook update or a spam filter and direct victims to a fake “Outlook Updates Management Console” website.
There, users are instructed to run one of three provided processes, all of which download a ZIP archive that, when executed, creates a scheduled task. This task starts the Edge browser in headless mode (invisible to the user) and installs an extension officially called “Edge Monitoring Agent”. Zscaler, on the other hand, calls it “Edgecution”.
Creating a Native Messaging Manifest
The ZIP archive also contains an embedded Python runtime and a Python-based backdoor. The runtime creates a Native Messaging manifest – a file that tells the browser how to communicate with the backdoor. This was how the threat actors managed to escape the browser sandbox and backdoor the compromised computer itself.
That backdoor can do several things, from executing shell commands to running PowerShell and arbitrary Python code. It can also write files on the host, enumerate running processes and collect system information.
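Defenders hunting for this kind of abuse can start from the artifacts described above: a Native Messaging host manifest that points the browser at a script interpreter in a user-writable folder, and a scheduled task that launches Edge headless. The Python below is an added illustration written for this article, not Zscaler's tooling or anything from the campaign; the manifest contents, the extension IDs, the paths and the task command line are all constructed samples, the "staging directory" and interpreter lists are assumptions to tune per environment, and the `--load-extension` check assumes the extension is side-loaded from disk, which the article does not state.

```python
"""Hunt for suspicious Native Messaging host manifests and headless-Edge scheduled tasks.
Added illustration, not Zscaler's tooling; every sample value below is constructed."""
import json
import re
from pathlib import PureWindowsPath

# Assumption: a legitimate native host is rarely launched from these locations.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
# Assumption: a native host that is a bare interpreter deserves a look.
INTERPRETER_NAMES = {"python.exe", "pythonw.exe", "python3.exe", "powershell.exe", "cmd.exe", "wscript.exe"}
# Chromium-family extension IDs are 32 characters drawn from a-p.
ORIGIN_RE = re.compile(r"chrome-extension://([a-p]{32})/")


def assess_manifest(manifest_text: str, trusted_extension_ids: frozenset) -> list[str]:
    """Return the reasons a Native Messaging manifest looks suspicious (empty list = nothing flagged)."""
    reasons = []
    try:
        m = json.loads(manifest_text)
    except json.JSONDecodeError:
        return ["manifest is not valid JSON"]
    lowered = str(m.get("path", "")).lower().replace("/", "\\")
    exe = PureWindowsPath(lowered).name
    if exe in INTERPRETER_NAMES:
        reasons.append(f"host is a script interpreter: {exe}")
    if any(hint in lowered for hint in USER_WRITABLE_HINTS):
        reasons.append("host binary lives in a user-writable staging directory")
    if m.get("type") != "stdio":
        reasons.append(f"unexpected transport type: {m.get('type')!r}")
    for origin in m.get("allowed_origins", []):
        match = ORIGIN_RE.fullmatch(origin)
        if not match:
            reasons.append(f"malformed allowed origin: {origin}")
        elif match.group(1) not in trusted_extension_ids:
            reasons.append(f"manifest grants a non-allowlisted extension: {match.group(1)}")
    return reasons


def assess_task_command(command: str) -> list[str]:
    """Flag a scheduled-task command line that drives Edge headless or side-loads an extension."""
    low = command.lower()
    reasons = []
    if "msedge" in low and "--headless" in low:
        reasons.append("Edge launched headless from a scheduled task")
    if "msedge" in low and "--load-extension" in low:  # assumption: extension side-loaded from disk
        reasons.append("Edge task side-loads an unpacked extension")
    return reasons


# Constructed samples: one plausible vendor bridge, one shaped like the behaviour described in the article.
TRUSTED_EXTENSIONS = frozenset({"abcdefghijklmnopabcdefghijklmnop"})
SAMPLE_MANIFESTS = {
    "benign": json.dumps({
        "name": "com.example.vendor_bridge",
        "description": "constructed benign sample",
        "path": "C:\\Program Files\\ExampleVendor\\bridge_host.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    }),
    "suspicious": json.dumps({
        "name": "com.example.monitoring_agent",
        "description": "constructed suspicious sample",
        "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\runtime\\pythonw.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"],
    }),
}
SAMPLE_TASK = ('"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
               '--headless --load-extension=C:\\Users\\alice\\AppData\\Local\\Temp\\agent')

if __name__ == "__main__":
    for label, text in SAMPLE_MANIFESTS.items():
        print(label, assess_manifest(text, TRUSTED_EXTENSIONS))
    print("task", assess_task_command(SAMPLE_TASK))
```

On a real host the manifests to feed into `assess_manifest` are found through the registry: Edge reads `HKCU\Software\Microsoft\Edge\NativeMessagingHosts\<name>` (and the HKLM equivalent), whose default value is the path to the JSON manifest, and the scheduled-task command lines come from `schtasks /query /xml` or the Task Scheduler event log. The allowlist of trusted extension IDs is the piece that makes the check useful; without it every legitimate native host looks the same as a malicious one.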
Zscaler believes this is the work of an Initial Access Broker (IAB), a malicious group whose sole job is to gain access to a victim’s infrastructure and then sell it – or share it with a partner group. This particular IAB, the researchers believe, is linked to a ransomware operation called Payout Kings.
“The Edgecution browser extension illustrates the evolving sophistication of early access brokers operating in the ransomware landscape,” warns Zscaler. “The reliance on a malicious browser extension to forward commands to a Python-based native host demonstrates a creative approach to avoid traditional endpoint detection.”
A complete list of indicators of compromise (IoC) can be found at this link.
Via Bleeping Computer
