    Malicious Edge extension abuses Native Messaging as bridge to malware

By admin, June 25, 2026

    A malicious Microsoft Edge extension dubbed ‘Edgecution’ has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor.

Access to the local system is obtained by leveraging the Chrome Native Messaging protocol, which allows browser extensions to interact with native desktop applications, for example a password manager communicating with its extension to fill in web forms.

Under this protocol the browser launches the native application as a separate process and communicates with it over the process's standard input/output streams.
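The following is an added example, not code from the original article or from Zscaler's report. It shows the wire format a forensic analyst sees when a native host's stdin/stdout is captured: per Chrome's public native messaging documentation (not stated on the page), every message is a 32-bit length in native byte order followed by that many bytes of UTF-8 JSON. The sample stream, its field names and the 1 MB sanity limit are constructed for this example; the decoder also handles a capture cut off mid-frame.

```python
import json
import struct

# Each native messaging frame is a 32-bit length in native byte order
# (little-endian on x86/x64) followed by that many bytes of UTF-8 JSON.
HEADER = struct.Struct("<I")
# Chrome rejects messages from the host larger than 1 MB; used here as a sanity limit.
MAX_FRAME = 1024 * 1024


def encode_message(obj) -> bytes:
    """Frame one JSON message the way the browser writes it to the host's stdin."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return HEADER.pack(len(body)) + body


def decode_messages(stream: bytes):
    """Split a captured stdin/stdout byte stream into JSON messages.

    Returns (messages, leftover): leftover holds a trailing partial frame, so the
    caller can append more captured bytes and call again.
    """
    messages = []
    offset = 0
    while offset + HEADER.size <= len(stream):
        (length,) = HEADER.unpack_from(stream, offset)
        if length > MAX_FRAME:
            raise ValueError(
                f"frame length {length} at offset {offset} exceeds the limit; "
                "probably not a native messaging stream"
            )
        start, end = offset + HEADER.size, offset + HEADER.size + length
        if end > len(stream):
            break  # incomplete frame: leave it in the leftover
        messages.append(json.loads(stream[start:end].decode("utf-8")))
        offset = end
    return messages, stream[offset:]


# Constructed sample: one complete job message followed by a reply truncated
# after 10 bytes, as a capture cut mid-frame would look. Field names are made up.
SAMPLE_STREAM = (
    encode_message({"type": "job", "id": 1, "action": "sysinfo"})
    + encode_message({"type": "result", "id": 1, "ok": True})[:10]
)

if __name__ == "__main__":
    msgs, rest = decode_messages(SAMPLE_STREAM)
    print(msgs, len(rest), "bytes pending")
```

Running the block decodes the complete job message and reports 10 pending bytes for the truncated reply; feeding the leftover plus the rest of a capture back into `decode_messages` completes the frame.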


    An Edgecution compromise begins with the attacker posing as IT support personnel on Microsoft Teams and directing employees to a fraudulent page under the pretense of installing a spam filter update.

    Researchers at cloud security company Zscaler believe that Edgecution is deployed by an initial access broker (IAB) connected to the Payouts Kings ransomware operation.

    In recent attacks using tactics previously associated with the IAB, the threat actor directed victims to a fake Microsoft “Outlook Updates Management Console” presenting download buttons for update packs or software verification.

    However, the buttons downloaded malicious components, copied scripts to the clipboard, or launched forms requesting Microsoft 365 and Outlook passwords.


[Figure: Fake Microsoft site. Source: Zscaler]

    “These buttons offer the threat actor three different options (via an AutoHotKey script, Windows batch script, and PowerShell script) to deploy the Edgecution malware,” explains Zscaler.

    “When the AutoHotKey script or clipboard content is executed, the commands will configure the environment, fix the encrypted ZIP file headers, extract relevant files, and create a scheduled task that executes Microsoft Edge.”

The malware components are delivered from the fake Microsoft update site in a ZIP archive with deliberately malformed headers, so that security products do not recognize it as a valid archive.

    According to the researchers, the ZIP file contains an embedded Python version 3.13.3 and two directories named extension and native, providing a hint about the technique used in the attack.

    The first malware component is the malicious Microsoft Edge extension disguised as an Edge Monitoring Agent. It connects to the attacker’s command-and-control (C2) endpoint, receives instructions for execution, and sends the results back to the operator.

    The Edgecution malware runs in a headless Edge browser, making it invisible to the user, and uses Chrome’s Native Messaging protocol to talk to a local application.

    The extension is limited to the browser’s sandbox, but the attacker overcomes this limitation through a second malware component, a Python-based backdoor that serves as the host-level executor. 

    This component receives commands that are relayed from the malicious extension, and can potentially request the following jobs:

    • Execute shell commands
    • Run PowerShell
    • Run arbitrary Python code
    • Write files on the host
    • Enumerate running processes
    • Gather system information

The role of the scripts is to give the extension a way to launch the Python backdoor. This is achieved by creating, in the native directory, a batch file that the extension can invoke.

    Additionally, they create the required Chrome native messaging manifest that describes how the browser can connect to the native app.

Zscaler’s technical analysis notes that both malware components have some unused commands that could be activated in future versions.

    The researchers warn that the method used by Edgecution “illustrates the evolving sophistication” of threat actors tied to ransomware operations, and allows them to establish persistence on compromised hosts.

    They recommend that organizations strengthen monitoring of browser extensions and enforce strict controls over native messaging host configurations to reduce the risk of compromise.

Zscaler’s report provides a list of indicators of compromise (IoCs), including the command-and-control servers used by Edgecution and hashes for the malicious extension and the Python backdoor.

