A malicious Microsoft Edge extension dubbed ‘Edgecution' has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor.
Access to the local system is obtained by abusing the Chrome Native Messaging protocol, which allows browser extensions to interact with native desktop applications (for example, a password manager communicating with its extension to fill in web forms).
The browser launches the native application as a separate process and communicates with it over its standard input/output streams.
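To make the mechanism concrete, the following is an added example (not code from the article or from Zscaler) that implements the Native Messaging framing a host reads on stdin (4-byte native-endian length prefix followed by UTF-8 JSON) and audits a host manifest for the settings that decide which extension may launch it; the manifest values and extension ID are constructed placeholders.

```python
import io
import json
import ntpath
import posixpath
import struct

MAX_HOST_TO_BROWSER = 1024 * 1024  # host -> browser messages are capped at 1 MB

def encode_message(obj):
    """Frame a message as the protocol expects: 4-byte native-endian length, then UTF-8 JSON."""
    payload = json.dumps(obj).encode("utf-8")
    if len(payload) > MAX_HOST_TO_BROWSER:
        raise ValueError("message exceeds the 1 MB host-to-browser limit")
    return struct.pack("=I", len(payload)) + payload

def decode_message(stream):
    """Read one framed message from a binary stream (sys.stdin.buffer in a real host); None on EOF."""
    header = stream.read(4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack("=I", header)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))

def roundtrip(obj):
    """Encode then decode a message through an in-memory pipe."""
    return decode_message(io.BytesIO(encode_message(obj)))

def audit_host_manifest(manifest):
    """Return findings for a native messaging host manifest.
    The allowed_origins list is the only gate between an extension and the
    native process, so a missing or malformed list is the first thing to check."""
    findings = []
    if manifest.get("type") != "stdio":
        findings.append("type must be 'stdio'")
    origins = manifest.get("allowed_origins") or []
    if not origins:
        findings.append("allowed_origins missing or empty: no extension is bound to this host")
    for origin in origins:
        if not (origin.startswith("chrome-extension://") and origin.endswith("/")):
            findings.append(f"malformed origin {origin!r}: expected chrome-extension://<id>/")
    path = manifest.get("path", "")
    if not (posixpath.isabs(path) or ntpath.isabs(path)):
        findings.append("path must be absolute")
    return findings

# Constructed sample manifests (placeholder names and extension ID, not real hosts).
WEAK_MANIFEST = {"name": "com.example.host", "path": "host.exe", "type": "stdio", "allowed_origins": []}
GOOD_MANIFEST = {"name": "com.example.host", "path": "C:\\Program Files\\Example\\host.exe",
                 "type": "stdio", "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]}
```

Enumerating the registered host manifests on a fleet and running `audit_host_manifest` over each gives an inventory of which extensions hold a path out of the browser sandbox.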
An Edgecution compromise begins with the attacker posing as IT support personnel on Microsoft Teams and directing employees to a fraudulent page under the pretense of installing a spam filter update.
Researchers at cloud security company Zscaler believe that Edgecution is deployed by an initial access broker (IAB) connected to the Payouts Kings ransomware operation.
In recent attacks using tactics previously associated with the IAB, the threat actor directed victims to a fake Microsoft “Outlook Updates Management Console” presenting download buttons for update packs or software verification.
However, the buttons downloaded malicious components, copied scripts to the clipboard, or launched forms requesting Microsoft 365 and Outlook passwords.
[Image: Fake Microsoft site. Source: Zscaler]
“These buttons offer the threat actor three different options (via an AutoHotKey script, Windows batch script, and PowerShell script) to deploy the Edgecution malware,” explains Zscaler.