Malicious Edge Extension Uses Chrome Native Messaging
A malicious Microsoft Edge extension has been observed using Chrome native messaging to execute code on victims' machines, a technique that lets attackers bypass browser security controls and compromise the host. The campaign, dubbed Edgecution, shows how browser extensions can be weaponised and highlights the growing sophistication of threats aimed at everyday tools.
How the Edgecution Campaign Unfolded
Social Engineering and Initial Access
Attackers contacted victims through Microsoft Teams messages, impersonating IT staff. The messages claimed a spam filter update was required, directing recipients to a spoofed Microsoft Outlook update website. This site was designed to appear legitimate, offering download buttons labelled as Outlook update packages.
- Victims were tricked into believing the update was genuine.
- The website provided three infection methods: AutoHotKey script, Windows batch script, and PowerShell script.
- Each method silently launched a Microsoft Edge browser in the background, loading the malicious extension without user awareness.
Extension Deployment and Backdoor Control
Once installed, the malicious Edge extension abused Chrome native messaging, a protocol intended to let browser extensions exchange messages with trusted local applications. The attackers instead used it to drive a Python-based backdoor, escaping the browser's sandbox and gaining full access to the victim's machine. Through this channel the backdoor supported:
- System data collection
- Browsing files and folders
- Running arbitrary commands
- Executing PowerShell scripts
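A native messaging host is only reachable because a manifest registered with the browser says which local program to spawn and which extension may talk to it, so auditing those registrations is the first defensive check after reading the description above. The script below is an added example written for this article, not code from the report, from Microsoft, or from the Edgecution campaign; it enumerates the registration locations Edge and Chrome use (the Windows registry keys and the Linux/macOS directories named in the code are the documented ones, the risk heuristics and the sample manifests in the usage are the author's assumptions) and flags hosts that are interpreters or scripts, that live in user-writable paths, or that lack a proper allowed_origins restriction.

```python
"""Audit Chromium native messaging host manifests for risky registrations.

Added example, not code from the article or from the Edgecution campaign.
A native messaging host is registered by a JSON manifest that names the host,
the local program the browser will spawn over stdin/stdout ("type": "stdio")
and the extension origins allowed to talk to it. On Windows the manifest path
is the default value of a registry key such as
HKCU\\Software\\Microsoft\\Edge\\NativeMessagingHosts\\<host name>; on Linux
and macOS manifests sit in per-browser NativeMessagingHosts directories. The
risk heuristics below are the author's assumptions, not a list from the article.
"""
import json
import os
import re
import sys

# Hosts that hand an extension a general-purpose interpreter rather than a
# purpose-built helper binary (assumed list; extend for your environment).
INTERPRETER = re.compile(
    r"(^|[\\/])(pythonw?(3(\.\d+)?)?(\.exe)?|powershell\.exe|pwsh(\.exe)?|cmd\.exe"
    r"|[wc]script\.exe|autohotkey\w*(\.exe)?|sh|bash)$|\.(py|bat|cmd|ps1|vbs|js|ahk)$",
    re.IGNORECASE,
)
# Locations a standard user can write to (assumed; tune per environment).
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|Temp)\\|^(/tmp|/home|/Users)/", re.IGNORECASE)
# A well-formed allowed_origins entry carries a 32-character [a-p] extension id.
ORIGIN = re.compile(r"^chrome-extension://[a-p]{32}/$")


def audit_manifest(text, manifest_path="<inline>"):
    """Parse one manifest and return a list of (severity, reason) findings."""
    try:
        m = json.loads(text)
    except ValueError as exc:
        return [("high", f"unparseable manifest: {exc}")]
    findings = []
    path = str(m.get("path", ""))
    origins = m.get("allowed_origins") or []
    if m.get("type") != "stdio":
        findings.append(("medium", "type is not 'stdio'"))
    if not path:
        findings.append(("high", "manifest names no host path"))
    elif INTERPRETER.search(path):
        findings.append(("high", f"host is an interpreter or script: {path}"))
    if USER_WRITABLE.search(path) or USER_WRITABLE.search(manifest_path):
        findings.append(("medium", "host or manifest sits in a user-writable location"))
    if not origins:
        findings.append(("medium", "no allowed_origins restriction"))
    for origin in origins:
        if not ORIGIN.match(str(origin)):
            findings.append(("medium", f"unexpected allowed_origins entry: {origin}"))
    return findings


def windows_manifest_paths():
    """Yield (registry key, manifest path) for Edge/Chrome host registrations."""
    import winreg  # Windows only
    subkeys = (r"Software\Microsoft\Edge\NativeMessagingHosts",
               r"Software\Google\Chrome\NativeMessagingHosts")
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        for sub in subkeys:
            try:
                root = winreg.OpenKey(hive, sub)
            except OSError:
                continue  # no hosts registered under this hive/browser
            with root:
                for i in range(winreg.QueryInfoKey(root)[0]):  # subkey count
                    name = winreg.EnumKey(root, i)
                    with winreg.OpenKey(root, name) as key:
                        yield f"{label}\\{sub}\\{name}", winreg.QueryValueEx(key, "")[0]


# Per-user and system-wide manifest directories on Linux and macOS (assumed set).
POSIX_DIRS = ("~/.config/microsoft-edge/NativeMessagingHosts",
              "~/.config/google-chrome/NativeMessagingHosts",
              "/etc/opt/edge/native-messaging-hosts", "/etc/opt/chrome/native-messaging-hosts",
              "~/Library/Application Support/Microsoft Edge/NativeMessagingHosts",
              "~/Library/Application Support/Google/Chrome/NativeMessagingHosts")


def local_manifest_paths():
    """Yield (source, manifest path) pairs for every host registered on this machine."""
    if sys.platform == "win32":
        yield from windows_manifest_paths()
        return
    for d in map(os.path.expanduser, POSIX_DIRS):
        if os.path.isdir(d):
            for f in sorted(os.listdir(d)):
                if f.endswith(".json"):
                    yield d, os.path.join(d, f)


if __name__ == "__main__":
    # A registration whose manifest is missing is itself worth a look.
    for source, path in local_manifest_paths():
        try:
            with open(path, encoding="utf-8") as fh:
                findings = audit_manifest(fh.read(), path)
        except OSError as exc:
            findings = [("high", f"manifest missing or unreadable: {exc}")]
        print(source)
        for severity, reason in findings or [("info", "no findings")]:
            print(f"  [{severity}] {reason}")
```

Run it as the user whose browser profile is in question, since per-user (HKCU) registrations need no administrative rights and are exactly what a script launched from a Teams lure could create. Beyond auditing, Edge and Chrome both expose the NativeMessagingBlocklist and NativeMessagingAllowlist policies, and NativeMessagingUserLevelHosts set to false restricts the browser to machine-level registrations, which closes the user-level route entirely.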
Why Chrome Native Messaging Abuse Matters
Breaking Browser Isolation
Browsers typically use sandboxing to restrict what extensions can do on a device. By leveraging Chrome native messaging, Edgecution circumvented these protections: the extension communicated directly with a Python script, which executed commands on the host system. This method is particularly dangerous because:
- It allows attackers to operate beyond the browser’s limits.
- Traditional endpoint security tools may not detect this behaviour.
- The attack can be launched with minimal user interaction, relying on deception and social engineering.
Implications for Organisations
The campaign is linked to initial access brokers associated with the Payouts King ransomware group. This connection suggests that Edgecution could be used as a precursor to ransomware deployment, data theft, or further compromise. The use of familiar platforms like Microsoft Teams and browser extensions increases the likelihood of successful attacks, especially among organisations using Microsoft 365 and related tools.
Protecting Against Malicious Browser Extensions
Key Security Measures for Organisations
To defend against threats like Edgecution, organisations must adopt a multi-layered approach to browser and endpoint security. Here are actionable steps:
- Restrict Browser Extension Installation: Use group policy or management tools to limit which extensions can be installed on corporate devices. Only allow extensions from trusted sources.
- Monitor Microsoft Teams Activity: Educate staff about social engineering tactics. Encourage verification of unexpected IT requests via official channels.
- Verify Update Sites: Always check URLs and site legitimacy before downloading updates. Use automated scanning tools to detect spoofed sites.
- Endpoint Protection: Ensure endpoint security software can detect unusual process launches and script executions, including those initiated by browsers.
- Regular User Training: Provide ongoing training on phishing, social engineering, and safe browsing practices.
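The chain described in this article (a script launches Edge in the background, Edge spawns a Python host over native messaging, the host runs PowerShell) leaves a distinctive parent/child lineage in process-creation telemetry, which is what the "Endpoint Protection" item above asks the tooling to catch. The detector below is an added example written for this article, not code from the report or from any EDR product; the event field names, the command-line switches it treats as indicators of a silently started browser, and the sample events are the author's constructed assumptions rather than data from the campaign.

```python
"""Flag the process lineage a native messaging backdoor produces.

Added example, not code from the article or from any vendor product. It runs
three rules over process-creation records in the shape of Sysmon Event ID 1
or EDR telemetry (pid, ppid, image, cmdline): a browser started by a script
interpreter, an interpreter started by a browser (a native messaging host that
is really a script), and a shell started under that interpreter. Indicator
switches and the sample events are the author's assumptions.
"""
import re

BROWSERS = {"msedge.exe", "chrome.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "python.exe", "pythonw.exe"}
# Switches that let a script start a browser unattended with an unpacked
# extension; assumed indicators, not quoted from the article.
SILENT_EXT = re.compile(r"--(load-extension|headless|disable-extensions-except)\b", re.I)


def image_name(image):
    """Reduce a full image path to its lower-cased file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) alerts for a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}

    def name(pid):
        e = by_pid.get(pid)
        return image_name(e["image"]) if e else ""

    def scripty(n):
        return n in SCRIPT_HOSTS or n.startswith("autohotkey")

    alerts = []
    for e in events:
        me, parent = image_name(e["image"]), name(e["ppid"])
        grand = name(by_pid[e["ppid"]]["ppid"]) if e["ppid"] in by_pid else ""
        # R1: a script interpreter launches the browser; silent switches raise severity.
        if me in BROWSERS and scripty(parent):
            sev = "high" if SILENT_EXT.search(e["cmdline"]) else "medium"
            alerts.append(("R1-browser-from-script", e["pid"], f"{parent} -> {me} ({sev})"))
        # R2: the browser launches an interpreter, i.e. the native messaging host is a script.
        if parent in BROWSERS and scripty(me):
            alerts.append(("R2-interpreter-from-browser", e["pid"], f"{parent} -> {me}"))
        # R3: a shell two hops below the browser: commands relayed through the host.
        if grand in BROWSERS and scripty(parent) and scripty(me):
            alerts.append(("R3-shell-under-host", e["pid"], f"{grand} -> {parent} -> {me}"))
    return alerts


# Constructed telemetry for demonstration; not events from the campaign.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File OutlookUpdate.ps1"},
    {"pid": 300, "ppid": 200, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe --headless --load-extension=C:\Users\alice\AppData\Local\Temp\ext"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "cmdline": "python.exe host.py chrome-extension://abcdefghijklmnopabcdefghijklmnop/"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File collect.ps1"},
    # Benign: a user-launched browser talking to a vendor's compiled helper host.
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Program Files\Vendor\helper.exe", "cmdline": "helper.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}: {detail}")
```

R2 on its own is the most portable signal: a legitimate native messaging host is almost always a compiled helper shipped by the vendor, so a browser whose direct child is python.exe, powershell.exe or an AutoHotkey binary deserves a look even when the browser itself was started normally.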
Best Practices for Microsoft 365 Environments
Many UK SMBs rely on Microsoft 365, making them potential targets for campaigns like Edgecution. To strengthen defences:
- Enable advanced threat protection in Microsoft 365.
- Monitor and restrict access to Microsoft Teams and Outlook.
- Implement conditional access policies for sensitive operations.
- Audit extension installations regularly.
Staying Ahead of Browser-Based Threats
Understanding the Evolving Risk Landscape
Browser extensions are increasingly targeted by cybercriminals due to their widespread use and access to sensitive data. The Edgecution campaign illustrates how attackers can combine social engineering and technical exploitation to bypass traditional security measures. Organisations must recognise the risk posed by seemingly innocuous extensions and act proactively.
- Review browser extension policies frequently.
- Encourage reporting of suspicious IT communications.
- Keep software and browsers updated to patch vulnerabilities.
Conclusion
The abuse of Chrome native messaging by a malicious Edge extension demonstrates a new level of sophistication in browser-based attacks. By understanding the methods used and implementing robust controls, organisations can reduce their exposure and respond effectively to emerging threats.
Originally reported by cybersecuritynews.com.