A malicious Microsoft Edge extension dubbed 'Edgecution' has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor. The extension abuses the Chrome Native Messaging protocol to reach a native host application on the endpoint, effectively bridging from the browser into a native process.

What Happened

The Edgecution malware is linked to Payouts King ransomware attacks and was deployed through a fake Microsoft "Outlook Updates Management Console" presented as an IT support update. The attackers posed as corporate IT personnel on Microsoft Teams, directing employees to the fraudulent page under the pretense of installing a spam filter update.

Once installed, the Edgecution extension communicates with a command-and-control (C2) server over WebSockets and receives instructions for execution. It then relays privileged commands to a Python 3.13.3 distribution acting as the native backdoor, which can execute arbitrary code, write files, launch processes, and gather system information.

Background and Context

Native Messaging is a legitimate feature in Chrome and Edge that allows extensions to interact with locally installed native host applications. However, when abused by malicious actors, it can provide a bridge from the browser into a native process on the endpoint, effectively operating like regular malware.

Browser-based attacks have become increasingly sophisticated, and this technique illustrates the evolving tactics of threat actors tied to ransomware operations. The researchers at Zscaler warn that organizations should strengthen monitoring of browser extensions and enforce strict controls over native messaging host configurations to reduce the risk of compromise.

Why it Matters to the Industry

The Edgecution malware highlights the importance of robust security measures in the adult industry, where sensitive data is often handled. The use of malicious browser extensions and native messaging abuse can provide a backdoor into systems, allowing attackers to steal data or disrupt operations.

Adult-industry platforms and operators must be vigilant in monitoring their systems for suspicious activity and in enforcing strict controls over extension installations and native messaging configurations. This includes regular security audits, employee education on phishing and social engineering tactics, and the use of reputable on-demand scans, or policy enforcement, to detect and prevent unauthorized extensions.

What Comes Next

Zscaler's report provides a list of indicators of compromise (IoCs) that include command-and-control servers used by Edgecution and hashes for the malicious extension and the Python backdoor. Organizations are advised to review their systems for any signs of compromise and take immediate action to remediate the issue.

The researchers also recommend that organizations implement robust security measures, including extension allowlisting, blocking developer mode extension loading, and enforcing strict controls over native messaging host configurations. By taking proactive steps to secure their systems, adult-industry platforms and operators can reduce the risk of compromise and protect sensitive data.
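One way to act on the native messaging recommendation above is to audit every host manifest the browser will honour; the script below is an added example, not Zscaler's tooling or the article's code. On Windows, Edge locates manifests through the registry keys `HKCU`/`HKLM\Software\Microsoft\Edge\NativeMessagingHosts\<name>` (Chrome uses the equivalent `Google\Chrome` keys), whose default value is the manifest path; the approved extension ID, the two sample manifests and the interpreter and location heuristics are constructed assumptions, not rules from the report.

```python
import json
import re

# Constructed allowlist of extension IDs the organisation approved (hypothetical value).
APPROVED_EXTENSIONS = {"a" * 32}
# A host binary that is an interpreter (like the Python distribution Edgecution drives)
# turns the native host into an arbitrary-code runner.
INTERPRETERS = re.compile(
    r"(?:^|[\\/])(python\w*|pwsh|powershell|cmd|wscript|cscript|node)(?:\.exe)?$", re.I)
# Admin-installed hosts do not normally live in user-writable directories.
USER_WRITABLE = re.compile(r"[\\/](AppData|Temp|Tmp|Downloads)[\\/]", re.I)
# allowed_origins entries take the form chrome-extension://<32-char id>/
ORIGIN = re.compile(r"chrome-extension://([a-p]{32})/")


def audit_manifest(raw: str) -> list[str]:
    """Return findings for one manifest; an empty list means nothing was flagged."""
    try:
        m = json.loads(raw)
    except json.JSONDecodeError:
        return ["manifest is not valid JSON"]
    findings = []
    path = str(m.get("path", ""))
    if m.get("type") != "stdio":
        findings.append(f"unexpected type {m.get('type')!r}")
    if INTERPRETERS.search(path):
        findings.append(f"host binary is a script interpreter: {path}")
    if USER_WRITABLE.search(path):
        findings.append(f"host lives in a user-writable location: {path}")
    origins = m.get("allowed_origins") or []
    if not origins:
        findings.append("no allowed_origins declared")
    for origin in origins:
        hit = ORIGIN.fullmatch(str(origin))
        if not hit:
            findings.append(f"malformed origin {origin!r}")
        elif hit.group(1) not in APPROVED_EXTENSIONS:
            findings.append(f"origin grants an unapproved extension: {hit.group(1)}")
    return findings


# Constructed sample manifests: an approved vendor host and one matching the Edgecution pattern.
SAFE_MANIFEST = json.dumps({
    "name": "com.example.approved_host", "path": "C:\\Program Files\\Example\\host.exe",
    "type": "stdio", "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"]})
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "com.vendor.updates", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\py\\python.exe",
    "type": "stdio", "allowed_origins": ["chrome-extension://" + "b" * 32 + "/"]})
```

Run `audit_manifest` over the manifest file each registry entry points to; any host flagged for an interpreter path, a user-writable location or an unapproved origin is a candidate for removal or for the NativeMessagingBlocklist policy.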

Key Facts

  • The Edgecution malware is linked to Payouts King ransomware attacks.
  • The extension abuses Chrome Native Messaging protocol to reach a native host application on the endpoint.
  • The attackers posed as corporate IT personnel on Microsoft Teams to deploy the malware.
  • The Edgecution extension communicates with a C2 server over WebSockets and receives instructions for execution.
  • The Python backdoor can execute arbitrary code, write files, launch processes, and gather system information.