A malicious Microsoft Edge extension dubbed 'Edgecution' has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor.
Access to the local system is obtained through the Chrome Native Messaging protocol, which lets a browser extension talk to a native desktop application, such as a password manager that fills in web forms on the extension's behalf.
With Native Messaging, the browser launches the native application as a separate process and communicates with it over the process's standard input and output streams.
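To make the channel concrete, here is an added example (written for this article, not code from the page, from Microsoft or Google, or from the Edgecution malware) that implements the Native Messaging wire format and a check of the host manifest that tells the browser which extension IDs may launch a given host. The host name, extension ID and messages are constructed for the demo; the manifest is registered differently per OS and browser (registry keys on Windows, JSON files on macOS/Linux), and that registration step is not shown.

```python
# Added example: Chrome/Edge Native Messaging framing and host-manifest checks.
# Illustrative code for this article, not from the page, from the browser
# vendors, or from the Edgecution malware. Host name, extension ID and
# messages below are constructed for the demo.
import io
import json
import re
import struct

# The browser rejects host -> browser messages larger than 1 MB; the same
# value is reused here as a sanity cap when parsing in either direction.
MAX_MESSAGE = 1024 * 1024


def encode_message(obj) -> bytes:
    """Frame one message: 32-bit length in native byte order, then UTF-8 JSON."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_MESSAGE:
        raise ValueError("message exceeds 1 MB limit")
    return struct.pack("=I", len(body)) + body


def decode_message(stream):
    """Read one framed message from a binary stream. Returns None at clean EOF
    and raises on a truncated or oversized frame instead of mis-parsing."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) != 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    if length > MAX_MESSAGE:
        raise ValueError(f"frame of {length} bytes exceeds limit")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))


# Host names: lowercase alphanumerics, underscores and dots, with no leading,
# trailing or doubled dots. Extension IDs: 32 characters from the range a-p.
HOST_NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")
ORIGIN_RE = re.compile(r"^chrome-extension://[a-p]{32}/$")


def check_host_manifest(manifest: dict) -> list:
    """Return a list of problems with a native messaging host manifest.
    An empty list means the manifest is well-formed."""
    problems = []
    for key in ("name", "description", "path", "type", "allowed_origins"):
        if key not in manifest:
            problems.append(f"missing field: {key}")
    if "name" in manifest and not HOST_NAME_RE.match(manifest["name"]):
        problems.append(f"invalid host name: {manifest['name']!r}")
    if manifest.get("type") != "stdio":
        problems.append("type must be 'stdio'")
    origins = manifest.get("allowed_origins", [])
    if not origins:
        problems.append("allowed_origins is empty; no extension could reach this host")
    for origin in origins:
        if not ORIGIN_RE.match(origin):
            problems.append(f"malformed origin: {origin!r}")
    return problems


def host_handle(request: dict) -> dict:
    """Toy host logic: a single allow-listed 'echo' command; anything else is
    refused. The host is the trust boundary, so it validates every request."""
    if request.get("cmd") == "echo":
        return {"ok": True, "echo": request.get("data")}
    return {"ok": False, "error": "unsupported command"}


def simulate_exchange(request: dict) -> dict:
    """One request/response round trip through in-memory stdin/stdout pipes,
    framed exactly as the browser and host would exchange them over real stdio."""
    host_stdin = io.BytesIO(encode_message(request))   # browser -> host
    host_stdout = io.BytesIO()                          # host -> browser
    incoming = decode_message(host_stdin)
    host_stdout.write(encode_message(host_handle(incoming)))
    host_stdout.seek(0)
    return decode_message(host_stdout)


if __name__ == "__main__":
    # Constructed manifest for a hypothetical host; the extension ID is fake.
    manifest = {
        "name": "com.example.formfiller",
        "description": "Example host",
        "path": "C:\\Program Files\\Example\\host.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    }
    print("manifest problems:", check_host_manifest(manifest))
    print(simulate_exchange({"cmd": "echo", "data": "hello"}))
    print(simulate_exchange({"cmd": "exec", "data": "whoami"}))
```

The security-relevant point is that `allowed_origins` is the only thing tying a host to a particular extension: the browser will start any registered host whose manifest lists the calling extension's ID, so an attacker who can already write a manifest and a host program to disk at user level (as a social-engineered "update" installer can) has a ready-made code-execution channel out of the extension, and the host, not the browser, is what must refuse dangerous commands.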
An Edgecution compromise begins with the attacker posing as IT support personnel on Microsoft Teams and directing employees to a fraudulent page under the pretense of installing a spam filter update.
Researchers at cloud security company Zscaler believe that Edgecution is deployed by an initial access broker (IAB) connected to the Payouts Kings ransomware operation.