Edgecution

All of the C2 servers observed by ThreatLabz have leveraged subdomains of cloudfront.net and hosted on Amazon Web Services (AWS).

These attacks typically start via social engineering through Microsoft Teams messages that impersonate a company’s IT staff.

the commands will configure the environment, fix the encrypted ZIP file headers, extract relevant files, and create a scheduled task that executes Microsoft Edge.

1073Python BackdoorShell execute.

OS Version Verification Copies a PowerShell script to the clipboard that is used to set up and deploy the Edgecution malware.

Outlook Version Verification Copies a Windows batch script to the clipboard that is used to set up and deploy the Edgecution malware.

the native directory contains a single obfuscated Python script... the Python backdoor can directly access the victim’s filesystem, execute arbitrary commands, create processes, etc.

the Edgecution browser extension uses the Chrome native messaging protocol to invoke a Python backdoor that can directly access the victim’s filesystem, execute arbitrary commands, create processes, etc.

When the AutoHotKey script or clipboard content is executed, the commands will configure the environment, fix the encrypted ZIP file headers, extract relevant files, and create a scheduled task that executes Microsoft Edge.

Updates Pack 5029 DownloadDownloads an obfuscated AutoHotKey script... Updates Pack 5029-2 DownloadDownloads a legitimate AutoHotKey executable... When the AutoHotKey script or clipboard content is executed...

the commands will configure the environment, fix the encrypted ZIP file headers, extract relevant files, and create a scheduled task that executes Microsoft Edge.

the set up scripts set a value named AppKey in the Windows registry under HKCU\SOFTWARE\Microsoft\Edge with a hex string that is used to decrypt the strings in the Python backdoor.

The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol... We have dubbed this web browser-based malware Edgecution.

the commands will configure the environment, fix the encrypted ZIP file headers, extract relevant files, and create a scheduled task that executes Microsoft Edge.

Downloads an obfuscated AutoHotKey script... Downloads an encrypted ZIP file (with the PK magic bytes removed)... used to decrypt the strings in the Python backdoor.

The unsuspecting victim is informed they they need a spam filter update and shown a fake Microsoft website... The Edgecution browser extension disguises itself as an Edge Monitoring Agent.

This will cause Microsoft Edge to load the extension in a hidden browser window without any user prompts or warnings.

the set up scripts set a value named AppKey in the Windows registry under HKCU\SOFTWARE\Microsoft\Edge with a hex string that is used to decrypt the strings in the Python backdoor.

Updates RegistrationDisplays a form that requests the victim’s Microsoft365 / Outlook password.

110 6 Python Backdoor Retrieve a list of running processes.

1061Python BackdoorCollect and send system information.

the Python backdoor can directly access the victim’s filesystem... 108 4 Python Backdoor Write data to a specific filename / path.

Updates RegistrationDisplays a form that requests the victim’s Microsoft365 / Outlook password.

The Edgecution browser extension communicates with the C2 server over websockets.

1084Python BackdoorWrite data to a specific filename / path.