StegoAd Campaign Hid Malicious Code in Images and Fonts on Edge Store

Microsoft linked StegoAd to the DarkSpectre operation, noting overlapping techniques and shared infrastructure with the GhostPoster extension campaigns previously identified.

CSBadmin

Steganography at Scale

Microsoft has dismantled a long-running malicious extension operation on the Edge Add-ons store, known as StegoAd, which affected up to 2.6 million users. The 119 extensions, including ad blockers, VPNs, and translators, appeared legitimate and earned positive reviews. The malicious code remained dormant until it passed multiple evasion checks, including a multi-day delay and server-side validation, before activating to steal credentials and conduct ad fraud.

Hidden Payloads and Evasion Techniques

The operation used steganography to hide executable code inside image and font files. Early variants appended JavaScript after the IEND marker of PNG icons; later variants moved to WebP images and WOFF2 font files. Some extensions fetched a normal-looking image from a command-and-control server and decoded it through layers of case swaps, Base64, and XOR operations. The C2 server served the real payload only to requests that passed specific fingerprint checks, returning empty decoy responses to researchers.
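As an added illustration of the detection side (example code written for this page, not code from Microsoft's report or the article), a file-level check for the appended-data trick described above: it walks a PNG's chunk list to the IEND chunk and, going beyond the PNG case in the text, reads the declared size from WebP (RIFF) and WOFF2 headers, reporting any bytes that follow the declared end. The sample files are constructed inline and are not artefacts from the campaign.

```python
"""Flag data appended after the declared end of PNG, WebP and WOFF2 files.
Sample inputs are constructed here; they are not artefacts from StegoAd."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_declared_end(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")

def webp_declared_end(data: bytes) -> int:
    """The RIFF header stores the size of everything after its first 8 bytes."""
    if data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP")
    return 8 + struct.unpack("<I", data[4:8])[0]

def woff2_declared_end(data: bytes) -> int:
    """The WOFF2 header 'length' field (offset 8) is the total file size."""
    if data[:4] != b"wOF2":
        raise ValueError("not a WOFF2")
    return struct.unpack(">I", data[8:12])[0]

# Dispatch on the 4-byte magic so a truncated file reports its real error.
SNIFFERS = {b"\x89PNG": png_declared_end, b"RIFF": webp_declared_end,
            b"wOF2": woff2_declared_end}

def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the declared end of the file (b'' if clean)."""
    try:
        end = SNIFFERS[data[:4]](data)
    except KeyError:
        raise ValueError("unsupported format") from None
    return data[end:]

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png(trailer: bytes = b"") -> bytes:
    """Minimal, non-renderable PNG (IHDR + IEND) with optional appended bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IEND", b"") + trailer
```

A non-empty result is a review trigger, not proof of malice on its own: some tooling legitimately leaves metadata after the declared end, so compare against the same asset in earlier versions of the extension.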

The Real Damage

Beyond ad fraud through injected ads and hijacked affiliate commissions on platforms like Amazon and eBay, the payloads contained a remote code execution backdoor that ran arbitrary JavaScript. The extensions also stole Google credentials and second-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies for session hijacking. Microsoft identified more than ten C2 domains with automatic failover, with traffic proxied through Cloudflare Workers and GitHub Pages. The full list of extension IDs is available in Microsoft's technical report; users should check their installed extensions against it, change passwords, and enable hardware-backed two-factor authentication.

Source: The Hacker News
