119 Edge Extensions Hidden Stego Malware Reaches 2.6 Million Installs

Microsoft discovered 119 malicious Edge extensions using steganography and selective activation to steal credentials and session cookies from 2.6 million users.

CSBadmin

StegoAd Campaign Uncovered

Microsoft researchers have uncovered a sophisticated adware campaign, dubbed StegoAd, built on 119 malicious Edge browser extensions. The extensions posed as useful tools such as ad blockers, VPNs, translators and video downloaders, and at first delivered the advertised functionality. They then behaved as sleeper agents, quietly downloading additional malware after a delay. The campaign reached an estimated 2.6 million users before Microsoft removed the offending extensions from the Edge add-on store.

Stealth Techniques and Payloads

The attackers relied on two hiding tactics: steganography, which concealed the malicious code inside image files, and selective activation. Only about 10% of installations went on to execute the next-stage malware; the rest were left untouched, keeping the malicious behaviour out of sight of most users and analysts. The payloads that were delivered were serious: ad-fraud code; arbitrary JavaScript injection that harvested Google credentials and two-factor codes as well as WordPress admin logins; and session hijacking through bulk cookie exfiltration. Some extensions also reused the names of legitimate extensions to build trust. Nothing in these techniques is specific to Edge; they apply to any Chromium-based browser, which shares the same extension model.
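The image-based concealment described above, as an added illustration for this article (not code from the campaign or from Microsoft): the article says only that code was hidden in images, so 1-bit least-significant-bit embedding, the textbook method, is assumed here. COVER is constructed random RGB channel data standing in for a decoded image and PAYLOAD is a harmless placeholder string; in the real chain that slot would hold the next-stage script, and a decoder equivalent to extract_lsb would run inside the extension.

```python
"""LSB steganography: hide a payload in the least significant bit of each
colour channel byte and recover it again.

Added illustration, not the campaign's or Microsoft's code. The embedding
scheme (1-bit LSB with a length prefix) is an assumption; COVER is constructed
random channel data, PAYLOAD a harmless placeholder."""
import random

_rng = random.Random(7)
COVER = bytes(_rng.randrange(256) for _ in range(64 * 64 * 3))  # constructed 64x64 RGB cover
PAYLOAD = b"console.log('stage two would be fetched and run here');"  # placeholder only


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length prefix plus the payload, one bit per
    channel byte. Each channel changes by at most 1, invisible to a viewer and
    preserved by lossless formats such as PNG."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def _read_bytes(stego: bytes, first_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the low bits starting at channel `first_bit`."""
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[first_bit + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload: the prefix says how many bytes follow. A prefix that
    does not fit the image is the tell that this is not LSB data (or a different scheme)."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix inconsistent with image size")
    return _read_bytes(stego, 32, length)


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


def stego_demo() -> dict:
    """Embed PAYLOAD into COVER, recover it, and measure how little the cover moved."""
    stego = embed_lsb(COVER, PAYLOAD)
    return {
        "recovered": extract_lsb(stego) == PAYLOAD,
        "max_delta": max_channel_delta(COVER, stego),
        "size_unchanged": len(stego) == len(COVER),
    }


if __name__ == "__main__":
    print(stego_demo())
```

Two things are worth noticing. Every channel byte moves by at most one, so the carrier is visually identical to the original and passes as an ordinary image asset, and the payload is only recoverable once the scheme is known. An analyst who has pulled the extension's decoder routine out of its JavaScript can run the same logic against the images it fetched to recover the hidden script.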

User Safety and Response

Microsoft has published the full list of the 119 malicious extensions with their IDs and names. Users should check their browsers for any of them and remove them immediately; match on the extension ID rather than the name, since the campaign reused legitimate names (edge://extensions lists installed extensions, and Developer mode shows each one's ID). Enterprise administrators can additionally block the IDs through the browser's ExtensionInstallBlocklist policy. Going forward, install extensions only from trusted developers, do not rely on reviews alone, and use up-to-date, real-time security software that can detect and block malicious extensions and their command-and-control servers.
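One way to perform the check recommended above, as an added example for this article (not Microsoft's or Malwarebytes' code): inventory the extensions on disk in each Edge profile and compare their IDs against a blocklist. Assumptions are marked in the code: the standard Edge User Data locations, an empty BLOCKLIST placeholder to be filled from Microsoft's published list (none of the real IDs are reproduced here), and a constructed sample profile that run_demo builds so the script can be exercised offline.

```python
"""Inventory the extensions installed in a Chromium-based browser profile
(Microsoft Edge by default) and flag any whose ID is on a blocklist.

Added example for this article, not Microsoft's or Malwarebytes' code.
Assumed: the standard per-platform Edge "User Data" locations; BLOCKLIST is
an empty placeholder to be filled from Microsoft's published list (none of
the real IDs are reproduced here); run_demo() scans a constructed sample
profile so the script can be exercised offline."""
import json
import os
import sys
import tempfile
from pathlib import Path

EDGE_USER_DATA = {  # default install locations, assumed
    "win32": Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft" / "Edge" / "User Data",
    "darwin": Path.home() / "Library" / "Application Support" / "Microsoft Edge",
    "linux": Path.home() / ".config" / "microsoft-edge",
}
BLOCKLIST: set[str] = set()            # placeholder: paste the published IDs here
ID_ALPHABET = set("abcdefghijklmnop")  # Chromium extension IDs: 32 chars from a-p
SAMPLE_GOOD_ID = "abcdefghijklmnopabcdefghijklmnop"  # constructed, not a real extension
SAMPLE_BAD_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"   # constructed, not a real extension


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Names are often the localised placeholder __MSG_<key>__; resolve the key
    through _locales/<default_locale>/messages.json (keys are case-insensitive)."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2].lower()
    locale = manifest.get("default_locale", "en")
    try:
        path = version_dir / "_locales" / locale / "messages.json"
        msgs = json.loads(path.read_text(encoding="utf-8-sig"))
        return {k.lower(): v for k, v in msgs.items()}[key]["message"]
    except (OSError, ValueError, KeyError, TypeError):
        return name  # keep the raw placeholder rather than guess


def list_extensions(user_data: Path) -> list[dict]:
    """Walk <User Data>/<profile>/Extensions/<id>/<version>/manifest.json."""
    found = []
    if not user_data.is_dir():
        return found
    for profile in sorted(p for p in user_data.iterdir() if p.is_dir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in sorted(ext_root.iterdir()):
            ext_id = ext_dir.name
            if len(ext_id) != 32 or not set(ext_id) <= ID_ALPHABET:
                continue  # e.g. the Temp directory, not an extension
            for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
                manifest_path = version_dir / "manifest.json"
                try:
                    manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
                except (OSError, ValueError):
                    continue
                found.append({"profile": profile.name, "id": ext_id,
                              "version": version_dir.name,
                              "name": resolve_name(version_dir, manifest)})
    return found


def flag_blocklisted(extensions: list[dict], blocklist: set[str]) -> list[dict]:
    """Match on ID only: the campaign reused legitimate extension names."""
    return [e for e in extensions if e["id"] in blocklist]


def build_sample_profile(root: Path) -> None:
    """Constructed sample profile (not real data): one localised-name extension,
    one plain-name extension and a stray non-extension directory."""
    good = root / "Default" / "Extensions" / SAMPLE_GOOD_ID / "1.2.0_0"
    (good / "_locales" / "en").mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "default_locale": "en", "version": "1.2.0"}))
    (good / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"appName": {"message": "Honest Translator"}}))
    bad = root / "Default" / "Extensions" / SAMPLE_BAD_ID / "3.0.1_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"name": "Ad Blocker Pro", "version": "3.0.1"}))
    (root / "Default" / "Extensions" / "Temp").mkdir()


def run_demo() -> tuple[list[dict], list[dict]]:
    """Build the sample profile in a temp dir, inventory it, flag SAMPLE_BAD_ID."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(Path(tmp))
        inventory = list_extensions(Path(tmp))
    return inventory, flag_blocklisted(inventory, {SAMPLE_BAD_ID})


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else EDGE_USER_DATA.get(sys.platform)
    inventory = list_extensions(target) if target else []
    for ext in inventory:
        print(f"{ext['profile']:10} {ext['id']} {ext['version']:12} {ext['name']}")
    hits = flag_blocklisted(inventory, BLOCKLIST)
    print(f"\n{len(inventory)} extensions found, {len(hits)} on the blocklist")
```

Run it with no arguments to scan the default Edge User Data directory on the current platform, or pass a User Data path explicitly. It matches on ID only and resolves localised __MSG_ names from the extension's _locales directory, which is the name the browser UI shows. The same directory layout holds for Chrome and other Chromium browsers; only the EDGE_USER_DATA paths differ.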

Source: Malwarebytes
