Microsoft takes down over 100 malicious Edge extensions hiding malware in images and fonts

News
By published

119 Edge extensions removed under StegoAd campaign

A smartphone showing an App Store page for the Microsoft Edge web browser.
(Image credit: Zulfugar Karimov on Unsplash)
  • 119 malicious Edge extensions flew under the radar
  • They installed harmful code days after extension installation
  • It's proof that static code review is no longer sufficient

Microsoft says it has taken down 119 malicious extensions from the Edge Add-ons store after "proactive threat hunting" revealed a campaign that's been dubbed StegoAd.

As part of the program, the company also had to suspend more than 90 developer accounts associated with the dodgy activity.

Believed to have been active since at least 2021, it's believed that the malicious browser extensions had been downloaded a total of 2.6 million times.

Latest Videos From

Microsoft removes 119 'StegoAd' malicious extensions

The campaign was so broad that the extensions didn't just occupy one category: ad blockers, VPNs, video downloaders, translators and utility tools like PDF exporters were all ploys for the malicious extensions.

This particular campaign got its name from the type of tactic used – steganography is the name given to hiding malicious code inside seemingly harmless files. PNG images, SVG graphics and font files had hidden JavaScript embedded inside to bypass traditional antivirus tools and web filtering.

Once installed, Microsoft says they remained dormant for three to five days to avoid detection before going on to steal browser credentials, redirect users to malicious websites, manipulate affiliate links for financial gain, download additional malicious code and even communicate with C2 servers for updated instructions.

"The StegoAd campaign demonstrates that browser extensions remain a potent and evolving attack surface," Microsoft wrote, admitting that even its own safeguards had missed these dodgy extensions.

The report also concludes that static code review alone is no longer sufficient, because extensions and other installations can download malicious code long after they were first installed.

For developers themselves, Microsoft recommends being as clear as possible by not obscuring code, requesting only the necessary permissions to build trust, and report any suspected impersonation.

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Craig Hale
Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.