400. Another Threat Actor Started to Use Malicious Browser Extensions
Hello everyone! Today we'll look at a less common persistence technique used on compromised systems: Browser Extensions (T1176.001). According to this report, the attackers used Microsoft Teams while impersonating IT staff to convince victims to visit a phishing website. These phishing sites delivered malicious scripts written in AutoHotKey, Batch, or PowerShell. The script extracted all components of the malware, including a Python backdoor and a browser extension. It also created a scheduled task that launched Microsoft Edge with the following command-line arguments:

--user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\User Data\Recovery" --load-extension="%EXTENSION_DIR%" --no-first-run --disable-sync --headless=new

As you can see, the attackers specified an alternative user data directory (--user-data-dir) and loaded a malicious browser extension (--load-extension). These command-line arguments can be used to hunt for suspicious activity:

event_type: "proce...
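The hunt described above, written out as an added example (not code from the original post or the report): a small Python check that parses Chromium switches from process-creation events and flags browser launches that sideload an extension, raising severity when --user-data-dir or --headless appear alongside it. The event fields (image, parent, cmdline) and the sample events are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Chromium switches named in the post. --load-extension sideloads an unpacked
# extension, --user-data-dir moves the profile out of its default location and
# --headless hides the window. Assumption: any Chromium-based browser image is
# in scope, not only the msedge.exe seen in the report.
BROWSER_IMAGES = ("msedge.exe", "chrome.exe")
SWITCH_RE = re.compile(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?')

def parse_switches(cmdline: str) -> Dict[str, str]:
    """Map every --switch[=value] on a Chromium command line to its value ('' if none)."""
    return {name: value.strip('"') for name, value in SWITCH_RE.findall(cmdline)}

def assess(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a browser launch that sideloads an extension, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in BROWSER_IMAGES:
        return None
    sw = parse_switches(event["cmdline"])
    if "load-extension" not in sw:
        return None  # sideloading is the anchor of this technique
    # A non-default profile directory plus a hidden window alongside the
    # sideloaded extension matches the scheduled-task launch from the post.
    companions = [s for s in ("user-data-dir", "headless") if s in sw]
    return {
        "image": image,
        "parent": event.get("parent", ""),
        "extension_dir": sw["load-extension"],
        "user_data_dir": sw.get("user-data-dir"),
        "severity": "high" if companions else "medium",
        "switches": ["load-extension", *companions],
    }

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run assess() over process-creation events and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f is not None]

# Constructed sample events (not taken from the report): a normal Edge start
# and a launch matching the command line described in the post.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"event_type": "process", "parent": r"C:\Windows\explorer.exe", "image": EDGE,
     "cmdline": f'"{EDGE}" --profile-directory=Default'},
    {"event_type": "process", "parent": r"C:\Windows\System32\svchost.exe", "image": EDGE,
     "cmdline": f'"{EDGE}" --user-data-dir="C:\\Users\\u\\AppData\\Local\\Microsoft\\Edge\\User Data\\Recovery" '
                '--load-extension="C:\\Users\\u\\AppData\\Roaming\\ext" --no-first-run --disable-sync --headless=new'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```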