400. Another Threat Actor Started to Use Malicious Browser Extensions

Hello everyone!

Today we'll look at a less common persistence technique used on compromised systems: Browser Extensions (T1176.001).

According to this report, the attackers used Microsoft Teams while impersonating IT staff to convince victims to visit a phishing website. These phishing sites delivered malicious scripts written in AutoHotkey, Batch, or PowerShell.

The script extracted all components of the malware, including a Python backdoor and a browser extension. It also created a scheduled task that launched Microsoft Edge with the following command-line arguments:

--user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\User Data\Recovery" --load-extension="%EXTENSION_DIR%" --no-first-run --disable-sync --headless=new

As you can see, the attackers specified an alternative user data directory (--user-data-dir) and loaded the malicious extension as an unpacked extension straight from disk (--load-extension). Both switches also appear in legitimate developer and browser-automation usage, so treat the following query as a hunting lead to triage rather than a high-fidelity alert:

event_type: "processcreatewin"
AND
proc_file_path: "msedge.exe"
AND
cmdline: ("user-data-dir" AND "load-extension")
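The query above, as an added Python example that is not part of the original post, run over a few constructed process-creation events. It goes slightly beyond the post: since --user-data-dir and --load-extension are Chromium switches, the match function also accepts other Chromium-based browsers (pass binaries={"msedge.exe"} for the Edge-only version), and a triage step ranks hits using the other details the post gives: headless mode, an extension loaded from a user-writable directory, a non-default profile directory, and a scheduled task as the launcher, which shows up as an svchost.exe parent. The field names event_type, proc_file_path and cmdline follow the query; parent_file_path, the path markers and all sample events are assumptions.

```python
"""Hunt for Chromium browsers started with --user-data-dir and --load-extension.

Added example, not code from the original post. Field names follow the
query in the post (event_type, proc_file_path, cmdline); parent_file_path
is an extra field assumed to exist in your telemetry. All events below are
constructed samples, not real telemetry.
"""
import re
from typing import Dict, List, Optional, Tuple

# --load-extension and --user-data-dir are Chromium switches, so the same
# hunt applies to other Chromium-based browsers, not only msedge.exe.
CHROMIUM_BINARIES = {"msedge.exe", "chrome.exe", "brave.exe", "chromium.exe"}

# Matches --name, --name=value and --name="value with spaces".
FLAG_RE = re.compile(r'--([a-z0-9-]+)(?:=(?:"([^"]*)"|([^\s"]+)))?', re.IGNORECASE)

# Path fragments a standard user can write to; an unpacked extension loaded
# from one of these is worth a closer look (heuristic, not proof).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_flags(cmdline: str) -> Dict[str, Optional[str]]:
    """Return {switch: value, or None for bare switches} for a command line."""
    flags: Dict[str, Optional[str]] = {}
    for m in FLAG_RE.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        flags[m.group(1).lower()] = value
    return flags


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_hunt(event: dict, binaries=CHROMIUM_BINARIES) -> bool:
    """The post's query: browser process creation with both switches present."""
    if event.get("event_type") != "processcreatewin":
        return False
    if basename(event.get("proc_file_path", "")) not in binaries:
        return False
    flags = parse_flags(event.get("cmdline", ""))
    return "user-data-dir" in flags and "load-extension" in flags


def triage(event: dict) -> List[str]:
    """Signals that separate the reported tradecraft from developer usage.

    Returns an empty list when the base query does not match.
    """
    if not matches_hunt(event):
        return []
    flags = parse_flags(event["cmdline"])
    reasons = ["user-data-dir+load-extension"]
    # --headless / --headless=new: no window at all, odd for an interactive user.
    if "headless" in flags:
        reasons.append("headless")
    ext_dir = (flags.get("load-extension") or "").lower()
    if any(marker in ext_dir for marker in USER_WRITABLE):
        reasons.append("extension-in-user-writable-path")
    # Edge's default profile root is %LOCALAPPDATA%\Microsoft\Edge\User Data;
    # anything else (like "...\User Data\Recovery" in the post) is non-default.
    profile = (flags.get("user-data-dir") or "").lower().rstrip("\\")
    if not profile.endswith("\\user data"):
        reasons.append("nondefault-user-data-dir")
    # Scheduled-task actions are spawned by the Task Scheduler service host
    # (svchost.exe), which is how the post says Edge was launched.
    if basename(event.get("parent_file_path", "")) == "svchost.exe":
        reasons.append("parent-is-svchost")
    return reasons


def hunt(events: List[dict]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every hit, strongest first."""
    hits = [(i, triage(e)) for i, e in enumerate(events) if matches_hunt(e)]
    return sorted(hits, key=lambda h: -len(h[1]))


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample events (assumed shapes, not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: the command line from the post, launched by a scheduled task
        "event_type": "processcreatewin",
        "proc_file_path": EDGE,
        "parent_file_path": r"C:\Windows\System32\svchost.exe",
        "cmdline": '"' + EDGE + '" '
                   r'--user-data-dir="C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Recovery" '
                   r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext" '
                   r'--no-first-run --disable-sync --headless=new',
    },
    {   # 1: a user simply opening a page
        "event_type": "processcreatewin",
        "proc_file_path": EDGE,
        "parent_file_path": r"C:\Windows\explorer.exe",
        "cmdline": '"' + EDGE + '" https://www.example.com/',
    },
    {   # 2: developer sideloading an extension without a custom profile
        "event_type": "processcreatewin",
        "proc_file_path": CHROME,
        "parent_file_path": r"C:\Windows\explorer.exe",
        "cmdline": '"' + CHROME + r'" --load-extension="C:\dev\myext"',
    },
    {   # 3: developer with both switches; matched only by the broadened hunt
        "event_type": "processcreatewin",
        "proc_file_path": CHROME,
        "parent_file_path": r"C:\Windows\explorer.exe",
        "cmdline": '"' + CHROME + r'" --user-data-dir="C:\dev\profile" --load-extension="C:\dev\myext"',
    },
    {   # 4: same command line, but not a process-creation event
        "event_type": "networkconnectwin",
        "proc_file_path": EDGE,
        "parent_file_path": r"C:\Windows\System32\svchost.exe",
        "cmdline": '"' + EDGE + r'" --user-data-dir="C:\x" --load-extension="C:\x\ext"',
    },
]

if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"])
        print("    ", ", ".join(reasons))
```

Replace SAMPLE_EVENTS with your own export (for example Sysmon Event ID 1 or Security 4688 records mapped to the same field names); the triage reasons are heuristics for ordering hits, and a developer workstation will legitimately produce the two-reason hits.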

See you soon!
