Microsoft has dismantled a sophisticated malware operation that secretly embedded malicious code within 119 seemingly legitimate browser extensions on the official Edge Add-ons store. The campaign, identified by Microsoft as StegoAd, operated for two years and resulted in approximately 2.6 million installations.
The operation's core innovation was its evasion technique. StegoAd used steganography to hide its malicious payloads inside image files, making the extensions appear benign during both automated scans and human reviews. This clever method allowed it to present a clean code profile, effectively bypassing the store's security checks and maintaining a persistent, low-profile presence.
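The article does not say which steganographic method StegoAd used, so the following is an added illustration rather than an analysis of the campaign's images: a defender-side integrity check for PNG files that walks the chunk structure, verifies each CRC, and flags the two simplest places a payload can hide in an otherwise valid image, namely bytes appended after the IEND chunk and unusually large ancillary (non-pixel) chunks. The sample image and the appended bytes are constructed inline; nothing here is StegoAd's code or Microsoft's.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks that carry the picture itself; anything else is ancillary metadata.
CRITICAL_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND"}
# Assumed threshold: metadata chunks larger than this deserve a look.
LARGE_ANCILLARY_BYTES = 1024


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed sample, all-black pixels)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline starts with filter byte 0 followed by RGB triples.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def inspect_png(data: bytes) -> dict:
    """Parse the chunk list and report structural anomalies that suggest hidden data."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks, findings = [], []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        stored_crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(stored_crc) != 4:
            findings.append("truncated chunk at offset %d" % pos)
            break
        name = ctype.decode("ascii", "replace")
        if struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF) != stored_crc:
            findings.append("bad CRC on %s chunk" % name)
        if name not in CRITICAL_CHUNKS and length > LARGE_ANCILLARY_BYTES:
            findings.append("large ancillary chunk %s (%d bytes)" % (name, length))
        chunks.append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            break  # decoders stop here; anything after is not image data
    trailing = len(data) - pos
    if trailing > 0:
        findings.append("%d bytes appended after IEND" % trailing)
    return {"chunks": chunks, "trailing_bytes": trailing, "findings": findings}


if __name__ == "__main__":
    clean = make_png()
    # Constructed sample of a payload simply appended to a valid image.
    tainted = clean + b"CONSTRUCTED-PAYLOAD-" * 8
    for label, img in (("clean", clean), ("tainted", tainted)):
        print(label, inspect_png(img)["findings"])
```

Appended data and oversized metadata chunks are only the coarsest hiding places; a payload spread across pixel bits leaves the chunk structure intact, so this check is a cheap first filter for review pipelines, not proof that an image is benign.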
Once installed, the extensions deployed a dual-pronged criminal strategy. They simultaneously conducted credential theft, harvesting user login information, and operated a large-scale ad fraud scheme. This coordinated approach from a single point of infection highlights a calculated, profit-driven campaign.
The incident critically challenges assumptions about the security of "walled garden" platforms like browser extension stores. It demonstrates that adversaries who meticulously analyze and circumvent review processes can exploit these curated environments. The incident underscores that extensions from official sources cannot be automatically trusted.
In response, security administrators must treat browser extensions with the same governance rigor as other third-party software. Recommended actions include enforcing strict permission controls, maintaining approved allowlists, and monitoring network traffic for suspicious activity from browser plugins. The StegoAd campaign proves that without such measures, even vetted extensions can serve as a vector for prolonged threats.
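As an added example of the allowlist and permission-control steps above (not from the article or from Microsoft), the script below audits browser extension manifests against an approved allowlist and flags permissions that enable the behaviours the article describes: reading cookies or intercepting web requests (credential theft) and broad host access on every site (ad injection). The risk sets, the allowlist IDs, and the sample manifests are constructed; the `audit_profile` helper assumes the Chromium-style layout `Extensions/<id>/<version>/manifest.json` under a browser profile directory and handles both manifest v2 (host patterns inside `permissions`) and manifest v3 (`host_permissions`).

```python
import json
from pathlib import Path

# Assumed risk set: permissions that let an extension read credentials or
# see/modify traffic. Tune to your own policy.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "debugger", "proxy",
    "nativeMessaging", "clipboardRead", "history", "webNavigation",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest: dict) -> list:
    """Collect host match patterns from MV2 permissions, MV3 host_permissions and content scripts."""
    if manifest.get("manifest_version", 2) >= 3:
        hosts = list(manifest.get("host_permissions", []))
    else:
        hosts = [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        hosts.extend(cs.get("matches", []))
    return hosts


def audit_extension(ext_id: str, manifest: dict, allowlist: set) -> dict:
    """Return a verdict for one extension: block, review, or allow."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    broad = sorted(h for h in _host_patterns(manifest) if h in BROAD_HOST_PATTERNS)
    allowlisted = ext_id in allowlist
    if not allowlisted:
        verdict = "block"           # not approved: deny regardless of permissions
    elif risky or broad:
        verdict = "review"          # approved, but powerful enough to warrant a second look
    else:
        verdict = "allow"
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "allowlisted": allowlisted,
        "risky_permissions": risky,
        "broad_hosts": broad,
        "verdict": verdict,
    }


def audit_profile(profile_dir: str, allowlist: set) -> list:
    """Walk Extensions/<id>/<version>/manifest.json under a profile directory (assumed layout)."""
    results = []
    for manifest_path in sorted(Path(profile_dir).joinpath("Extensions").glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        # Some store-packaged manifests carry a UTF-8 BOM; utf-8-sig strips it.
        with open(manifest_path, encoding="utf-8-sig") as fh:
            results.append(audit_extension(ext_id, json.load(fh), allowlist))
    return results


# Constructed sample data: placeholder IDs and manifests, not real extensions.
APPROVED_ID = "a" * 32
UNKNOWN_ID = "b" * 32
ALLOWLIST = {APPROVED_ID}
SAMPLE_MANIFESTS = {
    APPROVED_ID: {"manifest_version": 3, "name": "Notes (sample)",
                  "permissions": ["storage"], "host_permissions": []},
    UNKNOWN_ID: {"manifest_version": 3, "name": "Coupon Helper (sample)",
                 "permissions": ["cookies", "webRequest", "storage"],
                 "host_permissions": ["<all_urls>"]},
}


def audit_samples() -> dict:
    return {eid: audit_extension(eid, m, ALLOWLIST)["verdict"]
            for eid, m in SAMPLE_MANIFESTS.items()}


if __name__ == "__main__":
    for eid, verdict in audit_samples().items():
        print(eid[:8], verdict)
```

Running the audit from a scheduled job and shipping the `review` and `block` rows to your SIEM gives the inventory the article calls for; the verdicts are deliberately conservative, since an approved extension that later gains broad host access is exactly the change a silent update like StegoAd's would introduce.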
