119 malicious Edge extensions steal data from 2.6 million users

Microsoft has removed 119 malware variants disguised as extensions from the Edge Add-ons store. These extensions posed as ordinary tools. Together, they had 2.6 million users. The extensions stole login credentials and 2FA codes and acted as backdoors on infected systems.

They appeared to be harmless tools: an ad blocker, a VPN, a translation tool, or a video downloader. However, the 119 discovered extensions turned out to be collectors of sensitive data or distributors of exploits for remote code execution (RCE).

Microsoft reports that it has since removed the extensions and suspended the 90 developer accounts involved. According to the tech company, detection of malicious extensions has also been improved.

What the extensions actually did

At the heart of the attack was a so-called RCE backdoor. Once an extension was installed, this backdoor let attackers load additional malware onto the compromised system. One module targeted WordPress admins, stealing login credentials and session cookies.

Google accounts were also targeted. During the login process, both passwords and 2FA codes were intercepted. This allowed attackers to easily take over the affected accounts. In addition, the extensions were used for ad fraud by injecting ads into websites.

Advice for users

Microsoft has published a list of the malicious extensions. The company advises Edge users to regularly check their installed extensions and remove any that are no longer in use or are unrecognized.
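As an added example (not from the article, and not Microsoft's tooling), the script below inventories the extensions installed in an Edge profile, flags any whose ID appears on a blocklist, and highlights permissions that would let an extension read cookies, logins or every page, which is what the theft described above requires. It assumes the Chromium on-disk layout `Extensions/<id>/<version>/manifest.json` under the profile directory (on Windows typically `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default`); the blocklist entry and the sample manifests are constructed placeholders, since Microsoft's published list is not reproduced on this page.

```python
import json
import os
import tempfile

# Placeholder: fill from Microsoft's published list; this 32-char ID is constructed.
BLOCKLISTED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Permissions worth a second look: they allow cookie/credential access or reading every page.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "<all_urls>", "nativeMessaging"}


def inventory_extensions(profile_dir, blocklist=BLOCKLISTED_IDS):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and describe each extension found."""
    results = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return results
    for ext_id in sorted(os.listdir(ext_root)):
        for version in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            manifest_path = os.path.join(ext_root, ext_id, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            # MV2 lists hosts under "permissions"; MV3 moves them to "host_permissions".
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            results.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", version),
                "blocklisted": ext_id in blocklist,
                "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
            })
    return results


def build_sample_profile():
    """Constructed profile for a dry run: one blocklisted 'ad blocker' and one benign extension."""
    root = tempfile.mkdtemp()
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Ad Blocker Pro", "version": "1.2.0",
            "permissions": ["cookies", "webRequest"], "host_permissions": ["<all_urls>"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Note Taker", "version": "0.9", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        path = os.path.join(root, "Extensions", ext_id, manifest["version"])
        os.makedirs(path)
        with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for entry in inventory_extensions(build_sample_profile()):
        flag = "REMOVE" if entry["blocklisted"] else ("REVIEW" if entry["risky_permissions"] else "ok")
        print(f"{flag:6} {entry['id']} {entry['name']} {entry['version']} {entry['risky_permissions']}")
```

Point `inventory_extensions` at a real profile directory to audit a machine; a risky permission alone is a prompt to check the publisher and purpose, not proof of malice.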