[Dedime]

The code is calling out to a malicous URL for a script, downloading it, and executing the script. The malicious script from the URL is mirrored here: https://archive.is/TxFWj

Nobody has figured out exactly what it's doing quite yet, but you can paste that code into a Javascript deobfuscator and try to figure it out yourself: https://lelinhtinh.github.io/de4js/

Based off of reading the code for 5 minutes with my very poor javascript skills, it's modifying your searches via Google / Bing and redirecting you to a practically unknown search engine called "Blacksearch". Very suspicious. I found a reddit thread with others complaining about this search engine, https://old.reddit.com/r/edge/comments/kzwb6q/redirecting_to...

[TechBro8615]

Seems like weird malware. It’s not exactly subtle if the first time I Google something after installing it, I get redirected to not-Google.

I could see this working on Karen who downloaded a coupon extension. But surely the type of person who installs an extension to force old.reddit.com will realize what’s happening almost immediately.

What is the point of malware if it can be caught so easily? This makes me wonder if maybe the dev didn’t do it on purpose. Maybe they sold it to an unscrupulous (and dumb) company, or maybe their build process is somehow infected.

[livre]

>This makes me wonder if maybe the dev didn’t do it on purpose.

I doubt this since the code is stolen from this Firefox and Chrome extension https://github.com/tom-james-watson/old-reddit-redirect but there's no acknowledgement of Edge in that GitHub project.

[TechBro8615]

That makes sense and also explains why that Reddit thread had users describing multiple extensions as the source of the same problem.

So the root issue here is effectively extension squatting on the Edge store. The attacker can simply scrape the most popular extensions in Chrome, inject malware into them, and publish them on the Edge store under the same name.

If that’s what’s happening, there is probably substantial effort behind sockpuppet publishers so that one ban won’t ban them all. But then again it also looks like an amateur operation if every extension is footprinting itself by using the same domain for the malicious redirect.

Hopefully Microsoft can clean this up with some one-off code scans for the signatures of this malware. Ban all the publishers and delete the extensions. Then, hold those names in reserve unless the creator can prove they own the same name at the Chrome store.

Long term, the ideal system might involve a verification step at registration time if the publisher name or extension name exists in the Chrome store. I think npm has been working on features in this area, as they are vulnerable to similar namesquatting vectors of malware distribution.