Previous research has predominantly examined extensions that, once installed, generate pop-ups and leave identifiable artifacts on the disk. Our investigation, however, reveals a different approach: no extension installation is necessary. Instead, malicious actors exploit a simple “allow notification” permission prompt in the browser, initiated by the website. This method can be particularly dangerous as it leverages caching, notifications, and JavaScript to execute in the background, leaving minimal traces on a disk.
The code was heavily obfuscated, employing techniques such as a rot13-encoded string array, which further raises suspicions about its intent and functionality. For a detailed, step-by-step exploration of the investigation, please follow this link. This blog aims to summarize the operation, highlight the risks it poses to organizations, and offer practical tips on detecting and preventing such malicious activity.
How do Malicious Actors Operate
In the incident that initiated this investigation, the user visited a website to convert a video from a URL to an MP4 file. When the user unknowingly clicked “allow” on the notification permission prompt, a service worker was installed; it maintains a persistent headless browser process that listens for events and keeps the malicious code running. This results in unwanted notifications appearing in the notifications menu on Windows, and as regular OS notifications in the upper right of the screen on Mac.
According to our expert, the danger is compounded by the possibility that the code may be self-sustaining. It could potentially interact with the notifications by closing ads and clicking on them automatically to inflate click rates. However, this remains a matter of debate due to the complexity and obfuscation of the code.
The Risks and Dangers for Users and Organizations
The service worker poses significant risks to users and organizations. The collection of device-specific data, heavy logging, forced errors, malvertising, and dynamic code execution collectively represent a multifaceted threat to cybersecurity. These methods can be weaponized by malicious actors to breach privacy, gather unauthorized data, and deliver harmful payloads.
Information Collection
The service worker collects detailed information about the device and user interactions with notifications. This data is device-specific and can be particularly revealing, potentially leading to privacy breaches. The collected information includes various aspects of device usage, user behavior, and interaction patterns with notifications.
Moreover, there is evidence of heavy logging that continuously sends data back to the server. This continuous data flow suggests that the amount of information being collected far exceeds what is visible in the code. Such hidden data collection activities raise serious concerns, as they can lead to unauthorized gathering and potential misuse of sensitive information.
Another critical concern is the possibility of forced errors. Malicious actors can deliberately induce errors in the device to extract specific information. This method is particularly insidious, as it exploits the natural occurrence of errors to gain unauthorized access to data. By forcing errors, attackers can bypass security measures and retrieve information about the device that would otherwise remain protected.
Malvertising
Ads pushed through notifications can also be a vector for malvertising. These advertisements often contain malicious payloads that can infect devices and potentially spread across a company’s network. Malvertising is a dangerous form of cyberattack because it leverages the trust users place in legitimate notifications to deliver harmful content. Once an infection occurs, it can rapidly propagate, leading to widespread security breaches and compromising the entire network’s safety.
Dynamic Code Execution
Finally, this service worker also puts the organization at risk due to its ability to dynamically execute code. This capability allows malicious actors to deliver harmful code at any point in time, adjusting their attack strategies in real-time. This poses a severe risk as it enables the injection of malicious scripts or the exploitation of vulnerabilities.
Detection
The defense team can effectively detect these types of malicious activities by thoroughly examining the logs that record DNS queries and web filtering. First, identify domains that appear unusually random or suspicious, and requests whose URL paths contain the following fragments:
- iwant-show
- iwant-show?3.1.517
- iwant
- ck?
Then, implement a cookie entry check for “my.rtmark.net” to flag potential threats. A string search within the appdata/local/microsoft/edge/user data/ directory can also reveal malicious activity associated with these domains. Finally, monitor for the domains and IP addresses in the following table:
| Domain | IPv4 Addresses | Domains with Matching IPs |
| --- | --- | --- |
| littlecdn.com | 104.22.25.116, 104.22.24.116, 172.67.10.98 | |
| my.rtmark.net | 139.45.195.8 | |
| betotodilea.com | 139.45.196.61 | |
| whoumtefie.com | 139.45.197.169 | |
| coogoanu.net | 139.45.197.226, 139.45.197.252 | |
| pepepush.net | 139.45.197.228, 139.45.197.254 | 139.45.197.228: pepepush.net, galepush.net; 139.45.197.254: pepepush.net, galepush.net |
| galepush.net | 139.45.197.228, 139.45.197.254 | 139.45.197.228: pepepush.net, galepush.net; 139.45.197.254: pepepush.net, galepush.net |
| yonmewon.com | 139.45.197.236 | |
| groapeeque.com | 139.45.197.245 | |
| duleonon.com | 139.45.197.247 | |
| amunfezanttor.com | 139.45.197.250 | 139.45.197.250: amunfezanttor.com, bouhoagy.net, ddtvskish.com |
| bouhoagy.net | 139.45.197.250 | 139.45.197.250: amunfezanttor.com, bouhoagy.net, ddtvskish.com |
| ddtvskish.com | 139.45.197.250, 139.45.197.251 | 139.45.197.250: amunfezanttor.com, bouhoagy.net, ddtvskish.com; 139.45.197.251: jouteetu.net, ddtvskish.com |
| jouteetu.net | 139.45.197.251 | 139.45.197.251: jouteetu.net, ddtvskish.com |
| rapepush.net | 139.45.197.253, 139.45.197.227 | 139.45.197.253: rapepush.net, supapush.net, omnatuor.com; 139.45.197.227: rapepush.net, supapush.net, omnatuor.com |
| supapush.net | 139.45.197.253, 139.45.197.227 | 139.45.197.253: rapepush.net, supapush.net, omnatuor.com; 139.45.197.227: rapepush.net, supapush.net, omnatuor.com |
| omnatuor.com | 139.45.197.253, 139.45.197.227 | 139.45.197.253: rapepush.net, supapush.net, omnatuor.com; 139.45.197.227: rapepush.net, supapush.net, omnatuor.com |
| sr7pv7n5x.com | 172.240.83.20, 172.240.83.22, 172.240.83.21 | |
| ak.ecelotsigno.net | 23.223.17.164, 23.223.17.167 | |
| wighingly.com | 54.197.252.238 | |
| pushpong.net | 82.192.85.249 | 82.192.85.249: pushpong.net, lalapush.com, pushimg.com |
| lalapush.com | 82.192.85.249 | 82.192.85.249: pushpong.net, lalapush.com, pushimg.com |
| pushimg.com | 82.192.85.249 | 82.192.85.249: pushpong.net, lalapush.com, pushimg.com |
| voonoga.net | | |
By analyzing logs for random domains, implementing cookie entry checks, performing string searches, and consulting this table of known malicious domains, the defense team can significantly enhance their detection capabilities.
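The three detection steps above (suspicious URL path fragments, the “my.rtmark.net” cookie marker, and the domain/IP table) can be turned into a single pass over proxy or web-filter logs. The following script is an added example, not code from the original investigation; the log line format it parses is a simplified, constructed one (timestamp, client IP, method, URL, cookie header), so the regular expression must be adapted to the real export format. The indicator lists are copied from the table and bullets above.

```python
"""Flag proxy/web-filter log lines that match the push-notification abuse
indicators from the post. Added example; log format is constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicators taken from the post's detection table.
IOC_DOMAINS = {
    "littlecdn.com", "my.rtmark.net", "betotodilea.com", "whoumtefie.com",
    "coogoanu.net", "pepepush.net", "galepush.net", "yonmewon.com",
    "groapeeque.com", "duleonon.com", "amunfezanttor.com", "bouhoagy.net",
    "ddtvskish.com", "jouteetu.net", "rapepush.net", "supapush.net",
    "omnatuor.com", "sr7pv7n5x.com", "ak.ecelotsigno.net", "wighingly.com",
    "pushpong.net", "lalapush.com", "pushimg.com", "voonoga.net",
}
IOC_IPS = {
    "104.22.25.116", "104.22.24.116", "172.67.10.98", "139.45.195.8",
    "139.45.196.61", "139.45.197.169", "139.45.197.226", "139.45.197.252",
    "139.45.197.228", "139.45.197.254", "139.45.197.236", "139.45.197.245",
    "139.45.197.247", "139.45.197.250", "139.45.197.251", "139.45.197.253",
    "139.45.197.227", "172.240.83.20", "172.240.83.22", "172.240.83.21",
    "23.223.17.164", "23.223.17.167", "54.197.252.238", "82.192.85.249",
}
# Path fragments named in the post; "ck?" means /ck followed by a query string.
SUSPICIOUS_SEGMENTS = {"iwant-show", "iwant"}
COOKIE_MARKER = "my.rtmark.net"

# Constructed log format (assumption): <ts> <client> <METHOD> <url> cookie="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'cookie="(?P<cookie>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    host: str
    reasons: list[str] = field(default_factory=list)


def host_matches(host: str) -> str | None:
    """Return a reason if host is a listed IP, or a listed domain/subdomain."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return f"ip {host} in IoC list" if host in IOC_IPS else None
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return f"domain {host} matches IoC {dom}"
    return None


def scan_lines(lines: list[str]) -> list[Finding]:
    """Return one Finding per line that trips at least one indicator."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole scan
        url = urlparse(m.group("url"))
        host = url.hostname or ""
        reasons = []
        if (r := host_matches(host)):
            reasons.append(r)
        segment = url.path.rstrip("/").rsplit("/", 1)[-1]
        if segment in SUSPICIOUS_SEGMENTS or (segment == "ck" and url.query):
            reasons.append(f"suspicious path /{segment}")
        if COOKIE_MARKER in m.group("cookie").lower():
            reasons.append(f"cookie references {COOKIE_MARKER}")
        if reasons:
            findings.append(Finding(n, host, reasons))
    return findings


# Constructed sample lines: one clean request, three that should be flagged,
# and one malformed line that the parser must tolerate.
SAMPLE_LOG = [
    '2024-05-02T10:14:03Z 10.0.0.15 GET https://pepepush.net/iwant-show?3.1.517 cookie=""',
    '2024-05-02T10:14:05Z 10.0.0.15 GET https://cdn.example.org/app.js cookie="sid=abc"',
    '2024-05-02T10:14:07Z 10.0.0.22 POST https://139.45.197.250/ck?x=1 cookie="uid=1; my.rtmark.net=1"',
    '2024-05-02T10:14:09Z 10.0.0.22 GET https://www.example.org/ cookie="my.rtmark.net=zz"',
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no} host={f.host}: " + "; ".join(f.reasons))
```

The cookie check is deliberately separate from the host check: the last sample line shows a request to an unrelated host that still carries the “my.rtmark.net” marker, which is exactly the case a host-only blocklist would miss. Subdomains of listed domains are matched by suffix so that hosts such as ak.ecelotsigno.net and any sibling subdomains are caught by the same rule.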
Prevention
To prevent these malicious activities, organizations should consider three key strategies:
- User Education: This is crucial. Educate users about the risks of allowing notifications from untrusted websites. Train them to recognize suspicious sites and to think critically before enabling notifications. This simple step can significantly reduce the likelihood of falling victim to these malicious activities.
- Network-level Blocking: Implement policies to restrict access to potentially harmful websites, especially in sensitive network segments. This can prevent the initial compromise that often leads to more serious security incidents.
- Proactive Blocking: Use the list of problematic URLs, domains, and IP addresses we’ve identified to proactively block these at the network level. This can intercept malicious activities before they impact your system, enhancing overall cybersecurity resilience.
Conclusion
The abuse of the web browser notification service worker is a sophisticated tactic employed by malicious actors to deliver ads and potentially harmful code. The risks extend beyond simple annoyance, posing significant threats to both individual users and organizations. By understanding how these attacks operate, recognizing the signs, and implementing robust detection and prevention measures, defense teams can mitigate these risks and safeguard their networks from such malicious activities.
Author: Michel Verbel
We would like to thank Amadeus Konopko and Ryan Ackroyed for participating in the investigation, Patrick Spizzo for code review and Andréanne Bergeron for further writing and reviewing.