Web Browser Notification Threat More Alarming than Expected

A recent discovery by our SOC/incident response team has brought to light a concerning use of web browser notification service workers. The alarming aspect of this finding is the ability to initiate notifications, simulate user clicks, and close notifications seamlessly, all while remaining virtually undetectable to the user. This covert execution presents significant challenges in detecting and effectively mitigating such malicious activities.

Previous research has predominantly examined extensions that, once installed, generate pop-ups and leave identifiable artifacts on the disk. Our investigation, however, reveals a different approach: no extension installation is necessary. Instead, malicious actors exploit a simple « allow notification » permission prompt in the browser, initiated by the website. This method can be particularly dangerous as it leverages caching, notifications, and JavaScript to execute in the background, leaving minimal traces on a disk.

The code was heavily obfuscated, employing techniques like a rot13 array, which further raises suspicions regarding its intentions and functionality. For a detailed, step by step exploration of the investigation please follow this link. This blog aims to provide a summary of the operation, highlight the risks posed to organizations, and offer practical tips on detecting and preventing such malicious activities.

How do Malicious Actors Operate

In the incident that initiated this investigation, the user visited a website to convert a video from a URL to an MP4 file. Upon unknowingly clicking « allow » for notifications, a service worker is installed, which maintains a persistent headless browser process to listen for events and keep the malicious code running. This results in unwanted notifications appearing in the notifications menu on Windows, and as a regular OS notification in the upper right of the screen for Mac.

According to our expert, the danger is compounded by the possibility that the code may be self-sustaining. It could potentially interact with the notifications by closing ads and clicking on them automatically to inflate click rates. However, this remains a matter of debate due to the complexity and obfuscation of the code.

The Risks and Dangers for Users and Organizations

The service worker poses significant risks to users and organizations. The collection of device-specific data, heavy logging, forced errors, malvertising, and dynamic code execution collectively represent a multifaceted threat to cybersecurity. These methods can be weaponized by malicious actors to breach privacy, gather unauthorized data, and deliver harmful payloads.

Information Collection

The service worker collects detailed information about the device and user interactions with notifications. This data is device-specific and can be particularly revealing, potentially leading to privacy breaches. The collected information includes various aspects of device usage, user behavior, and interaction patterns with notifications.

Moreover, there is evidence of heavy logging that continuously sends data back to the server. This continuous data flow suggests that the amount of information being collected far exceeds what is visible in the code. Such hidden data collection activities raise serious concerns, as they can lead to unauthorized gathering and potential misuse of sensitive information.

Another critical concern is the possibility of forced errors. Malicious actors can deliberately induce errors in the device to extract specific information. This method is particularly insidious, as it exploits the natural occurrence of errors to gain unauthorized access to data. By forcing errors, attackers can bypass security measures and retrieve information about the device that would otherwise remain protected.

Malvertising

Ads pushed through notifications can also be a vector for malvertising. These advertisements often contain malicious payloads that can infect devices and potentially spread across a company’s network. Malvertising is a dangerous form of cyberattack because it leverages the trust users place in legitimate notifications to deliver harmful content. Once an infection occurs, it can rapidly propagate, leading to widespread security breaches and compromising the entire network’s safety.

Dynamic Code Execution

Finally, this service worker also puts the organization at risk due to its ability to dynamically execute code. This capability allows malicious actors to deliver harmful code at any point in time, adjusting their attack strategies in real-time. This poses a severe risk as it enables the injection of malicious scripts or the exploitation of vulnerabilities.

Detection

The defense team can effectively detect these types of malicious activities by thoroughly examining the logs that handle DNS queries and web filtering. First, identify domains that appear unusually random or suspicious, which includes the following URLs:

• iwant-show
• iwant-show?3.1.517
• iwant
• ck?

Then, implement a cookie entry check for « my.rtmark.net » to flag potential threats. A string search within the appdata/local/microsoft/edge/user data/ directory can also reveal malicious activities associated with these domains. And finally, monitor for the domains and IP addresses of the following table:

Domain	IPv4 Addresses	Domains with Matching IPs
littlecdn.com	104.22.25.116, 104.22.24.116, 172.67.10.98
my.rtmark.net	139.45.195.8
betotodilea.com	139.45.196.61
whoumtefie.com	139.45.197.169
coogoanu.net	139.45.197.226, 139.45.197.252
pepepush.net	139.45.197.228, 139.45.197.254	139.45.197.228: pepepush.net, galepush.net; 139.45.197.254: pepepush.net, galepush.net
galepush.net	139.45.197.228, 139.45.197.254	139.45.197.228: pepepush.net, galepush.net; 139.45.197.254: pepepush.net, galepush.net
yonmewon.com	139.45.197.236
groapeeque.com	139.45.197.245
duleonon.com	139.45.197.247
amunfezanttor.com	139.45.197.250	139.45.197.250: amunfezanttor.com, bouhoagy.net, ddtvskish.com
bouhoagy.net	139.45.197.250	139.45.197.250: amunfezanttor.com, bouhoagy.net, ddtvskish.com
ddtvskish.com	139.45.197.250, 139.45.197.251	139.45.197.250: amunfezanttor.com, bouhoagy.net, ddtvskish.com; 139.45.197.251: jouteetu.net, ddtvskish.com
jouteetu.net	139.45.197.251	139.45.197.251: jouteetu.net, ddtvskish.com
rapepush.net	139.45.197.253, 139.45.197.227	139.45.197.253: rapepush.net, supapush.net, omnatuor.com; 139.45.197.227: rapepush.net, supapush.net, omnatuor.com
supapush.net	139.45.197.253, 139.45.197.227	139.45.197.253: rapepush.net, supapush.net, omnatuor.com; 139.45.197.227: rapepush.net, supapush.net, omnatuor.com
omnatuor.com	139.45.197.253, 139.45.197.227	139.45.197.253: rapepush.net, supapush.net, omnatuor.com; 139.45.197.227: rapepush.net, supapush.net, omnatuor.com
sr7pv7n5x.com	172.240.83.20, 172.240.83.22, 172.240.83.21
ak.ecelotsigno.net	23.223.17.164, 23.223.17.167
wighingly.com	54.197.252.238
pushpong.net	82.192.85.249	82.192.85.249: pushpong.net, lalapush.com, pushimg.com
lalapush.com	82.192.85.249	82.192.85.249: pushpong.net, lalapush.com, pushimg.com
pushimg.com	82.192.85.249	82.192.85.249: pushpong.net, lalapush.com, pushimg.com
voonoga.net

 

By analyzing logs for random domains, implementing cookie entry checks, performing string searches, and consulting this table of known malicious domains, the defense team can significantly enhance their detection capabilities.

Prevention

To prevent these malicious activities, organizations should consider three key strategies:

1. User Education: This is crucial. Educate users about the risks of allowing notifications from untrusted websites. Train them to recognize suspicious sites and to think critically before enabling notifications. This simple step can significantly reduce the likelihood of falling victim to these malicious activities.
2. Network-level Blocking: Implement policies to restrict access to potentially harmful websites, especially in sensitive network segments. This can prevent the initial compromise that often leads to more serious security incidents.
3. Proactive Blocking: Use the list of problematic URLs, domains, and IP addresses we’ve identified to proactively block these at the network level. This can intercept malicious activities before they impact your system, enhancing overall cybersecurity resilience.

Conclusion

The abuse of the web browser notification service worker is a sophisticated tactic employed by malicious actors to deliver ads and potentially harmful code. The risks extend beyond simple annoyance, posing significant threats to both individual users and organizations. By understanding how these attacks operate, recognizing the signs, and implementing robust detection and prevention measures, defense teams can mitigate these risks and safeguard their networks from such malicious activities.

Author: Michel Verbel

We would like to thank Amadeus Konopko and Ryan Ackroyed for participating in the investigation, Patrick Spizzo for code review and Andréanne Bergeron for further writing and reviewing.