
A recent discovery by our SOC/incident response team has brought to light a concerning use of web browser notification service workers. The alarming aspect of this finding is the ability to initiate notifications, simulate user clicks, and close notifications seamlessly, all while remaining virtually undetectable to the user. This covert execution presents significant challenges in detecting and effectively mitigating such malicious activities.

Previous research has predominantly examined extensions that, once installed, generate pop-ups and leave identifiable artifacts on the disk. Our investigation, however, reveals a different approach: no extension installation is necessary. Instead, malicious actors exploit a simple "allow notification" permission prompt in the browser, initiated by the website. This method can be particularly dangerous because it leverages caching, notifications, and JavaScript to execute in the background, leaving minimal traces on disk.

The code was heavily obfuscated, employing techniques like a rot13 array, which further raises suspicions regarding its intentions and functionality. For a detailed, step-by-step exploration of the investigation, please follow this link. This blog post aims to summarize the operation, highlight the risks posed to organizations, and offer practical tips on detecting and preventing such malicious activity.

How Malicious Actors Operate

In the incident that initiated this investigation, the user visited a website to convert a video from a URL to an MP4 file. Upon unknowingly clicking "allow" on the notification prompt, a service worker was installed, which maintains a persistent headless browser process to listen for events and keep the malicious code running. This results in unwanted notifications appearing in the notifications menu on Windows, and as a regular OS notification in the upper right of the screen on Mac.

According to our expert, the danger is compounded by the possibility that the code may be self-sustaining. It could potentially interact with the notifications by closing ads and clicking on them automatically to inflate click rates. However, this remains a matter of debate due to the complexity and obfuscation of the code.

The Risks and Dangers for Users and Organizations

The service worker poses significant risks to users and organizations. The collection of device-specific data, heavy logging, forced errors, malvertising, and dynamic code execution collectively represent a multifaceted threat to cybersecurity. These methods can be weaponized by malicious actors to breach privacy, gather unauthorized data, and deliver harmful payloads.

Information Collection

The service worker collects detailed information about the device and user interactions with notifications. This data is device-specific and can be particularly revealing, potentially leading to privacy breaches. The collected information includes various aspects of device usage, user behavior, and interaction patterns with notifications.

Moreover, there is evidence of heavy logging that continuously sends data back to the server. This continuous data flow suggests that the amount of information being collected far exceeds what is visible in the code. Such hidden data collection activities raise serious concerns, as they can lead to unauthorized gathering and potential misuse of sensitive information.

Another critical concern is the possibility of forced errors. Malicious actors can deliberately induce errors in the device to extract specific information. This method is particularly insidious, as it exploits the natural occurrence of errors to gain unauthorized access to data. By forcing errors, attackers can bypass security measures and retrieve information about the device that would otherwise remain protected.

Malvertising

Ads pushed through notifications can also be a vector for malvertising. These advertisements often contain malicious payloads that can infect devices and potentially spread across a company’s network. Malvertising is a dangerous form of cyberattack because it leverages the trust users place in legitimate notifications to deliver harmful content. Once an infection occurs, it can rapidly propagate, leading to widespread security breaches and compromising the entire network’s safety.

Dynamic Code Execution

Finally, this service worker also puts the organization at risk due to its ability to dynamically execute code. This capability allows malicious actors to deliver harmful code at any point in time, adjusting their attack strategies in real-time. This poses a severe risk as it enables the injection of malicious scripts or the exploitation of vulnerabilities.

Detection

The defense team can effectively detect this type of malicious activity by thoroughly examining DNS query and web-filtering logs. First, identify domains that appear unusually random or suspicious, and look for requests containing the following URL fragments:

  • iwant-show
  • iwant-show?3.1.517
  • iwant
  • ck?

Then, implement a cookie entry check for "my.rtmark.net" to flag potential threats. A string search for these domains within the appdata/local/microsoft/edge/user data/ directory can also reveal related malicious activity. Finally, monitor for the domains and IP addresses in the following table:


By analyzing logs for random-looking domains, implementing cookie entry checks, performing string searches, and consulting the list of known malicious domains and IP addresses identified in this investigation, the defense team can significantly enhance its detection capabilities.
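As an added example (not code from the post or from GoSecure), the following Python applies the detection steps above to constructed web-filter log lines and cookie entries: it flags requests to the domains the investigation identified, including subdomains, and requests whose URL ends in one of the listed fragments while avoiding false positives on look-alike paths. The log layout, the cookie export format and the example.com/example.net hosts are assumptions.

```python
# Added example, not code from the GoSecure post: detection logic for the indicators
# above, run over constructed log lines; the log/cookie layouts and example.* hosts are assumptions.
from urllib.parse import urlsplit
# A subset of the domains the post's investigation identified (my.rtmark.net is the cookie host).
KNOWN_BAD_DOMAINS = {"my.rtmark.net", "littlecdn.com", "pepepush.net",
                     "galepush.net", "pushpong.net", "lalapush.com"}
# URL fragments the post lists; longest first so the versioned form wins.
URL_MARKERS = ("iwant-show?3.1.517", "iwant-show", "iwant", "ck?")

# Constructed web-filter log in an assumed "<ts> <client> <method> <url>" layout.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z 10.0.0.12 GET https://cdn.example.net/iwant-show?3.1.517
2024-05-01T10:00:12Z 10.0.0.12 GET https://example.com/iwant-to-help
2024-05-01T10:00:15Z 10.0.0.12 GET https://sub.pepepush.net/iwant
"""
# Constructed cookie entries as (host, name) pairs from a browser export.
SAMPLE_COOKIES = [("example.com", "sid"), (".my.rtmark.net", "uid")]

def host_matches(host, bad=KNOWN_BAD_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().strip(".")
    return any(host == d or host.endswith("." + d) for d in bad)

def url_marker(url):
    """Marker the URL's last path segment (plus query) starts with, ending at '?' or the end; else None."""
    parts = urlsplit(url)
    tail = parts.path.rsplit("/", 1)[-1] + ("?" + parts.query if parts.query else "")
    for m in URL_MARKERS:
        if tail == m or tail.startswith(m if m.endswith("?") else m + "?"):
            return m
    return None

def scan_log(text):
    """Return (line_no, reason, url) for lines hitting a known domain or URL marker."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        url, marker = fields[3], url_marker(fields[3])
        host = urlsplit(url).hostname or ""
        if host_matches(host):
            hits.append((n, "known-domain:" + host, url))
        elif marker:
            hits.append((n, "url-marker:" + marker, url))
    return hits

def flag_cookies(cookies, host="my.rtmark.net"):
    """Cookie entries set for the host the post says to check for."""
    return [c for c in cookies if host_matches(c[0], {host})]
```

Line 2 of the sample is deliberately a near miss ("iwant-to-help") and is not reported, while the subdomain of pepepush.net on line 3 is.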

Prevention

To prevent these malicious activities, organizations should consider three key strategies:

  1. User Education: This is crucial. Educate users about the risks of allowing notifications from untrusted websites. Train them to recognize suspicious sites and to think critically before enabling notifications. This simple step can significantly reduce the likelihood of falling victim to these malicious activities.
  2. Network-level Blocking: Implement policies to restrict access to potentially harmful websites, especially in sensitive network segments. This can prevent the initial compromise that often leads to more serious security incidents.
  3. Proactive Blocking: Use the list of problematic URLs, domains, and IP addresses we’ve identified to proactively block these at the network level. This can intercept malicious activities before they impact your system, enhancing overall cybersecurity resilience.

Conclusion

The abuse of the web browser notification service worker is a sophisticated tactic employed by malicious actors to deliver ads and potentially harmful code. The risks extend beyond simple annoyance, posing significant threats to both individual users and organizations. By understanding how these attacks operate, recognizing the signs, and implementing robust detection and prevention measures, defense teams can mitigate these risks and safeguard their networks from such malicious activities.

Author: Michel Verbel

We would like to thank Amadeus Konopko and Ryan Ackroyed for participating in the investigation, Patrick Spizzo for code review and Andréanne Bergeron for further writing and reviewing.
