
eGobbler Malvertiser Uses WebKit Exploit to Infect Over 1 Billion Ads


steven36


Roughly 1.16 billion ad impressions have been hijacked in a malvertising campaign operated by a threat group dubbed eGobbler to redirect potential victims to malicious payloads, between August 1 and September 23.


The group was previously observed by Confiant researchers in April while using a Chrome for iOS exploit to circumvent the browser's built-in pop-up blocker to deliver fake ads to 500 million sessions of users from the U.S. and multiple European Union countries in under a week.

 

While eGobbler's operations were previously focused on iOS devices, this time around, they targeted Windows, Linux, and macOS desktop devices in another extensive series of malvertising attacks.

 

Figure: eGobbler attacks by OS and browsers

The WebKit exploit

Confiant's researchers found that the new campaign switched to a new exploit payload, similar to the one used to target iOS users, but with a different modus operandi designed to abuse WebKit browsers in a way not seen before.

 

"This time around however, the iOS Chrome pop-up was not spawning as before, but we were in fact experiencing redirections on WebKit browsers upon the 'onkeydown' event," found the researchers.

"The nature of the bug is that a cross-origin nested iframe is able to 'autofocus' which bypasses the 'allow-top-navigation-by-user-activation' sandbox directive on the parent frame."

 

Figure: De-obfuscated PoC used in the attacks

 

Once the inner frame gets focused automatically, the user's next 'keydown' event is counted as the user activation that permits a navigation, which renders the ad sandboxing feature that should block the redirects completely useless.
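As an added example (not from the article or from Confiant's report), here is a small Node.js audit of an ad slot's `sandbox` attribute that flags the grant this bug undermined and emits a hardened value; the risk ratings and the assumption that the creative can open its landing page via a pop-up instead of top navigation are this example's own.

```javascript
// Added example, not the article's or Confiant's code. Token names are the real
// HTML sandbox flags; the risk ratings below are this example's own assumptions.
const TOP_NAV_TOKENS = {
  'allow-top-navigation':
    'ad frame may navigate the top page at any time, no user gesture needed',
  'allow-top-navigation-by-user-activation':
    'relies on user-activation gating; on unpatched WebKit an autofocused ' +
    'nested cross-origin iframe turns a hijacked keydown into a valid activation',
};

// Parse the attribute the way browsers do: ASCII-whitespace-separated,
// case-insensitive tokens. A missing attribute means no sandbox at all.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Returns { risk, findings, hardened } for one iframe's sandbox value.
function auditAdFrameSandbox(attr) {
  const tokens = parseSandbox(attr);
  if (tokens === null) {
    return { risk: 'high', findings: ['no sandbox attribute: frame is unrestricted'], hardened: '' };
  }
  const findings = [];
  for (const [token, why] of Object.entries(TOP_NAV_TOKENS)) {
    if (tokens.has(token)) findings.push(`${token}: ${why}`);
  }
  if (tokens.has('allow-same-origin') && tokens.has('allow-scripts')) {
    findings.push('allow-same-origin + allow-scripts: same-origin content can remove the sandbox itself');
  }
  // Hardened value (assumption): drop every top-navigation grant and let the
  // creative reach its landing page through a pop-up, which the sandbox still
  // controls. Patching the browser is the real fix; this is defence in depth.
  const hardened = [...tokens].filter((t) => !(t in TOP_NAV_TOKENS));
  if (!hardened.includes('allow-popups')) hardened.push('allow-popups');
  const risk = findings.length === 0 ? 'low'
    : tokens.has('allow-top-navigation') ? 'high' : 'medium';
  return { risk, findings, hardened: hardened.join(' ') };
}

// Constructed sample: a typical ad-slot configuration that the bug bypasses.
const sampleSlot = 'allow-scripts allow-top-navigation-by-user-activation';
console.log(auditAdFrameSandbox(sampleSlot));
```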

 

"Also noteworthy is that the campaign behind this payload had specifically targeted some web applications with text areas and search forms in order to maximize the chances of hijacking these keypresses," also discovered Confiant.

 

The Chrome team answered in under an hour on August 7 after receiving a bug report regarding this WebKit exploit being used in the wild, while Apple's security team got back with an answer two days later, on August 12, stating that the issue is under investigation.

 

Chrome received a patch on August 12, while Apple fixed it in iOS 13 on September 19 and in Safari 13.0.1 on September 24.

 

"eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing," also found Confiant.

 

Figure: eGobbler activity in August and September

 

This shows a radical change in the group's targeting behavior since, based on previous activity, they were only focused on delivering malicious payloads to mobile devices.

During their latest series of attacks, the eGobbler threat actors were seen using several content delivery networks (CDNs) to deliver their payloads and switching to harmless-looking subdomains whenever possible.

 

The eGobbler campaigns that targeted iOS and desktop were not the first observed by Confiant: in November 2018 the researchers saw a campaign run by the ScamClub group hijack roughly 300 million iOS user sessions to redirect them to adult content and gift card scams.

 

However, as Confiant said in their April report, "This really was a standout campaign compared to the others that we track based not only on the unique payload, but the volumes as well."

 

A list of indicators of compromise (IOCs) including some of the CDN endpoints used by eGobbler to deliver their malicious payloads is available at the end of Confiant's report.

 

Source

 
