1 October 2019

EGobbler malvertiser exploits Chrome and WebKit bugs to infect more than 1B ads

Over the past six months, a threat group dubbed eGobbler has leveraged obscure browser bugs to bypass the built-in browser protections against pop-ups and forced redirections. The first campaign was spotted by Confiant researchers in April, when the eGobbler group was using a Chrome for iOS bug (CVE-2019-5840) to circumvent the browser's built-in pop-up blocker and deliver malicious ads to 500 million sessions of users in the U.S. and EU countries. Although the bug was fixed in Chrome 75, released in June, the attackers continued to use the exploit against users who had not updated their browsers.

The second campaign was observed between August 1 and September 23, 2019; while eGobbler's operations were previously focused on iOS devices, this time around, the attackers targeted Windows, Linux, and macOS desktop devices in another series of malvertising attacks. Within a span of two months, the group has compromised nearly 1.16 billion ad impressions to redirect potential victims to malicious sites.

While analyzing the payload observed in the new campaign, the researchers found that the eGobbler group had switched tactics: the recent attacks exploit a vulnerability in WebKit-based browsers instead of the Chrome for iOS pop-up bug.

“This time around, however, the iOS Chrome pop-up was not spawning as before, but we were in fact experiencing redirections on WebKit browsers upon the ‘onkeydown’ event,” the researchers explained.

“The nature of the bug is that a cross-origin nested iframe is able to ‘autofocus’ which bypasses the ‘allow-top-navigation-by-user-activation’ sandbox directive on the parent frame. With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”
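The mechanism the researchers describe rests on focus silently moving into the ad frame before the user has done anything, so that the next keystroke counts as activation. A publisher's top frame cannot see keydown events inside a cross-origin iframe, but it can see focus leaving its own document (a window `blur` while `document.activeElement` is the iframe) and it can see its own pointer and keyboard activity. The following is an added example, not code from the article or from Confiant: a heuristic monitor that flags an ad slot becoming the active element with no recent user gesture in the top frame, pulls focus back, and reports the event for telemetry. The function names, the `ACTIVATION_WINDOW_MS` threshold and the event stream format are assumptions made for this example; it is a mitigation aid for unpatched browsers, not a replacement for the WebKit fix.

```javascript
// Added example (not from the article or Confiant): publisher-side heuristic for an
// ad iframe that takes keyboard focus without any prior user gesture in the top frame.
// Names and thresholds below are assumptions chosen for this example.

// Assumption: a gesture older than this cannot plausibly be the cause of the focus change.
const ACTIVATION_WINDOW_MS = 1000;

// Pure classifier over a normalised event stream (constructed here, fed from the DOM below):
//   { t: <ms since load>, type: 'user-gesture' }               pointerdown/keydown/touchend in top doc
//   { t: <ms since load>, type: 'focus-in-frame', frame: <id> } window blur with activeElement = that iframe
function classifyFocusEvents(events) {
  const findings = [];
  let lastGestureAt = -Infinity;
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === 'user-gesture') {
      lastGestureAt = ev.t;
    } else if (ev.type === 'focus-in-frame') {
      const sinceGesture = ev.t - lastGestureAt;
      // Legitimate: the user interacted with the page shortly before focus moved into the frame.
      // Suspicious: focus moved into the ad frame with no gesture, or only a stale one.
      const suspicious = !(sinceGesture >= 0 && sinceGesture <= ACTIVATION_WINDOW_MS);
      findings.push({
        frame: ev.frame,
        t: ev.t,
        suspicious,
        reason: suspicious
          ? 'focus moved into ad frame with no recent user gesture in top frame'
          : 'focus change followed a user gesture',
      });
    }
  }
  return findings;
}

// Browser wiring. Returns null where no DOM exists (e.g. under Node) so the classifier
// above can still be exercised stand-alone.
function installFocusMonitor(adFrameSelector, onSuspicious) {
  if (typeof window === 'undefined' || typeof document === 'undefined') return null;
  const start = performance.now();
  const events = [];
  const recordGesture = () => events.push({ t: performance.now() - start, type: 'user-gesture' });
  for (const type of ['pointerdown', 'keydown', 'touchend']) {
    document.addEventListener(type, recordGesture, { capture: true, passive: true });
  }
  // The top window fires 'blur' when focus enters a cross-origin iframe; activeElement
  // then points at the iframe element itself.
  window.addEventListener('blur', () => {
    const el = document.activeElement;
    if (!el || el.tagName !== 'IFRAME' || !el.matches(adFrameSelector)) return;
    events.push({ t: performance.now() - start, type: 'focus-in-frame', frame: el.id || el.src });
    const latest = classifyFocusEvents(events).pop();
    if (latest && latest.suspicious) {
      // Move focus back into the publisher document so the next keystroke is not
      // delivered to the ad frame, then hand the finding to telemetry.
      document.body.setAttribute('tabindex', '-1');
      document.body.focus();
      onSuspicious(latest);
    }
  });
  return events;
}

// Constructed sample streams illustrating both outcomes.
const autofocusedSlot = classifyFocusEvents([
  { t: 150, type: 'focus-in-frame', frame: 'ad-slot-1' }, // focus taken 150 ms after load, no gesture
]);
const clickedSlot = classifyFocusEvents([
  { t: 5000, type: 'user-gesture' },
  { t: 5040, type: 'focus-in-frame', frame: 'ad-slot-1' }, // user clicked into the ad
]);
console.log(autofocusedSlot[0].suspicious, clickedSlot[0].suspicious); // true false

module.exports = { ACTIVATION_WINDOW_MS, classifyFocusEvents, installFocusMonitor };
```

In a page, `installFocusMonitor('iframe.ad-slot', finding => sendBeacon(finding))` would arm the monitor; the classifier is kept separate from the DOM wiring so the same decision logic can be replayed over server-side telemetry when triaging a suspected forced-redirect campaign.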

During the latest campaign, the eGobbler group was seen using several content delivery networks (CDNs) to deliver its payloads, leveraging subdomains that look innocuous or include familiar brands.

While initially the eGobbler group was focused only on iOS users in the US, the recent campaign expanded its targeting to desktop browsers and users in European countries, with most victims located in Italy.

The Chrome team submitted a WebKit patch on August 12, while Apple fixed the bug in iOS 13 and Safari 13.0.1.
