Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Browser Locker Downloads and Decodes Itself On the Fly to Avoid Detection
#1
https://news.softpedia.com/news/browser-...pd_related        Browser Locker Downloads and Decodes Itself On the Fly to Avoid Detection
Scammers use new obfuscation method to deceive victims
Nov 7, 2018 00:09 GMT  ·  By Sergiu Gatlan ·                  
Tech support scam alert
A new browser lock obfuscation technique which makes it possible for tech support scams to lock their victims' web browsers while at the same time completely avoiding detection has been observed in the wild by Malwarebytes' Jérôme Segura.

Browser lockers are a type of malicious attack designed to completely lock the victim's web browser, denying access to the desktop or blocking navigation to other websites.

This allows the bad actors behind it to induce a state of urgency, persuading the victim to call a tech support scam number, to pay a ransom, or to install a maliciously crafted extension that could drop a malware payload.

Unlike many of its brethren, the new browser locker discovered by Segura does not reside in the page designed to bait the victim, obfuscating itself using an ingenious new method instead of the run-of-the-mill BASE 64 or hex encoding employed by scammers who want to hide their tools from prying eyes.

To be more exact, this new browser locker Segura found in the wild takes obfuscation to another level by loading its code from another location and not having it included in the browlock's main page.

The browlock state is triggered after downloading, decoding, and executing the browser locker on the fly
Moreover, after the browser lock page is loaded, the browser loads the Zepto.js JavaScript library featuring a mostly jQuery-compatible API and the base64.min.js library used to decode Base64 encoded content in real time.

The browser locker code is loaded using a GET request from the source.php file stored on the same server as the main scam page, decoded into memory and executed by the web browser, triggering a browlock state.

"There is no denying that crooks are once again trying to play cat and mouse with defenders," says Segura. "Perhaps as a tongue-in-cheek gesture, they even created a bogus Google Analytics tracker ID: gtag(‘config’, ‘UA-8888888-x’), in addition to using the maps-google[.]us Google look-alike domain."

Even if users fall to these scams, they should know that they are not at all dangerous and most if not all of them can be dismissed by killing the web browser process using the operating system's process manager.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Metamorfo Banking Trojan Abuses AutoHotKey to Avoid Detection Bjyda 0 1,630 03-13-2021 , 12:03 AM
Last Post: Bjyda
  How to Avoid the New Astaroth Malware That's Hitting Windows sidemoon 0 1,575 03-26-2020 , 10:38 PM
Last Post: sidemoon
  Why Steam users often fall victims to scams and frauds and how to avoid it. sidemoon 0 1,743 03-07-2020 , 05:29 PM
Last Post: sidemoon
  Malware Coders Find the Perfect Technique to Help RATs Avoid Detection baziroll 0 2,546 04-22-2016 , 10:25 PM
Last Post: baziroll



Users browsing this thread: 1 Guest(s)