I don’t have to tell you how big this threat is: browsers and browser plugins are a core part of every computer user’s daily life. A great example is showcased by The Browser Exploitation Framework Project, also known as BeEF. BeEF is a penetration testing tool focused on web browsers, one of the biggest client-side attack vectors out there, and it illustrates their exploitability quite well.
Skimming has morphed since 2018. A common way this technique is used today is by replacing bitcoin addresses with the attacker’s address on a benign website as we saw with the Lazarus group in the past few years.
Although operating on a benign website allows for wide dissemination, it is limited in scope compared with a server over which the attacker maintains full control. If the attacker can make the user come to them, they’ve got home-court advantage, which allows for a significantly larger impact. Once the victims land on their turf, the attacker can make them download malware, retrieve information from their browsing session, and perform many other malicious activities.
A classic way to do this is to create a transparent iframe on top of a legitimate one, giving users a false sense of security when they click on it. This iframe redirects the users to the attacker-controlled server, where the attackers can run their myriad malicious activities.
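As an added example (not code from the original post), the following heuristic flags iframes that look like the transparent overlays described above, using the values a page-integrity script would read from the DOM; `OWN_ORIGIN`, the thresholds, and the sample frame records are constructed assumptions, and `collectFrames` needs a real browser `window`/`document`.

```javascript
// Added example: heuristic detection of transparent, clickable overlay iframes.
const OWN_ORIGIN = "https://www.example.com"; // assumption: the origin being protected

function parseOpacity(style) {
  const o = parseFloat(style.opacity);
  return Number.isNaN(o) ? 1 : o; // "auto"/missing -> fully opaque
}

// Returns the reasons a frame looks like a click-hijacking overlay (empty = benign).
function overlayIndicators(frame) {
  const { style, rect, src } = frame;
  const reasons = [];
  const floats = style.position === "absolute" || style.position === "fixed";
  const invisible = parseOpacity(style) < 0.1 || style.visibility === "hidden";
  const clickable = style.pointerEvents !== "none";
  const large = rect.width >= 200 && rect.height >= 100;
  const zIndex = parseInt(style.zIndex, 10); // NaN for "auto"
  if (floats && invisible && clickable) reasons.push("invisible-but-clickable");
  if (floats && large && zIndex >= 1000) reasons.push("high-zindex-overlay");
  let crossOrigin = false;
  try { crossOrigin = new URL(src, OWN_ORIGIN).origin !== OWN_ORIGIN; } catch { crossOrigin = true; }
  if (reasons.length > 0 && crossOrigin) reasons.push("cross-origin");
  return reasons;
}

// Scans a list of frame records and keeps only the suspicious ones.
function scanFrames(frames) {
  return frames
    .map((f) => ({ src: f.src, reasons: overlayIndicators(f) }))
    .filter((r) => r.reasons.length > 0);
}

// Builds frame records from a live DOM (browser only; not exercised offline).
function collectFrames(doc, win) {
  return Array.from(doc.querySelectorAll("iframe")).map((el) => {
    const cs = win.getComputedStyle(el);
    return { src: el.getAttribute("src") || "", rect: el.getBoundingClientRect(),
             style: { position: cs.position, opacity: cs.opacity, visibility: cs.visibility,
                      pointerEvents: cs.pointerEvents, zIndex: cs.zIndex } };
  });
}

// Constructed sample: one legitimate embed and one transparent overlay.
const SAMPLE_FRAMES = [
  { src: "https://www.example.com/embed/video", rect: { width: 640, height: 360 },
    style: { position: "static", opacity: "1", visibility: "visible", pointerEvents: "auto", zIndex: "auto" } },
  { src: "https://attacker.invalid/landing", rect: { width: 640, height: 360 },
    style: { position: "absolute", opacity: "0", visibility: "visible", pointerEvents: "auto", zIndex: "9999" } },
];
```

Run `scanFrames(collectFrames(document, window))` from a page-integrity script or extension to report such frames to your SWG or SIEM.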
HTML code excerpt of The New York Times website (https://www.nytimes.com/) on February 2, 2022
Akamai Enterprise Threat Protector secure web gateway (SWG) is composed of different engines scanning the traffic in real time. It is also connected to our threat intelligence and enriched by our custom algorithms.
Let’s zoom inside the red box labeled “JS Models”:
The DB also contains the test set, which is basically the last few days of traffic that we see over the proxy.
Model for real-time detection
Threat intelligence enrichment by machine learning model
To be able to detect them despite this technique, we integrated our logic into a model inspired by JStap, which operates on the abstract syntax tree (AST), a tree representation of the code; this is how we get around the technique.
A machine learning model can provide better accuracy than YARA rules. However, deploying it on the edge for real-time scanning is challenging. So, we landed somewhere in between: our model is trained with the same training set, scans the traffic offline (in the Azure Machine Learning environment), and fills the threat intelligence with what it finds.
The threat intelligence is checked on every connection to the SWG — that way customers benefit from the machine learning model detection.
Seeing it in action — a case study
This domain, as of March 10, 2022, was showing 0 detections on VT.
One of them, hxxps://myprintscreen[.]com/soft/myp0912.exe, which has since been commented out in the code, actually downloads a Trojan (4a6ffa02ff7280e00cf722c4f2235f0e318e6cc8a2b9968639ba715f1a38c834) that has 23 detections on VT. Some other URLs were flagged as malicious by many vendors on VT.
The same mechanism has been detected on penis-photo.blogspot[.]com.br (March 10), mateyhderesa[.]blogspot.com (March 13), and playboy-college-girls.blogspot.sk (March 14).