WoofLocker Toolkit

Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker, engineered to conduct tech support scams.  The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks to serve next-stage JavaScript that redirects users to a browser locker (Browlock).[1]

This redirection mechanism, in turn, uses steganographic tricks to conceal the JavaScript code within a PNG image that is served only when the validation phase is successful.  Should a user be detected as a bot or as uninteresting traffic, a decoy PNG file without the malicious code is served instead.  Steganography is the art and science of hiding information within another message or object so that it is not noticeable to the casual observer.  It differs from cryptography, which scrambles the information to make it unreadable without a key.  Steganography can be used for various purposes, such as secret communication, watermarking, authentication, or covert operations.

WoofLocker is also known as 404Browlock because visiting the browlock URL directly, without the appropriate redirection or one-time session token, results in a 404 error page.

Researchers’ latest analysis shows that the campaign is still ongoing.  "The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts," Jérôme Segura, director of threat intelligence at Malwarebytes, said.  "It is just as difficult to reproduce and study the redirection mechanism now as it was then, especially in light of new fingerprinting checks" to detect the presence of virtual machines, certain browser extensions, and security tools.

Most sites loading WoofLocker are adult websites, with the infrastructure using hosting providers in Bulgaria and Ukraine that give the threat actors stronger protection against takedowns.  The primary goal of browser lockers is to get targeted victims to call for assistance to resolve (non-existent) computer problems, gain remote control over the computer, and draft an invoice recommending that affected individuals pay for a security solution to address the problem.  "Third-parties handle this via fraudulent call centers," Segura noted in 2020.  "The threat actor behind the traffic redirection and browlock will get paid for each successful lead."

The exact identity of the threat actor remains unknown, and there is evidence that preparations for the campaign have been underway since as early as 2017.  "Unlike other campaigns that rely on purchasing ads and playing whack-a-mole with hosting providers and registrars, WoofLocker is a very stable and low-maintenance business," Segura said.  "The websites hosting the malicious code have been compromised for years while the fingerprinting and browser locker infrastructure appears to be using solid registrar and hosting providers."

The disclosure comes as the company detailed a new malvertising infection chain that involves using bogus ads on search engines to direct users searching for remote access programs and scanners to booby-trapped websites that lead to the deployment of stealer malware.

What sets this campaign apart is its ability to fingerprint visitors using the WEBGL_debug_renderer_info API to gather the victim's graphics driver properties, sort real browsers from crawlers and virtual machines, and exfiltrate the data to a remote server that determines the next course of action.  "By using better filtering before redirecting potential victims to malware, threat actors ensure that their malicious ads and infrastructure remain online longer," Segura said.  "Not only does it make it more difficult for defenders to identify and report such events, it also likely impacts takedown actions."

The development also follows new research, which found that websites belonging to US government agencies, leading universities, and professional organizations have been hijacked over the last five years and used to push scam offers and promotions via "poison PDF" files uploaded to the portals.

Many of these scams are aimed at children and attempt to trick them into downloading apps, malware, or submitting personal details in exchange for non-existent rewards in online gaming platforms such as Fortnite and Roblox.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://thehackernews.com/2023/08/wooflocker-toolkit-hides-malicious.html
