Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users' browsers even after users have closed or navigated away from the site on which they were infected.
This new attack, called MarioNet, opens the door to assembling giant botnets from users' browsers. These botnets can be used for in-browser cryptocurrency mining (cryptojacking), DDoS attacks, malicious file hosting/sharing, distributed password cracking, proxy network creation, ad click fraud, and traffic statistics boosting, researchers say.
The MarioNet attack is an upgrade to a similar concept for creating a web-based botnet described in the Puppetnet survey 1
The difference between the two is that MarioNet can survive when users close the browser tab or move away from the web page containing the malicious code.
This is possible because modern browsers now support a new API called Service Workers. This mechanism allows a website to isolate operations that provide a page's user interface from operations that handle intense computing tasks so that the web page user interface does not freeze when processing large amounts of data.
Technically, service workers are an update to an older API called web workers. But unlike web workers, a service worker, once registered and activated, can live and run in the site's background without the user continuing to browse the site that loaded the service worker.
MarioNet (a clever spelling of "marionette") exploits the powers that service workers offer in modern browsers.
The attack consists of registering a service worker when the user lands on an attacker-controlled website and then abusing the Service Worker SyncManager interface to keep the service worker alive after the user navigates away.
The attack is silent and does not require any kind of user interaction because browsers do not alert users or request permission before registering a service worker. Everything happens under the browser's hood, as the user waits for the site to load, and users have no idea that sites have registered service workers, as there is no visible indicator in a browser.
Furthermore, a MarioNet attack is also decoupled from the attack point. For example, attackers can infect users on Website A, but later control all the service workers from Server B.
This allows attackers to place malicious code for a short period on high traffic sites, get a large user base, remove malicious code, but continue to control infected web browsers from another central server.
Additionally, the MarioNet attack can also persist across browser restarts by abusing the Web Push API. However, this will require the attacker to obtain permission from the users of the infected hosts to access this API.
The botnet created through the MarioNet technique can then be used for various criminal endeavors, such as in-browser cryptocurrency mining (cryptojacking), DDoS attacks, malicious file hosting/sharing, distributed password cracking, proxy network creation, ad click fraud, and traffic statistics boosting.
For example, using MarioNet-infected bots for file hosting relies on built-in data storage APIs that are already available in browsers and that allow websites to store and retrieve files from a user's computer. This makes detecting MarioNet infections and subsequent attacks almost impossible.
Since service workers were introduced a few years back, the MarioNet attack also works in almost all desktop and mobile browsers. The only ones where a MarioNet attack did not work were IE (desktop), Opera Mini (mobile) and Blackberry (mobile).
In the study, the research crew also describes methods by which MarioNet can avoid detection by anti-malware browser extensions and anti-mining countermeasures, and also presents several mitigations that browsers can take.
The MarioNet attack will be presented today at the NDSS 2019 conference in San Diego, USA. More details about MarioNet are available in a related research paper entitled "Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation", available for download in PDF format from here.
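For the scenario above in which code is planted briefly on a legitimate site, removing the planted script does not remove service workers it already registered, so the site operator can ship a cleanup check like the following. This is an added example, not code from the paper or the article; the allowlist URL and the stub container are constructed, and it only sees workers registered under the site's own origin (one registered from a third-party frame belongs to that frame's origin).

```javascript
// Added example. The allowlist entry and the stub below are constructed.
const EXPECTED_WORKERS = new Set(["https://site-a.example/sw.js"]);

// Pure check: is this registration backed by a script the site ships?
function isUnexpected(scriptURL, allowlist) {
  return !scriptURL || !allowlist.has(scriptURL);
}

// Enumerate this origin's registrations, record any pending Background Sync
// tags, and unregister every worker whose script is not on the allowlist.
// `container` is navigator.serviceWorker in a real page.
async function auditServiceWorkers(container, allowlist) {
  const report = [];
  for (const reg of await container.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    const scriptURL = worker ? worker.scriptURL : null;
    // SyncManager is not implemented in every browser, so guard the lookup.
    const syncTags = reg.sync ? await reg.sync.getTags() : [];
    const unexpected = isUnexpected(scriptURL, allowlist);
    const removed = unexpected ? await reg.unregister() : false;
    report.push({ scope: reg.scope, scriptURL, syncTags, unexpected, removed });
  }
  return report;
}

// Constructed stand-in for navigator.serviceWorker so the logic runs offline.
function makeStubContainer() {
  const mk = (scope, scriptURL, tags) => ({
    scope,
    active: { scriptURL },
    sync: { getTags: async () => tags },
    unregister: async () => true,
  });
  return {
    getRegistrations: async () => [
      mk("https://site-a.example/", "https://site-a.example/sw.js", []),
      mk("https://site-a.example/assets/", "https://site-a.example/assets/x.js", ["keepalive"]),
    ],
  };
}

// In a page: auditServiceWorkers(navigator.serviceWorker, EXPECTED_WORKERS)
```

Sending the returned report to the site's own logging endpoint shows how many visitors still carried an unexpected worker and which sync tags it had pending.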