A sophisticated browser locker campaign that ran on high-profile pages, like Microsoft Edge's home or popular tech sites, was deactivated this week after in-depth research was published.

The actors behind it used a compromised ad content supplier for top-tier distribution and combined targeted traffic filtering with steganography.

This mix allowed the operation to survive for at least two years, bringing victims to a tech support scam page and threat researchers to a dead end as they scratched their heads about how the redirect to the fake malware reporting page happened.

Stealthy and complex

As the name suggests, a browser locker (browlock) affects the web browser, making it unusable by redirecting it to a site that is difficult to close.

In a tech support scam, the landing page tells the visitor that malware caused the technical difficulty and provides a phone number where victims should seek help.

A browlock campaign had been hitting Microsoft users since February 2018 through malvertising on the Edge browser's start page, which is a customized version of Microsoft's MSN page.

Researchers at Confiant named it WOOF locker, while Malwarebytes calls it "404Browlock," because they would see a "404 Not Found" error message when they tried to check the redirect page manually.

Although the scam is simple, the delivery method is what made it stand out and live for so long on large sites and even online newspapers, says Jérôme Segura, Malwarebytes security researcher.

Victims reported that they would see a warning message on a red background (similar to the one below) when they opened a website that served WOOF locker through a tainted advertisement.

Segura found that WOOF locker had been present since at least December 2017 and benefited from an impressive infrastructure of more than 400 unique IP addresses.

The threat actor has lately registered domains in the .XYZ TLD space and used a dictionary, with "words grabbed somewhat alphabetically," to name them.

Services from French provider OVH were used to host them recently, but others, Digital Ocean and Petersburg, were spotted in the past.

Surviving for this long is unusual for a browlock campaign, and it is all due to propagation techniques that are uncommon for this type of operation.

"Many of the sites that victims reported being on when the browlock happened contained videos, so we thought one likely vector could be video ads. This form of malvertising is more advanced than traditional malicious banners because it enables the crooks to hide their payload within media content" - Jérôme Segura

The researchers found that the fraudster relied on steganography, delivering encoded extra data hidden inside a PNG file.

On its own, the code in the image did nothing, but it could be decrypted with JavaScript that contained keys unique to each victim.

Segura describes the technical details that kept WOOF locker running for so long, explaining the anti-bot and traffic-filtering functions that made researchers hit a brick wall when trying to replicate the effect reported by victims.

The JavaScript that interacted with the malformed PNG collected the video card properties of the host computer, which served to distinguish between real browsers, crawlers, and virtual machines.

This filtered the traffic so that only regular users were redirected to the browlock URL, while investigators received a clean PNG file that did nothing to load the scammer's landing page.

Supply chain compromise

Sharing findings with Confiant, Malwarebytes researchers learned how WOOF locker was able to reach pages of reputable websites: a company that turns ads into widgets was compromised and had one of its scripts injected with the malicious WOOF script.

This offered the final piece of the puzzle that explained the delivery method of this sophisticated browlock campaign.

When Segura first disclosed the technical details, the campaign was still active. However, immediately after he published the research and the indicators of compromise, the infrastructure supporting this browlock came tumbling down as a result of OVH action.

Not all of it is offline, but a large part of the infrastructure is, including the server responsible for serving the malformed PNG image.

The same actor may still be using the same tricks in other campaigns, though, or may deploy new ones using different registrars and web hosting providers.

Segura believes that the actor is likely to make even more changes, because his research exposed operational details that can help with future detection. Malwarebytes says that fresh activity from this browlock has not been observed since January 23.
