{"id":17506,"date":"2020-01-22T09:10:04","date_gmt":"2020-01-22T17:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/22\/news-11241\/"},"modified":"2020-01-22T09:10:04","modified_gmt":"2020-01-22T17:10:04","slug":"news-11241","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/22\/news-11241\/","title":{"rendered":"WOOF locker: Unmasking the browser locker behind a stealthy tech support scam operation"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura | Date: Wed, 22 Jan 2020 16:00:00 +0000<\/strong><\/p>\n<p>In the early days, practically all tech support scammers would get their own leads by doing some amateur SEO poisoning and keyword stuffing on YouTube and other social media sites. They&#8217;d then leverage their boiler room to answer incoming calls from victims.<\/p>\n<p>Today, these practices continue, but we are seeing more advanced operations with a clear separation between lead generation and actual call fulfillment. <a href=\"https:\/\/blog.malwarebytes.com\/101\/2016\/06\/truth-in-malvertising-how-to-beat-bad-ads\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Malvertising campaigns (opens in a new tab)\">Malvertising campaigns<\/a> and redirections from compromised sites to browser locker pages are owned and operated by experienced purveyors of web traffic.<\/p>\n<p>There is one particular browser locker (browlock) campaign that had been eluding us for some time. It stands apart from the others: it strikes repeatedly on high-profile sites, such as the Microsoft Edge start page, and yet evades capture. In addition, and a first to our knowledge, the browser locker pages were built to be ephemeral, with unique, time-sensitive session tokens.<\/p>\n<p>In November 2019, we started dedicating more time to investigating this campaign, but it wasn&#8217;t until December that we were finally able to understand its propagation mechanism. 
In this blog, we share our findings by documenting how threat actors used targeted traffic-filtering coupled with <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/12\/new-evasion-techniques-found-in-web-skimmers\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"steganography (opens in a new tab)\">steganography<\/a> to create the most elaborate browser locker traffic scheme to date.<\/p>\n<h3>A well-documented history<\/h3>\n<p>There are many public reports about this <a rel=\"noreferrer noopener\" aria-label=\"tech support scam (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/06\/tech-support-scams-what-are-other-people-doing\/\" target=\"_blank\">tech support scam<\/a> affecting users with the same red screen template. Contrary to what some people have posted online, this is not malware, and computers aren&#8217;t infected. It is simply what we call a browser locker, or browlock for short, a <a rel=\"noreferrer noopener\" aria-label=\"social engineering technique (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2018\/08\/social-engineering-attacks-what-makes-you-susceptible\/\" target=\"_blank\">social engineering technique<\/a> that gives the illusion of a computer virus and scares people into calling a toll-free number for assistance. 
Here are some examples:<\/p>\n<ul>\n<li><a rel=\"noreferrer noopener\" aria-label=\"When Searching Ebay only I get Google Chrome Critical Error (opens in a new tab)\" href=\"https:\/\/community.ebay.com\/t5\/Technical-Issues\/When-Searching-Ebay-only-I-get-Google-Chrome-Critical-Error\/td-p\/28213453\" target=\"_blank\">When Searching Ebay only I get Google Chrome Critical Error<\/a> (eBay forums)<\/li>\n<li><a rel=\"noreferrer noopener\" aria-label=\"Microsoft Edge Critical Process Died Stop Code - Red Screen (opens in a new tab)\" href=\"https:\/\/answers.microsoft.com\/en-us\/edge\/forum\/all\/microsoft-edge-critical-process-died-stop-code-red\/ca2654f6-1802-4f21-b49f-14c9bdddf5fb\" target=\"_blank\">Microsoft Edge Critical Process Died Stop Code &#8211; Red Screen<\/a> (Microsoft forums)<\/li>\n<li><a rel=\"noreferrer noopener\" aria-label=\"First full day using new Surface and get this \u201ccritical process died error report\u201d. Why? (opens in a new tab)\" href=\"https:\/\/www.reddit.com\/r\/Surface\/comments\/e537il\/first_full_day_using_new_surface_and_get_this\/\" target=\"_blank\">First full day using new Surface and get this \u201ccritical process died error report\u201d. 
Why?<\/a> (Reddit)<\/li>\n<li><a rel=\"noreferrer noopener\" aria-label=\"Google Chrome Critical Error after update (opens in a new tab)\" href=\"https:\/\/forums.malwarebytes.com\/topic\/253666-google-chrome-critical-error-after-update\/?ct=1578937510\" target=\"_blank\">Google Chrome Critical Error after update<\/a> (Malwarebytes forums)<\/li>\n<\/ul>\n<p>One lengthy and epic <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/answers.microsoft.com\/en-us\/protect\/forum\/all\/im-seeing-trojanjsflafisid-detections-and-tech\/8fbe8eaf-1af0-4e76-9ab0-57828f631a5f\" target=\"_blank\">forum thread<\/a> on Microsoft&#8217;s forums describes how this browlock campaign has been afflicting the Microsoft Edge start page and even left Microsoft engineers <a rel=\"noreferrer noopener\" aria-label=\"puzzled (opens in a new tab)\" href=\"https:\/\/answers.microsoft.com\/en-us\/protect\/forum\/protect_defender-protect_scanning-windows_10\/im-seeing-trojanjsflafisid-detections-and-tech\/8fbe8eaf-1af0-4e76-9ab0-57828f631a5f?page=7&amp;messageId=3661a31c-2019-4808-a88b-283919038cc1\" target=\"_blank\">puzzled<\/a> as to where, exactly, it came from:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p>We do quite a bit of work to scan the ads we get from our exchanges, but some behave differently for certain users than they do when we do our scanning. In the future, please continue to submit feedback so we can narrow the scans on our end and potentially reproduce and remove this once and for all.<\/p>\n<\/blockquote>\n<p>This is noteworthy for a couple of reasons: First, it is quite daring to push your browlock right onto Microsoft&#8217;s own start page. Second, a large part of the target audience for tech support scams is going to be people who use Windows&#8217; default browser and start page. 
To this day, this campaign is still active on the MSN portal.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/ecosystem_.png\" data-rel=\"lightbox-0\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41979\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/ecosystem_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/ecosystem_.png\" data-orig-size=\"802,477\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"ecosystem_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/ecosystem_-300x178.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/ecosystem_-600x357.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/ecosystem_.png\" alt=\"\" class=\"wp-image-41979\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/ecosystem_.png 802w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/ecosystem_-300x178.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/ecosystem_-600x357.png 600w\" sizes=\"(max-width: 802px) 100vw, 802px\" \/><\/a><figcaption>Figure 1: Life cycle of a tech support scam campaign<\/figcaption><\/figure>\n<\/div>\n<p>This browlock was also found on many other large sites, including several online newspaper portals. 
For a campaign to run with such a wide distribution and for this length of time is unheard of, at least when it comes to browser lockers.<\/p>\n<h3>Cat-and-mouse game<\/h3>\n<p>Each victim report we received was more or less the same. A user would open up the MSN homepage or perhaps be browsing a popular tech portal, when all of a sudden their screen would turn red and display a warning message similar to the one shown below:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge1_.png\" data-rel=\"lightbox-1\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41867\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/edge1_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge1_.png\" data-orig-size=\"1648,879\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Edge1_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge1_-300x160.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge1_-600x320.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge1_.png\" alt=\"\" class=\"wp-image-41867\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge1_.png 1648w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge1_-300x160.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge1_-600x320.png 600w\" sizes=\"(max-width: 1648px) 100vw, 1648px\" \/><\/a><figcaption>Figure 2: Browlock as seen by a victim<\/figcaption><\/figure>\n<\/div>\n<p>As we&#8217;d go to manually check the page, we would be greeted with a &#8220;404 Not Found&#8221; error message, as if it were gone. For this reason, we began calling this campaign the &#8220;404Browlock.&#8221; Attempts to replay the browser locker redirection by visiting the same portals as the victims were also unsuccessful.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge2_.png\" data-rel=\"lightbox-2\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41868\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/edge2_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge2_.png\" data-orig-size=\"1200,768\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Edge2_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge2_-300x192.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge2_-600x384.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge2_.png\" alt=\"\" class=\"wp-image-41868\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge2_.png 1200w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge2_-300x192.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/Edge2_-600x384.png 600w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/a><figcaption>Figure 3: Same browlock URL but now unavailable<\/figcaption><\/figure>\n<\/div>\n<p>Most, if not all, browlock URLs can be revisited without any special user-agent or geo-location tricks. In fact, browlocks themselves aren&#8217;t typically sophisticated; their only advantage is that they can rotate through hundreds or thousands of domain names faster than anyone can blacklist them.<\/p>\n<h3>Mapping the browser locker campaign infrastructure<\/h3>\n<p>Despite coming up empty each time, we started to build a list of indicators of compromise (IOCs) and did some retro hunting to get a better idea of the scale of this campaign.<\/p>\n<p>Most domain names are registered on the .XYZ TLD (although several other TLDs have been, and continue to be, used) and are named with dictionary words picked in roughly alphabetical order. Each line below lists the date observed, the domain, the hosting IP address and its ASN:<\/p>\n<pre class=\"wp-block-preformatted\">2019-12-06,transfiltration[.]xyz,158.69.0[.]190,AS 16276 (OVH SAS)<br \/>2019-12-06,transmutational[.]xyz,158.69.0[.]190,AS 16276 (OVH SAS)<br \/>2019-12-06,tricotyledonous[.]xyz,158.69.0[.]190,AS 16276 (OVH SAS)<br \/>2019-12-06,triethanolamine[.]xyz,158.69.0[.]190,AS 16276 (OVH SAS)<br \/>2019-12-06,trigonometrical[.]xyz,158.69.0[.]190,AS 16276 (OVH SAS)<br \/>2019-12-06,trithiocarbonic[.]xyz,158.69.0[.]190,AS 16276 (OVH SAS)<\/pre>\n<p>The threat actor hosts, on average, six domains on each VPS and rotates to new ones once they are burned. 
After retro hunting back to June 2019, we collected over 400 unique IP addresses.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/graph_view.png\" data-rel=\"lightbox-3\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41884\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/graph_view\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/graph_view.png\" data-orig-size=\"805,443\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"graph_view\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/graph_view-300x165.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/graph_view-600x330.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/graph_view.png\" alt=\"\" class=\"wp-image-41884\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/graph_view.png 805w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/graph_view-300x165.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/graph_view-600x330.png 600w\" sizes=\"(max-width: 805px) 100vw, 805px\" \/><\/a><figcaption>Figure 4: Graph view of domains and servers for this campaign<\/figcaption><\/figure>\n<\/div>\n<p>Looking at additional data sources, we can see that this browser locker campaign started at least in <a 
rel=\"noreferrer noopener\" aria-label=\"December 2017 (opens in a new tab)\" href=\"https:\/\/urlscan.io\/result\/a2bfde06-f024-4e8d-9a5f-209aa47d7b99\/\" target=\"_blank\">December 2017<\/a>. At the time, the infrastructure was located on a different hosting provider and domains used the .WIN TLD.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/AS44050.png\" data-rel=\"lightbox-4\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41886\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/as44050\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/AS44050.png\" data-orig-size=\"758,469\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"AS44050\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/AS44050-300x186.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/AS44050-600x371.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/AS44050.png\" alt=\"\" class=\"wp-image-41886\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/AS44050.png 758w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/AS44050-300x186.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/AS44050-600x371.png 600w\" sizes=\"(max-width: 758px) 100vw, 758px\" \/><\/a><figcaption>Figure 5: The 
earliest known instance of the browlock<\/figcaption><\/figure>\n<\/div>\n<p>Even back then, visiting the browlock URL directly (without proper redirection) would also result in a 404 page.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/urlscanio_win.png\" data-rel=\"lightbox-5\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41888\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/urlscanio_win\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/urlscanio_win.png\" data-orig-size=\"1080,819\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"urlscanio_win\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/urlscanio_win-300x228.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/urlscanio_win-600x455.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/urlscanio_win.png\" alt=\"\" class=\"wp-image-41888\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/urlscanio_win.png 1080w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/urlscanio_win-300x228.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/urlscanio_win-600x455.png 600w\" sizes=\"(max-width: 1080px) 100vw, 1080px\" \/><\/a><figcaption>Figure 6: Incomplete browlock scanned by 
crawler<\/figcaption><\/figure>\n<\/div>\n<p>One lone artifact, an audio file (help.mp3), was <a rel=\"noreferrer noopener\" aria-label=\"indexed (opens in a new tab)\" href=\"https:\/\/www.virustotal.com\/gui\/file\/47b0178be651509cb7f3dfc4cdcb5b367e40d0eeae1276832b068204e58d21ec\/detection\" target=\"_blank\">indexed<\/a> by VirusTotal and can be played below:<\/p>\n<figure class=\"wp-block-audio\"><audio controls src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/help.mp3\"><\/audio><\/figure>\n<p>Again based on open source data, we created a rough timeline of the infrastructure the threat actors abused\u2014from where they were first spotted on Petersburg Internet to moving briefly to DigitalOcean before settling on OVH from January 30, 2019 onward.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/timeline_.png\" data-rel=\"lightbox-6\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41901\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/timeline_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/timeline_.png\" data-orig-size=\"648,400\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"timeline_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/timeline_-300x185.png\" 
data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/timeline_-600x370.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/timeline_.png\" alt=\"\" class=\"wp-image-41901\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/timeline_.png 648w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/timeline_-300x185.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/timeline_-600x370.png 600w\" sizes=\"(max-width: 648px) 100vw, 648px\" \/><\/a><figcaption>Figure 7: Timeline showing changes in hosting providers<\/figcaption><\/figure>\n<\/div>\n<h3>Steganography to hide redirection mechanism<\/h3>\n<p>Given that we couldn&#8217;t identify how this browlock was propagating, we figured it must be using an unconventional trick.<\/p>\n<p>Many of the sites that victims reported being on when the browlock happened contained videos, so we thought one likely vector could be video ads. This <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2015\/11\/video-ads-malvertisings-next-frontier\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"form of malvertising (opens in a new tab)\">form of malvertising<\/a> is more advanced than traditional malicious banners because it enables the crooks to hide their payload within media content.<\/p>\n<p>Once again, we spent a fair amount of time looking at video ads but still couldn&#8217;t identify the entry point. 
We switched our search to another type of medium, but evidence shared with us later on confirmed the video ad infection vector.<\/p>\n<p>Coincidentally, we had just been studying some interesting <a rel=\"noreferrer noopener\" aria-label=\"new developments (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/12\/new-evasion-techniques-found-in-web-skimmers\/\" target=\"_blank\">new developments<\/a> with online credit card skimmers where malicious code was embedded into image files. This technique, known as steganography, is a clever way to hide artifacts from humans and scanners.<\/p>\n<p>While developing tools to identify such rogue images, we came across what we thought might be the smoking gun: a PNG file that contained obfuscated data.<\/p>\n<p>This time, though, if the fraudsters were indeed using steganography, they certainly weren&#8217;t making it obvious. The PNG was malformed, with extra data appended after its IEND end-of-file marker. Image decoders stop reading at IEND, so such a file renders normally in the browser, and the appended bytes only show up to something that inspects the raw file.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/PNG_.png\" data-rel=\"lightbox-7\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41855\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/png_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/PNG_.png\" data-orig-size=\"710,732\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" 
data-image-title=\"PNG_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/PNG_-291x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/PNG_-582x600.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/PNG_.png\" alt=\"\" class=\"wp-image-41855\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/PNG_.png 710w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/PNG_-291x300.png 291w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/PNG_-582x600.png 582w\" sizes=\"(max-width: 710px) 100vw, 710px\" \/><\/a><figcaption>Figure 8: A small image hiding away data (the browlock URL)<\/figcaption><\/figure>\n<\/div>\n<p>Unlike the aforementioned credit card skimmer, which was clearly visible and recognizable with obvious character strings, this one looked like it was encoded. And clearly, the image on its own could not be weaponized: it needed additional code to load it, along with a per-victim unique key to decrypt it.<\/p>\n<h3>Anti-bot and traffic filtering<\/h3>\n<p>The JavaScript code that interacted with the PNG image used some light hex obfuscation and random variable naming to hide its intentions.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/videocard.png\" data-rel=\"lightbox-8\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41970\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/videocard\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/videocard.png\" data-orig-size=\"707,613\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"videocard\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/videocard-300x260.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/videocard-600x520.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/videocard.png\" alt=\"\" class=\"wp-image-41970\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/videocard.png 707w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/videocard-300x260.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/videocard-600x520.png 600w\" sizes=\"(max-width: 707px) 100vw, 707px\" \/><\/a><figcaption>Figure 9: JavaScript used to fingerprint users and decode the PNG<\/figcaption><\/figure>\n<\/div>\n<p>The hex-escaped string <em>x57x45x42x47x4c<\/em> decodes to <em>WEBGL<\/em>, and by decoding the rest of the obfuscated variable, we can see that this script is using the <a rel=\"noreferrer noopener\" aria-label=\"WEBGL_debug_renderer_info (opens in a new tab)\" href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/WEBGL_debug_renderer_info\" target=\"_blank\">WEBGL_debug_renderer_info<\/a> API to gather the victim&#8217;s video card properties (the unmasked vendor and renderer strings). This allows the threat actors to sort real browsers (and therefore real people) from crawlers or virtual machines, which typically report a software or virtualized renderer rather than the expected hardware information. 
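<\/p>\n<p>To make the mechanism concrete, the block below is an added example written for this page; it is not code from the original post, nor the campaign&#8217;s own script. It rebuilds, in a form that runs offline under Node, the three things the loader does according to this section and the paragraphs that follow: decoding the hex-escaped identifier, gating on the vendor and renderer strings returned by WEBGL_debug_renderer_info, and pulling the payload out of a PNG that carries extra bytes after its IEND chunk behind the @#@ delimiter. Everything it consumes is constructed for the example: the PNG bytes (a header and IEND chunk only, with no pixel data), the two stub WebGL contexts, and the placeholder payload text. The list of software-renderer keywords used to flag headless browsers and VMs is an assumption for illustration; the post does not reproduce the campaign&#8217;s actual filtering criteria, and the @#@ split yields an opaque blob here rather than a decrypted URL, since the per-victim key is not part of the page.<\/p>\n

```javascript
// Added example, not code from the original post nor the campaign's script:
// the loader's three behaviours (hex-obfuscated identifiers, a WebGL renderer
// gate, and a payload appended to a PNG after IEND behind '@#@') rebuilt so
// they run under Node. Inputs are constructed; the keyword list is assumed.

const PNG_SIGNATURE = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
const DELIMITER = '@#@';

// 'x57x45x42x47x4c' -> 'WEBGL' (the light hex obfuscation in Figure 9).
function decodeHexString(s) {
  return s.split('x').filter(Boolean)
    .map((h) => String.fromCharCode(parseInt(h, 16))).join('');
}

// Renderer substrings typical of headless browsers and VMs (assumed list).
const SOFTWARE_RENDERERS = ['swiftshader', 'llvmpipe', 'mesa offscreen', 'vmware', 'virtualbox'];

// Query WEBGL_debug_renderer_info as the loader does and decide whether the
// unmasked strings look like real hardware. gl is anything exposing
// getExtension/getParameter, so a real WebGL context or a stub both work.
function gpuFingerprint(gl) {
  const ext = gl.getExtension(decodeHexString('x57x45x42x47x4c') + '_debug_renderer_info');
  if (!ext) return { vendor: null, renderer: null, realHardware: false };
  const vendor = String(gl.getParameter(ext.UNMASKED_VENDOR_WEBGL));
  const renderer = String(gl.getParameter(ext.UNMASKED_RENDERER_WEBGL));
  const realHardware = !SOFTWARE_RENDERERS.some((s) => renderer.toLowerCase().includes(s));
  return { vendor, renderer, realHardware };
}

// Walk the chunk list and return the offset just past IEND, or -1 for a
// malformed file. CRCs are not checked: a viewer stops at IEND whether or
// not bytes follow it, which is what keeps the trailer invisible.
function pngEndOffset(buf) {
  if (buf.length < 8 || PNG_SIGNATURE.some((b, i) => buf[i] !== b)) return -1;
  let pos = 8;
  while (pos + 8 <= buf.length) {
    const len = buf.readUInt32BE(pos);
    const type = buf.toString('latin1', pos + 4, pos + 8);
    const next = pos + 12 + len;        // length + type + data + crc
    if (next > buf.length) return -1;   // truncated chunk
    if (type === 'IEND') return next;
    pos = next;
  }
  return -1;
}

// The _Nux step: keep what follows the delimiter in the trailer. A decoy
// yields '' (the empty _OIEq), so there is nothing to decrypt or eval.
function extractTrailer(buf) {
  const end = pngEndOffset(buf);
  if (end < 0) return { validPng: false, trailingBytes: 0, payload: '' };
  const trailer = buf.subarray(end).toString('latin1');
  const idx = trailer.indexOf(DELIMITER);
  return { validPng: true, trailingBytes: buf.length - end,
    payload: idx < 0 ? '' : trailer.slice(idx + DELIMITER.length) };
}

// Only a real GPU together with an armed image gives something to decrypt.
function wouldRedirect(gl, png) {
  return gpuFingerprint(gl).realHardware && extractTrailer(png).payload !== '';
}

// ---- constructed sample input (CRC32 so the chunks are well-formed) ----
function crc32(bytes) {
  let c = 0xffffffff;
  for (const b of bytes) {
    c ^= b;
    for (let k = 0; k < 8; k++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return (c ^ 0xffffffff) >>> 0;
}

function chunk(type, data) {
  const body = Buffer.concat([Buffer.from(type, 'latin1'), data]);
  const out = Buffer.alloc(8 + body.length);
  out.writeUInt32BE(data.length, 0);
  body.copy(out, 4);
  out.writeUInt32BE(crc32(body), 4 + body.length);
  return out;
}

// 1x1 greyscale PNG with IHDR and IEND only (no pixel data), plus a trailer.
function buildPng(trailer) {
  const ihdr = Buffer.alloc(13);
  ihdr.writeUInt32BE(1, 0); ihdr.writeUInt32BE(1, 4); ihdr[8] = 8;
  return Buffer.concat([Buffer.from(PNG_SIGNATURE), chunk('IHDR', ihdr),
    chunk('IEND', Buffer.alloc(0)), Buffer.from(trailer, 'latin1')]);
}

const DECOY_PNG = buildPng('');
const ARMED_PNG = buildPng(DELIMITER + 'placeholder-encoded-blob');
// Stub contexts standing in for a headless crawler and a real desktop.
function stubGl(vendor, renderer) {
  return {
    getExtension: (name) => (name === 'WEBGL_debug_renderer_info'
      ? { UNMASKED_VENDOR_WEBGL: 0x9245, UNMASKED_RENDERER_WEBGL: 0x9246 } : null),
    getParameter: (p) => (p === 0x9245 ? vendor : renderer),
  };
}
const HEADLESS_GL = stubGl('Google Inc.', 'Google SwiftShader');
const DESKTOP_GL = stubGl('NVIDIA Corporation', 'NVIDIA GeForce GTX 1060 Direct3D11');
```

<p>The decoy case is the one worth checking first: extractTrailer on a PNG with nothing after IEND returns an empty payload, which is the empty _OIEq the script ends up with for filtered visitors, and wouldRedirect stays false for a headless renderer even when the image is armed. For triage of a suspect image, comparing pngEndOffset with the file size is enough; anything past the returned offset is not part of the image and deserves a look.<\/p>\n<p>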
The <a rel=\"noreferrer noopener\" aria-label=\"Zirconium (opens in a new tab)\" href=\"https:\/\/blog.confiant.com\/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85\" target=\"_blank\">Zirconium<\/a> group&#8217;s vast malvertising operation, disclosed in January 2018 by Jerome Dangu over at Confiant, also used that same API to filter traffic.<\/p>\n<p>But perhaps the most interesting function within this JavaScript snippet is the one that processes the actual PNG image behind the steganography. The <em>_Nux<\/em> function splits the image data on the <em>@#@<\/em> delimiter (visible in Figure 8 above) and stores the extracted part in the <em>_OIEq<\/em> variable.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/function.png\" data-rel=\"lightbox-9\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41864\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/function-3\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/function.png\" data-orig-size=\"739,405\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"function\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/function-300x164.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/function-600x329.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/function.png\" 
alt=\"\" class=\"wp-image-41864\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/function.png 739w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/function-300x164.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/function-600x329.png 600w\" sizes=\"(max-width: 739px) 100vw, 739px\" \/><\/a><figcaption>Figure 10: The core function responsible for the decryption of the PNG data<\/figcaption><\/figure>\n<\/div>\n<p>If the visitor is identified as a bot or as uninteresting traffic, the PNG they receive carries no extra data after the IEND end-of-file marker, and the <em>_OIEq<\/em> variable is therefore empty.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/clean_PNG.png\" data-rel=\"lightbox-10\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41971\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/clean_png\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/clean_PNG.png\" data-orig-size=\"643,265\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"clean_PNG\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/clean_PNG-300x124.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/clean_PNG-600x247.png\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/clean_PNG.png\" alt=\"\" class=\"wp-image-41971\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/clean_PNG.png 643w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/clean_PNG-300x124.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/clean_PNG-600x247.png 600w\" sizes=\"(max-width: 643px) 100vw, 643px\" \/><\/a><figcaption>Figure 11: A clean\/decoy PNG (for non targets)<\/figcaption><\/figure>\n<\/div>\n<p>The function still attempts to parse the PNG, but it will fail on the <em>eval<\/em>, and will not generate the browlock URL. The user, not being considered a proper candidate, will not be redirected and won&#8217;t even be aware of the fingerprinting that just happened.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/empty_data.png\" data-rel=\"lightbox-11\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41858\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/attachment\/empty_data\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/empty_data.png\" data-orig-size=\"780,398\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"empty_data\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/empty_data-300x153.png\" 
data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/empty_data-600x306.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/empty_data.png\" alt=\"\" class=\"wp-image-41858\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/empty_data.png 780w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/empty_data-300x153.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/empty_data-600x306.png 600w\" sizes=\"(max-width: 780px) 100vw, 780px\" \/><\/a><figcaption>Figure 12: When the PNG does not contain any extra data, no browlock URL is returned<\/figcaption><\/figure>\n<\/div>\n<p>This kind of filtering is not usually seen (except for <a rel=\"noreferrer noopener\" aria-label=\"advanced malvertising operations (opens in a new tab)\" href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/The-Shadow-Knows\" target=\"_blank\">advanced malvertising operations<\/a>), which is one of the reasons why so many victims have experienced this browlock, yet little is known about it. <\/p>\n<h3>Anti-replay mechanism<\/h3>\n<p>The next evasion technique is intended for security folks, and those trying to troubleshoot these malicious redirections. 
A network traffic capture (SAZ, HAR) must include the malicious JavaScript, as well as the steganographic PNG and the browlock itself.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/traffic_.png\" alt=\"\" class=\"wp-image-41905\" \/><figcaption>Figure 13: Network traffic revealing the elements behind the redirection<\/figcaption><\/figure>\n<\/div>\n<p>Similar to a technique we&#8217;ve previously only observed with 
exploit kits, the threat actor is using one-time tokens to prevent &#8220;artificial&#8221; replays of the redirection mechanism. If the proper session key is not provided, the decryption of the PNG data will fail to produce the browlock URL.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/token.png\" alt=\"\" class=\"wp-image-41859\" \/><figcaption>Figure 14: When the wrong key is supplied, the code fails to generate the browlock URL<\/figcaption><\/figure>\n<\/div>\n<p>Once again, we must pause for a moment and note that this kind of complexity is unheard of for something like a browser locker. While cloaking techniques are common, this is by far the most covert way we&#8217;ve seen to redirect to any browlock.<\/p>\n<h3>Other traffic chains<\/h3>\n<p>After we had discovered the PNG redirection mechanism, we shared our findings with security firm <a rel=\"noreferrer noopener\" href=\"https:\/\/www.confiant.com\/\" target=\"_blank\">Confiant<\/a>. They were aware of the domain api.imagecloudsedo[.]com but had seen it in a different campaign. Confiant nicknamed it WOOF due to a string of the same name found in the code.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/WOOf_script.png\" alt=\"\" class=\"wp-image-42023\" \/><figcaption>Figure 15: WOOF script identified by Confiant in September 2019<\/figcaption><\/figure>\n<\/div>\n<p>Additionally, Google, with Confiant acting as intermediary, shared yet another instance that explains the number of redirections from newspaper sites we had been seeing. This second instance of the WOOf script was loaded via video widgets.<\/p>\n<p><a rel=\"noreferrer noopener\" aria-label=\"Digital Media Communications (opens in a new tab)\" href=\"https:\/\/digitalmediacommunications.com\" target=\"_blank\">Digital Media Communications<\/a>, a company that specializes in ads converted into widgets for the web, was apparently compromised several months ago. 
According to data collected by the Internet Archive, one of their scripts hosted at <em>widgets.digitalmediacommunications[.]com\/chosen\/chosen.jquery.min.js<\/em> was injected on <a rel=\"noreferrer noopener\" aria-label=\"August 13 2019 (opens in a new tab)\" href=\"https:\/\/web.archive.org\/web\/20190813170333\/http:\/\/widgets.digitalmediacommunications.com\/chosen\/chosen.jquery.min.js\" target=\"_blank\">August 13, 2019<\/a>.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/injected-1.png\" alt=\"\" class=\"wp-image-42006\" \/><figcaption>Figure 16: Evidence of tampering caught via Internet Archive<\/figcaption><\/figure>\n<\/div>\n<p>A number of websites, many of them news portals, load this widget and are therefore unwittingly exposing their visitors, as the compromised library subsequently retrieves the malicious PNG from api.imagecloudsedo[.]com before redirecting to the browlock page.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/videotour.png\" alt=\"\" class=\"wp-image-42008\" \/><figcaption>Figure 17: Online newspaper site with compromised widget<\/figcaption><\/figure>\n<\/div>\n<p>It&#8217;s highly likely that there are other compromises of third parties that haven&#8217;t been found yet, although we suspect that the methods used would be similar to the ones we know about.<\/p>\n<h3>Examining the browser locker page<\/h3>\n<p>The following diagram depicts what needs to take place in order for victims to get redirected to the browser locker page after several layers of validation.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/flow_.png\" alt=\"\" class=\"wp-image-42009\" \/><figcaption>Figure 18: Flow showing redirection mechanism to browlock pages<\/figcaption><\/figure>\n<\/div>\n<p>Ultimately, the previously analyzed function will arrive at the <em>eval<\/em> part of the code and return code to launch the browlock.<\/p>\n<pre class=\"wp-block-preformatted\">top.location = '[browlock URL]';<\/pre>\n<p>This little bit of code redirects the current browser page to the new URL. It is, in fact, one of the most <a rel=\"noreferrer noopener\" aria-label=\"common technique (opens in a new tab)\" href=\"https:\/\/blog.confiant.com\/how-bad-ads-hijack-your-browser-with-one-simple-trick-712ad3590a13\" target=\"_blank\">common techniques<\/a> for malicious ads to redirect users to scam pages. We believe the threat actor is likely using the same trick for its other malvertising campaigns.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/browlock_.png\" alt=\"\" class=\"wp-image-41977\" \/><figcaption>Figure 19: The browlock template for Google Chrome<\/figcaption><\/figure>\n<\/div>\n<p>This browser locker is clean and self-contained: it obfuscates its source code and has few external dependencies, such as libraries. 
We can see that it uses the <a rel=\"noreferrer noopener\" aria-label=\"evil cursor (opens in a new tab)\" href=\"https:\/\/bugs.chromium.org\/p\/chromium\/issues\/detail?id=880863\" target=\"_blank\">evil cursor<\/a>, which is a flaw that allows criminals to create a fake cursor that tricks users into clicking on the wrong area when they are trying to close a browlock.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/evilcursor_.png\" alt=\"\" class=\"wp-image-41913\" \/><figcaption>Figure 20: Source code showing the fake cursor designed to interfere<\/figcaption><\/figure>\n<\/div>\n<p>While Chrome and Edge users can somewhat get rid of the offending page, on Firefox, this is a true browlock, causing the browser to eventually crash.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/FF_browlock_.gif\" alt=\"\" class=\"wp-image-41996\" \/><figcaption>Figure 21: User cannot close the browlock in Firefox<\/figcaption><\/figure>\n<\/div>\n<p>The code used to freeze the browser has been duplicated enough times to render the browser useless. In the image below, we see the same function with slightly different parameters.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/pushstate.png\" alt=\"\" class=\"wp-image-41997\" \/><figcaption>Figure 22: Code responsible for the browlock effect<\/figcaption><\/figure>\n<\/div>\n<p>If we deobfuscate any of the functions, we recognize the <a rel=\"noreferrer noopener\" aria-label=\"history.pushState() (opens in a new tab)\" href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/History\/pushState\" target=\"_blank\">history.pushState()<\/a> method, which we <a rel=\"noreferrer noopener\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2016\/11\/tech-support-scammers-abuse-bug-in-html5-feature-to-freeze-computers\/\" target=\"_blank\">reported<\/a> back in 2016, and which is still not handled well by most browsers. This bug actually came to Mozilla&#8217;s attention <a rel=\"noreferrer noopener\" aria-label=\"3 years ago (opens in a new tab)\" href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1314912\" target=\"_blank\">three years ago<\/a>, and more recently when someone <a rel=\"noreferrer noopener\" aria-label=\"reported (opens in a new tab)\" href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1562245\" target=\"_blank\">reported<\/a> the same 404Browlock:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/bug_report.png\" alt=\"\" class=\"wp-image-41998\" \/><figcaption>Figure 23: User reporting same browlock to Mozilla<\/figcaption><\/figure>\n<\/div>\n<p>Browser lockers can be difficult to fix because they often use code that is otherwise perfectly legitimate. Browser vendors often have to juggle performance and compatibility issues at the same time.<\/p>\n<h3>Handing victims over to tech support scammers<\/h3>\n<p>The ultimate goal for browser lockers is to get people to call for assistance to resolve (non-existent) computer problems. This is handled by third parties via fraudulent call centers. 
The threat actor behind the traffic redirection and browlock will get paid for each successful lead.<\/p>\n<p>To confuse victims, the fake Microsoft agent will tell you to run some commands simply intended to open up a browser window.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/hh.png\" alt=\"\" class=\"wp-image-41972\" \/><figcaption>Figure 24: Scammer instructing victim to run a command<\/figcaption><\/figure>\n<\/div>\n<p>From there, they will ask you to 
download and run a remote assistance program that will enable them to take control of your computer. A few minutes later, they will use their favorite tool, Notepad, to start drafting an invoice:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/payment.png\" alt=\"\" class=\"wp-image-41974\" \/><figcaption>Figure 25: The invoice to fix this browlock<\/figcaption><\/figure>\n<\/div>\n<p>While the machine is still supposedly 
infected, they will simply browse to a site to take the payment for 1 year, 3 year, or 5 year plans costing $195, $245, and $345, respectively.<\/p>\n<h3>Where do we go from here?<\/h3>\n<p>Given the level of sophistication involved in this campaign, we can expect that the threat actor has diversified their traffic to have some kind of redundancy.<\/p>\n<p>We hope that our efforts to expose this scheme will help others to identify the browlock redirections within their networks. Despite our repeated attempts to report these abuses, they have not been fixed. We remain available to OVH for closer collaboration to shut down this campaign.<\/p>\n<p>For best protection against this and other browlocks, we recommend using our free browser extension, <a rel=\"noreferrer noopener\" aria-label=\"Browser Guard (opens in a new tab)\" href=\"https:\/\/www.malwarebytes.com\/browserguard\/\" target=\"_blank\">Browser Guard<\/a>. Not only does it benefit from our domain and IP blacklist, but it can also detect and block browlocks and other tech support scams via signatureless techniques.<\/p>\n<h3>Acknowledgements<\/h3>\n<p>We would like to thank <a rel=\"noreferrer noopener\" aria-label=\"Confiant (opens in a new tab)\" href=\"https:\/\/www.confiant.com\/\" target=\"_blank\">Confiant<\/a> for sharing additional data regarding the other cases of the malicious script (_WOOf variant).<\/p>\n<p>Thanks to <a href=\"https:\/\/twitter.com\/prsecurity_\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"@prsecurity_ (opens in a new tab)\">@prsecurity_<\/a> for pointing out a quicker way to retrieve the browlock URL by RC4 decrypting the PNG data using the unique key found within the script.<\/p>\n<h3>Indicators of Compromise (IOCs)<\/h3>\n<p>There are simply too many IOCs to put here, so we&#8217;ve uploaded the browlock domains and IP addresses as a <a href=\"https:\/\/github.com\/MBThreatIntel\/TSS\/blob\/master\/woof.stix2\" target=\"_blank\" rel=\"noreferrer noopener\" 
aria-label=\" (opens in a new tab)\">STIX2 file<\/a> onto our GitHub page. It includes data going back to June 2019 based on indicators we collected by conducting retro hunting. Please note that this is only a partial account of this campaign based on the data we could collect.<\/p>\n<p><strong>Compromised library<\/strong><\/p>\n<pre class=\"wp-block-preformatted\">widgets.digitalmediacommunications[.]com\/chosen\/chosen.jquery.min.js<\/pre>\n<p><strong>Steganographic redirector<\/strong><\/p>\n<pre class=\"wp-block-preformatted\">api.imagecloudsedo[.]com<br \/>141.98.81[.]198<\/pre>\n<p><strong>Regex to identify the browlock URLs<\/strong><\/p>\n<pre class=\"wp-block-preformatted\">\/en\/?search=w?(%[w_-~.]{1,4}){10,20}&amp;list=([0-9]00000|null)$<\/pre>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/\">WOOF locker: Unmasking the browser locker behind a stealthy tech support scam operation<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 22 Jan 2020 16:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/' title='WOOF locker: Unmasking the browser locker behind a stealthy tech support scam operation'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/shutterstock_1490489918.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>We reveal the inner workings of WOOF locker, 
the most sophisticated browser locker campaign we&#8217;ve seen to date. Learn how this tech support scam evades researchers and ensnares users by hiding in plain sight.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/404browlock\/\" rel=\"tag\">404Browlock<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/404error\/\" rel=\"tag\">404error<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/browlock\/\" rel=\"tag\">browlock<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/browlocks\/\" rel=\"tag\">browlocks<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/browser-guard\/\" rel=\"tag\">Browser guard<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/browser-locker\/\" rel=\"tag\">browser locker<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/chrome\/\" rel=\"tag\">chrome<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/edge\/\" rel=\"tag\">Edge<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/firefox\/\" rel=\"tag\">firefox<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malvertising\/\" rel=\"tag\">malvertising<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malvertising-campaigns\/\" rel=\"tag\">malvertising campaigns<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/microsoft\/\" rel=\"tag\">microsoft<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/scams\/\" rel=\"tag\">scams<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/social-engineering\/\" rel=\"tag\">Social Engineering<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/steganography\/\" rel=\"tag\">steganography<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tech-support\/\" rel=\"tag\">tech support<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tech-support-scams\/\" rel=\"tag\">tech support scams<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tss\/\" 
rel=\"tag\">TSS<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/woof\/\" rel=\"tag\">WOOF<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/' title='WOOF locker: Unmasking the browser locker behind a stealthy tech support scam operation'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/01\/woof-locker-stealthy-browser-locker-tech-support-scam\/\">WOOF locker: Unmasking the browser locker behind a stealthy tech support scam operation<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[23984,23985,17024,19502,22979,17025,10699,12616,11122,10531,23986,10516,10574,10510,11039,10536,10577,10494,10545,23987],"class_list":["post-17506","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-404browlock","tag-404error","tag-browlock","tag-browlocks","tag-browser-guard","tag-browser-locker","tag-chrome","tag-edge","tag-firefox","tag-malvertising","tag-malvertising-campaigns","tag-microsoft","tag-scams","tag-social-engineering","tag-steganography","tag-tech-support","tag-tech-support-scams","tag-threat-analysis","tag-tss","tag-woof"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.
php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17506"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17506\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17506"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}