eGobbler, a tool which uses online advertising to spread malware, has been taking advantage of two flaws found in popular internet browsers to spread pop-ups and redirect people to malicious websites.
Detailing the attacks in a blog post, cybersecurity firm Confiant revealed that one of the flaws was found in Chrome for iOS and was subsequently patched. The other is a zero-day flaw found in the WebKit browser engine.
Whoever is behind this attack has been at it for at least a year. That’s when security experts first noticed a malvertising campaign which displayed malicious ads on vulnerable machines. The campaigns usually last a couple of days. During that time, eGobbler buys legit ads on legit services, but changes the code to add a few malicious lines. This makes the browser perform unwanted activity, such as downloading a malicious payload or redirecting to a malicious website.
Browsers are usually protected from such attacks unless, as was the case here, they have a flaw which can be abused.
Cybersecurity researchers from Confiant notified the Chromium team about the vulnerability, which has since been assigned CVE-2019-5840. The team patched it in June’s Chrome version 75.
In August, the hackers started exploiting a flaw found in WebKit, the browser engine found in older Chrome versions and Apple’s Safari.
This September, this flaw was also patched, in Safari version 13.0.1.
"eGobbler's preference for desktop platforms during this period supports their latest WebKit exploit, as the 'onkeydown' event is less likely to spawn organically during mobile browsing," the researchers said. "The eGobbler group will often use CDNs [content delivery networks] for payload delivery. When available, they will leverage subdomains that look innocuous or include familiar brands," they warned.