Browser Session Hijacking
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege
and/or high-integrity/administrator rights.
Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as Sharepoint or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)
Procedure Examples |
|
Name | Description |
---|---|
TrickBot |
TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: Microsoft Totbrick Oct 2017)(Citation: Trend Micro Trickbot Nov 2018) |
Dridex |
Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.(Citation: Dell Dridex Oct 2015) |
Carberp |
Carberp has captured credentials when a user performs login through a SSL session.(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010) |
Melcoz |
Melcoz can monitor the victim's browser for online banking sessions and display an overlay window to manipulate the session in the background.(Citation: Securelist Brazilian Banking Malware July 2020) |
Agent Tesla |
Agent Tesla has the ability to use form-grabbing to extract data from web data forms.(Citation: Bitdefender Agent Tesla April 2020) |
Grandoreiro |
Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
QakBot |
QakBot can use advanced web injects to steal web banking credentials.(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021) |
Cobalt Strike |
Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020) |
Cobalt Strike |
Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.(Citation: cobaltstrike manual) |
IcedID |
IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020) |
Chaes |
Chaes has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts.(Citation: Cybereason Chaes Nov 2020) |
Ursnif |
Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).(Citation: TrendMicro BKDR_URSNIF.SM) |
Mitigations |
|
Mitigation | Description |
---|---|
User Training |
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
Man in the Browser Mitigation |
Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique. Close all browser sessions regularly and when they are no longer needed. |
Detection
This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for Process Injection against browser applications.
References
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018.
- Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018.
- Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.
- Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
- Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
- Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018.
- Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.
- Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
- Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
- Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
Связанные риски
Риск | Связи | |
---|---|---|
Утечка информации
из-за
возможности атаки Man in the Browser
в браузере
Конфиденциальность
Раскрытие информации
|
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.