- Attackers use a genuine Google URL to bypass antivirus software and run code in your browser
- The malware is only active during checkout, making it a silent threat to online payments
- The script opens a WebSocket connection for live control that is completely invisible to the average user
A new browser-based malware campaign has surfaced, showing how attackers are now abusing trusted domains such as Google.com to bypass traditional antivirus defenses.
According to a report from security researchers at c/side, the method is subtle, triggered only under specific conditions, and difficult for both users and traditional security software to catch.
It originates from a legitimate OAuth-related URL but secretly executes a malicious payload with full access to the user’s browser session.
Malware hidden in plain sight
The attack begins with a script embedded in a compromised Magento-based ecommerce site, which appears to reference a harmless Google OAuth logout URL: https://accounts.gouth2/revoke.
However, this URL carries a manipulated callback parameter that decodes and runs an obfuscated JavaScript payload using eval(atob(…)).
The use of Google’s domain is central to the deception: because the script loads from a trusted source, most Content Security Policies (CSPs) and DNS filters allow it without question.
The script is only active under specific conditions. If the browser appears to be automated or the URL contains the word “checkout”, it quietly opens a WebSocket connection to a malicious server, which lets the attacker tailor malicious behavior to the user’s task.
Any payload sent over this channel is base64-encoded; it is decoded and then executed dynamically through the JavaScript Function constructor.
This setup lets the attacker run code remotely in the browser in real time.
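The pattern just described, a script loading from a trusted host with executable code hidden in a query parameter, is something a site owner or incident responder can scan for in captured page source. The following is an added example written for this article, not code from c/side or from the report; the trusted host list, the /o/oauth2/revoke path and the sample HTML are constructed for the demonstration, and the base64 in the sample decodes to a harmless marker string rather than a real payload.

```javascript
// Added example, not code from the article or from c/side: scan a page's
// script tags for a src on a trusted host whose query string carries
// executable JavaScript in a parameter such as "callback".

// Hosts a reviewer would normally wave through; this is the trust the attack abuses.
const TRUSTED_HOSTS = new Set(["accounts.google.com", "www.googletagmanager.com"]);

// Tokens that have no business inside a query parameter of an OAuth endpoint.
const CODE_TOKENS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "atob", re: /\batob\s*\(/ },
  { name: "Function", re: /\bFunction\s*\(/ },
  { name: "WebSocket", re: /\bWebSocket\b/ },
];

// Decode every atob("...") literal so the hidden text becomes visible to the reviewer.
function decodeAtobLiterals(text) {
  const decoded = [];
  const re = /atob\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    decoded.push(Buffer.from(m[1], "base64").toString("utf8"));
  }
  return decoded;
}

// Returns null for scripts that are not interesting, or a finding object for a
// trusted host whose query parameters look like code.
function inspectScriptUrl(src) {
  let url;
  try { url = new URL(src); } catch { return null; } // relative or malformed src: skip
  if (!TRUSTED_HOSTS.has(url.hostname)) return null;
  const findings = [];
  for (const [param, value] of url.searchParams) {
    const decoded = decodeAtobLiterals(value);
    const haystack = [value, ...decoded].join("\n"); // inspect the literal and what it hides
    const tokens = CODE_TOKENS.filter((t) => t.re.test(haystack)).map((t) => t.name);
    if (tokens.length) findings.push({ param, tokens, decoded });
  }
  return findings.length ? { host: url.hostname, path: url.pathname, findings } : null;
}

// Walk every <script src=...> in a captured HTML document.
function findSuspiciousScriptTags(html) {
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const results = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const finding = inspectScriptUrl(m[1]);
    if (finding) results.push({ src: m[1], ...finding });
  }
  return results;
}

// Constructed sample page: one genuine-looking Google script, one that abuses
// an OAuth revoke path with a code-bearing callback (the base64 decodes to a
// harmless marker string, not a real payload), and one first-party script.
const SAMPLE_MARKER = "/* constructed marker: checkout WebSocket */";
const SAMPLE_CALLBACK = `eval(atob("${Buffer.from(SAMPLE_MARKER).toString("base64")}"))`;
const SAMPLE_HTML = `
<script src="https://accounts.google.com/gsi/client"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=${encodeURIComponent(SAMPLE_CALLBACK)}"></script>
<script src="https://shop.example.test/static/checkout.js?v=3"></script>
`;

console.log(JSON.stringify(findSuspiciousScriptTags(SAMPLE_HTML), null, 2));
```

Run with `node scan.js`; only the revoke URL is reported, with the callback parameter, the code tokens found and the decoded base64 text. The check deliberately keys on the host being trusted: a domain-reputation filter stops looking at that point, which is exactly where this scanner starts.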
One of the main factors behind this attack’s effectiveness is its ability to evade many of the best antivirus programs.
The script is heavily obfuscated and only active under certain conditions, so even the best Android antivirus apps and static malware scanners are unlikely to detect it.
These tools do not inspect, flag, or block JavaScript payloads delivered through a legitimate OAuth flow.
DNS-based filters and firewall rules also offer limited protection, since the initial request goes to Google’s legitimate domain.
In enterprise environments, even some of the best endpoint security tools can struggle to detect this activity if they rely too heavily on domain reputation or fail to observe dynamic script execution inside the browser.
While advanced users and cybersecurity teams can use content inspection proxies or behavioral analysis tools to identify anomalies such as these, average users remain exposed.
Limiting third-party scripts, isolating the browser sessions used for financial transactions, and staying vigilant about unexpected site behavior can all help reduce the risk in the short term.
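The article notes that most CSPs let the script through because it loads from Google’s domain, and recommends limiting third-party scripts. The following added example, written for this page and not taken from the article or from c/side, is a deliberately simplified evaluator for a CSP script-src directive that shows why a host allow-list passes the injected tag while a per-response nonce does not. The shop origin, the nonce value and both script tags are constructed; wildcards, ports, hashes and 'strict-dynamic' are left out.

```javascript
// Added example, not from the article or c/side: a simplified CSP script-src
// evaluator. Handles host-sources (optional scheme, exact host, optional path;
// the query string is ignored, as in the CSP spec) and 'nonce-...' sources.

const SHOP_ORIGIN = "https://shop.example.test"; // assumed document origin for 'self'

function hostSourceMatches(source, url) {
  const hasScheme = source.includes("://");
  let s;
  try { s = new URL(hasScheme ? source : "https://" + source); } catch { return false; }
  if (hasScheme && s.protocol !== url.protocol) return false;
  if (s.hostname !== url.hostname) return false;
  const p = s.pathname;
  if (p === "/") return true;                              // no path given: any path matches
  if (p.endsWith("/")) return url.pathname.startsWith(p);  // directory prefix
  return url.pathname === p;                               // exact file match
}

// script: { src, nonce } where nonce is the <script nonce="..."> attribute, if any.
function scriptSrcAllows(directive, script) {
  const url = new URL(script.src);
  for (const source of directive.trim().split(/\s+/)) {
    if (source.startsWith("'nonce-") && source.endsWith("'")) {
      if (script.nonce && script.nonce === source.slice(7, -1)) return true;
    } else if (source === "'self'") {
      if (url.origin === SHOP_ORIGIN) return true;
    } else if (!source.startsWith("'") && hostSourceMatches(source, url)) {
      return true;
    }
  }
  return false;
}

// Constructed script elements: a legitimate Google sign-in library that the
// shop's templates emit with the per-response nonce, and an injected tag that
// reuses an OAuth revoke path with a code-bearing callback (payload elided).
const LEGIT_TAG = { src: "https://accounts.google.com/gsi/client", nonce: "r4nd0mN0nce" };
const INJECTED_TAG = { src: "https://accounts.google.com/o/oauth2/revoke?callback=eval(atob(...))" };

// Weak policy: trusts the whole host. Stronger policy: trusts only tags that
// carry the nonce the server minted for this response.
const ALLOWLIST_POLICY = "'self' https://accounts.google.com";
const NONCE_POLICY = "'self' 'nonce-r4nd0mN0nce'";

function comparePolicies() {
  return {
    allowlist: {
      legit: scriptSrcAllows(ALLOWLIST_POLICY, LEGIT_TAG),
      injected: scriptSrcAllows(ALLOWLIST_POLICY, INJECTED_TAG),
    },
    nonce: {
      legit: scriptSrcAllows(NONCE_POLICY, LEGIT_TAG),
      injected: scriptSrcAllows(NONCE_POLICY, INJECTED_TAG),
    },
  };
}

console.log(comparePolicies());
```

The allow-list policy admits both tags, because a host-source matches any path and ignores the query string entirely. The nonce policy admits only the tag the server itself rendered. That helps when the injection lands in stored content such as CMS blocks, product descriptions or a tampered static file, since that content cannot know the nonce minted for each response; it does not help if the attacker controls the server templates, and the nonce must be freshly random per response rather than a fixed string.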