Unit 42 researchers have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, low-quality hosting and web chat APIs.
In this article, we'll describe some of the tactics used by malicious JavaScript to steal information through several case studies.
The case studies show specific examples of how the malware we observed tries to evade traditional static and dynamic analysis by using obfuscation, unusual Document Object Model interactions and selective payload detonation.
Using our JavaScript malware sandbox, we have identified campaigns that collect passwords and credit card information.
In our research on malicious JavaScript, we've noticed attackers using new techniques to collect and aggregate stolen information including passwords or credit card numbers.
To help detect such evasive skimmers and phishing exfiltration attacks, we've developed new techniques to analyze JavaScript to track the fine-grained information flowing through the program.
By identifying information flows that steal data, our analysis can identify when scripts send sensitive information outside of the script to attackers.
Using our information flow analysis, we have discovered several exfiltration techniques in which attackers abuse popular, legitimate cloud APIs to exfiltrate credentials.
The malware author also encodes the exfiltration domain to avoid detection from simple static analysis and signatures.
Malware Evades Detection by Refusing to Detonate Its Payload
Obfuscation can prevent detection by most static analysis, but to evade dynamic analysis, malware can selectively detonate its payload. This is not a new phenomenon, but we are seeing JavaScript malware use specific tactics to evade analysis.
Forcing payload detonation is one of the key techniques that allows our analysis emulator to detect highly evasive JavaScript.
The malware refuses to detonate if it detects that it is under analysis by a security crawler.
Our JavaScript malware analysis emulator uses a mixture of static and dynamic code analysis to explore the program's behavior.
Exploring the complete behavior of a normal, benign JavaScript program is difficult enough due to JavaScript's dynamic features, which can limit static analysis.
Malware authors use obfuscation and analysis evasion techniques to avoid detonating the payload when the sample is under analysis.
Our analysis technique for this research article aims to detect highly evasive malware that tries to hide from static and dynamic analysis.
After we detonate payloads, our analysis tracks the information flows that occur during program execution.
In our implementation, for each piece of data in the program we track whether it contains sensitive information, such as passwords or credit card data.
We're continuing to see JavaScript information stealers use a variety of techniques to evade detection.
In addition to using various obfuscation techniques, they increasingly use ways to evade dynamic analysis by selectively detonating their payload and also use custom loaders to further complicate the detection process.
Published on unit42.paloaltonetworks.com on Wed, 20 Dec 2023 11:13:04 +0000.