Pierluigi Paganini September 30, 2019

A recently observed a malvertising campaign carried out by a threat group dubbed eGobbler that hijacked roughly 1.16 billion ad impressions.

Researchers at Confiant observed a malvertising campaign carried out by a threat actor dubbed eGobbler hijacked roughly 1.16 billion ad impressions to redirect victims to websites hosting malicious payloads.

The campaign was observed between August 1 and September 23.

The eGobbler group was first observed by security firm Confiant in April when it was exploiting a security flaw in the Google Chrome browser to target millions of iOS users. At the time, Cofiant experts estimated that more than 500 million malicious ads had been served to iOS users.

This time eGobbler hackers extended their attacks to Windows, Linux, and macOS desktop devices.

“Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.” reads the analysis published by Confiant.

“This blog post will provide overviews and proof of concepts for both browser exploits. The first exploit that we reported on April 11, 2019 impacts Chrome versions prior to 75 on iOS. The second, which we reported on Aug. 7 was fixed in iOS 13 / Safari 13.0.1 on Sept. 19, impacts WebKit based browsers.”

In recent campaign, attackers used an exploit that targets WebKit based browsers, the researchers observed redirections on WebKit browsers upon the ‘onkeydown’ event.”

“The nature of the bug is that a cross-origin nested iframe is able to “autofocus” which bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame.” continues the analysis. “With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”

Experts also discovered that the payload used in this campaign had specifically targeted some web applications using text areas and search forms in order to maximize the chances of hijacking these keypresses.

“eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing,” states Confiant.

Experts reported the bug to both the Chrome and Apple security teams, the latter answered within the hour while on August 9 the former responded that they were investigating.

On August 12, the Chrome team provided an update that a patch was submitted to WebKit on August 9:

Apple addressed the issue in iOS 13 on September 19 and in Safari 13.0.1 on September 24.

The analysis published by the experts includes Indicators of Compromise for the recent campaign, including a list of content delivery network (CDNs) used by eGobbler threat actor to delivery the malicious payloads.

Pierluigi Paganini

(SecurityAffairs – eGobbler, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]