Posted on February 26, 2019 at 4:04 PM
Greek academic researchers have discovered a new type of attack called MarioNet. MarioNet continues to exploit web browsers even after the user leaves the infected web page. This ability comes from its use of Service Workers, a newer browser API. The researchers will reveal their findings today at the Network and Distributed System Security Symposium in San Diego.
The name MarioNet is a play on the word “marionette”. It is actually an improvement on a similar attack method discovered in 2007. The older attack also built botnets by exploiting web browsers. However, it could not keep working after the infected website was closed, as MarioNet apparently can.
How is this possible?
As the researchers said in their report, MarioNet works by exploiting the APIs of the user’s web browser. It makes it possible to assemble large botnets out of browsers and use them later for many malicious purposes, among them cryptomining and DDoS attacks. It can use web browsers to host or share malicious content, distribute password cracking, or build proxy networks. It is also known to be used for advertising click fraud and for manipulating website traffic statistics.
The older API is called Web Workers. When a website loads them, they do their job in the background until the page is closed. The newer Service Workers are an improved version of Web Workers. The difference is that Service Workers can stay active even after the user leaves the website. Service Workers are a tool that separates two kinds of operations: those that help render a page’s user interface, and those that handle complicated computational tasks, which keeps the user interface from freezing. This feature is very useful for both good and bad purposes.
Almost all web browsers are vulnerable to MarioNet, in both their desktop and mobile versions. This is because Service Workers are a relatively new addition, introduced a couple of years ago. Only three browsers are not susceptible to MarioNet: Internet Explorer on the desktop, and Opera Mini and Blackberry on mobile devices.
What does MarioNet do?
While the user is waiting for the infected web page to load, he or she is not aware that the website is activating a Service Worker. None of the popular browsers shows any notification about this. Once the Service Worker has been activated, MarioNet starts manipulating the Service Worker SyncManager interface. That way the Service Worker stays active and can be used for malicious purposes even after the user leaves the website.
In addition, MarioNet is able to move to another server while maintaining control of the Service Workers registered through the previous one. If the attackers upload malicious code to a popular website with a huge number of visits, it will infect many users. When the attackers delete the code from the website, they will still be able to control all the Service Workers they managed to register in that short period of time.
The only way the user will get any kind of notification about this is if MarioNet tries to use the Web Push API. That way it could survive browser restarts. However, in order to do this, it needs the user to grant it permission to use this API.
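Both persistence mechanisms described above, the SyncManager interface and the Push API, can be inspected from the origin that registered the worker. The following audit is an added example, not code from the researchers or from the original post; the function names and the `site.example` registrations in the mock are constructed for illustration.

```javascript
// Added example: audit one origin's Service Worker registrations for the
// persistence features discussed above. In a browser, call
// auditServiceWorkers(navigator.serviceWorker) from the DevTools console;
// getRegistrations() only returns registrations for the current origin.

// Pure helper: turn the collected facts into readable findings.
function flagRegistration(info) {
  const findings = [];
  if (info.syncTags.length > 0) findings.push(`background sync tags: ${info.syncTags.join(", ")}`);
  if (info.hasPushSubscription) findings.push("push subscription present");
  return findings;
}

async function auditServiceWorkers(container, { unregisterFlagged = false } = {}) {
  const report = [];
  for (const reg of await container.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    const info = {
      scope: reg.scope,
      scriptURL: worker ? worker.scriptURL : null,
      // SyncManager and PushManager are not implemented in every browser.
      syncTags: reg.sync ? await reg.sync.getTags() : [],
      hasPushSubscription: reg.pushManager
        ? (await reg.pushManager.getSubscription()) !== null
        : false,
    };
    info.findings = flagRegistration(info);
    // Optionally remove flagged registrations; unregister() resolves to a boolean.
    info.unregistered =
      unregisterFlagged && info.findings.length > 0 ? await reg.unregister() : false;
    report.push(info);
  }
  return report;
}

// Constructed stand-in for navigator.serviceWorker so the audit runs offline.
function makeMockContainer() {
  const reg = (scope, scriptURL, tags, sub) => ({
    scope, active: { scriptURL },
    sync: { getTags: async () => tags },
    pushManager: { getSubscription: async () => sub },
    unregister: async () => true,
  });
  return { getRegistrations: async () => [
    reg("https://site.example/", "https://site.example/sw.js", [], null),
    reg("https://site.example/ads/", "https://site.example/ads/w.js", ["keepalive"], null),
  ] };
}
```

A registration with no sync tags and no push subscription is reported but left in place; only flagged ones are removed when `unregisterFlagged` is set.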
Because it performs its attack through regular browser features and not through vulnerabilities, a MarioNet attack is almost impossible to discover. The researchers have described some ways in which MarioNet could evade detection by anti-malware extensions and anti-mining measures. They have also added some proposals for web browser developers on how to reduce the severity of MarioNet attacks.
The researchers will reveal their findings on this matter today at the Network and Distributed System Security Symposium in San Diego. Until then, there is another article about MarioNet, titled “Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computations”, by Papadopoulos et al.