Thu, Jul 28, 2022
New MFA Bypass Phishing Method Uses WebView2 Applications with Hidden Keylogger
mr.d0x, a security researcher who previously released phishing tactics such as browser-in-the-browser (BitB) and utilized NoVNC to circumvent two-factor authentication (2FA), has released a new phishing attack method that exploits WebView2 applications to steal cookies and credentials. The code base utilizes a modified version of Microsoft’s WebView2 Samples repository.
WebView2 lets a developer embed a browser engine in an executable, so a desktop application can load and interact with web applications much as a browser does. Figure 1 below shows the proof-of-concept application running; in this instance it displays the Microsoft login page.
Figure 1: Application Loading Office.com (Source: Kroll)
Once the user enters their credentials and authenticates successfully, a copy of the HTTP GET request that includes the cookie data is sent to the actor-controlled C2 server, shown in Figure 2. The actor can circumvent authentication and log in simply by injecting the cookies obtained into the browser on the given site, granting them full access as that user.
Note: If acted on quickly enough by the threat actor, this method is an effective way of bypassing 2FA.
Figure 2: Captured Cookies from Application (Source: Kroll)
Figure 3: User Authenticated with Cookies (Source: Kroll)
Data Exfiltration is Possible
The security researcher further mentions that they were able to exfiltrate all available cookies for the current user from Chrome using WebView2, although this requires some manual copying and renaming of folders. WebView2 can be launched against an existing user data folder (UDF) instead of creating a new one each time it runs, which gives the application access to any information previously stored in that directory.
Monitoring MSEDGEWEBVIEW2.EXE for Detections
The Kroll threat intelligence team analyzed the application with our detection technologies and observed it spawning multiple “msedgewebview2.exe” processes, shown in Figure 4 below. Our intelligence team is working closely with the detection engineering team to build detections for this phishing method.
Figure 4: Process Tree (Source: Kroll)
We assess that this method is likely to be combined with a phishing email or contact form request, with the WebView2 application renamed to resemble a document or PDF. Combined with the legitimate login portal presented to the victim, this would likely result in successful exfiltration of credentials.
Through further research, we independently built this into an infection chain in which a malicious document (maldoc) calls PowerShell to download and launch the malicious WebView2 application (Figure 5), requiring little interaction on the endpoint. A code change to the malicious WebView2 application that resizes its window (Figure 6) makes the login prompt more convincing, adding another layer of social engineering to the technique.
Figure 5: Maldoc Infection Chain (Source: Kroll)
Figure 6: Demo of Maldoc Infection chain (Source: Kroll)
We are confident we can detect this maldoc infection chain by monitoring for Office applications spawning PowerShell that then downloads and executes another application. We can also detect a non-maldoc variant that uses .ISO and .LNK files, which actors are adopting as they move away from macro-enabled documents. This shift in tactics follows a change by Microsoft that helps protect users by honoring the Mark-of-the-Web (MOTW) flag on documents received from an external source.
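The two behaviours described above, written up as prototype detection rules over Sysmon-style process-creation events. This is an added example, not Kroll's detection content; the event data, file paths, process IDs and rule names are constructed for illustration.

```python
"""Prototype rules for the two behaviours described above (added example).

Sysmon-style process-creation events; sample data, paths and rule names are
constructed for illustration.
  R1: Office app -> powershell.exe -> executable in a user-writable path.
  R2: msedgewebview2.exe hosted by a binary in a user-writable path,
      rather than by an installed WebView2 host application.
"""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)

# Constructed events: (pid, ppid, image path). Not real telemetry.
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    (300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (400, 300, r"C:\Users\alice\AppData\Local\Temp\Invoice.pdf.exe"),
    (500, 400, r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe"),
    # Benign: an installed WebView2 host (assumed path) spawning the runtime.
    (600, 100, r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"),
    (700, 600, r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe"),
]

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, pid) pairs for events that match R1 or R2."""
    procs = {pid: (ppid, image) for pid, ppid, image in events}
    hits = []
    for pid, ppid, image in events:
        parent = procs.get(ppid)
        if parent is None:
            continue  # parent outside the event window; nothing to chain to
        p_ppid, p_image = parent
        # R1: this process runs from a user-writable path, its parent is
        # PowerShell and its grandparent is an Office application.
        if USER_WRITABLE.search(image) and basename(p_image) == "powershell.exe":
            grandparent = procs.get(p_ppid)
            if grandparent and basename(grandparent[1]) in OFFICE:
                hits.append(("R1_office_powershell_dropper", pid))
        # R2: the WebView2 runtime is spawned by a host in a user-writable path.
        if basename(image) == "msedgewebview2.exe" and USER_WRITABLE.search(p_image):
            hits.append(("R2_webview2_untrusted_host", pid))
    return hits
```

Legitimate WebView2 hosts such as Teams or Outlook also spawn msedgewebview2.exe, so R2 keys on where the host binary lives rather than on the runtime process itself.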
Inform and educate staff of this method of phishing attack. Instruct users to pay specific attention to the type of file that they are clicking on.
Disable the ability for unauthorized applications to be installed and/or executed on the endpoint. Use application whitelisting with AppLocker or group policy settings.
Block “.exe” attachments at the mail gateway.
Phishing Never Ends
Phishing attacks are one of the most common and proven methods for threat actors to gain an initial foothold within an organization. Protecting against new phishing techniques and tactics becomes harder as they grow more difficult to detect and identify.
It can feel like a never-ending battle to monitor and adapt to novel techniques like this, which reinforces the need for organizations to quickly detect and confidently respond to suspicious activity. If you detect odd process executions or suspicious behaviors involving msedgewebview2.exe or other artifacts, it would be wise to kick off incident response. Kroll’s experts are available to help 24x7 via our hotlines or our contact page.