Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams

WoofLocker is an advanced, long-running traffic-redirection toolkit used to power tech-support scams, featuring fingerprinting, obfuscated JavaScript, and steganography to hide payloads in images. The operation has evolved since 2017, with stronger infrastructure and distinct adult vs non-adult traffic routes to push victims to browser locker pages. #WoofLocker #TechSupportScam #Steganography #Fingerprinting #JavaScript #BrowserLocker

Keypoints

  • WoofLocker is distributed via a limited set of compromised websites rather than broad malvertising campaigns.
  • The campaign differentiates two traffic streams (adult vs non-adult) using separate redirection URLs.
  • Victim fingerprinting looks for virtualization tools, browser extensions and security software, and checks whether the visitor comes from a residential IP address, to decide whether a target is legitimate before redirecting.
  • Malicious JavaScript on the compromised sites retrieves the WoofLocker framework directly into the DOM from a small set of domains.
  • The payload is highly obfuscated and uses steganography to hide data inside PNG images.
  • Victim data is exfiltrated back to the server as a PNG image tied to a unique session ID, after which the victim is redirected to a browser locker page.
  • The infrastructure has shifted to more robust hosting providers with stronger takedown resistance, with ASNs in Bulgaria and Ukraine.

MITRE Techniques

  • [T1059.007] JavaScript – JavaScript injected into the compromised websites retrieves the WoofLocker framework directly into the DOM from one of a handful of domain names. (‘Malicious JavaScript embedded in the compromised websites is used to retrieve the WoofLocker framework directly into the DOM from one of a handful of domain names.’)
  • [T1189] Drive-by Compromise – Unlike other tech support scam campaigns, which often rely on malvertising, WoofLocker was only observed being distributed via a limited number of compromised websites. (‘Contrary to other tech support scam campaigns that often rely on malvertising as a delivery vector, we only observed WoofLocker being distributed via a limited number of compromised websites.’)
  • [T1105] Ingress Tool Transfer – The injected code connects to the actor's fingerprinting and redirection infrastructure, in this case hosted at cdncontentstorage[.]com. (‘This code allows the threat actor to connect with their fingerprinting and redirection infrastructure, which in this case is located at cdncontentstorage[.]com.’)
  • [T1027.001] Steganography – The framework uses steganography to embed data inside images. (‘…the technique that embeds data inside of images.’)
  • [T1071.001] Web Protocols – Victim data is exfiltrated via PNG images over web protocols back to the server. (‘The information from victims is sent back to the server as a PNG image (the data is hidden inside thanks to steganography)’)
  • [T1497] Virtualization/Sandbox Evasion – Fingerprinting checks look for virtual machines and security tools (including specific Chrome extensions) so that analysis environments are not served the redirect. (‘fingerprinting checks being done with the use of steganography… check for specific Chrome extensions (GeoEdge, Kaspersky, McAfee)’)
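The Steganography and Web Protocols entries above describe victim data being carried inside a PNG, but the post does not document the encoding itself. The following is an added example, not WoofLocker's code nor code from the Malwarebytes write-up: it round-trips a fingerprint report through a PNG using least-significant-bit embedding, which is a generic steganography technique and an assumption here. The JSON report, its field names, the session-ID format, the length-prefix framing, the gradient cover image and the minimal PNG writer/reader are all constructed for the illustration. It is meant to show an analyst what "data hidden inside a PNG" can look like at the byte level and how to pull it back out of a captured image.

```python
"""Added example: LSB steganography inside a PNG, round-tripped offline.
Not WoofLocker's code. The LSB scheme, JSON payload, field names and session
ID below are assumptions; the page only says data travels inside a PNG."""
import json
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal 8-bit RGB PNG writer; every scanline uses filter type 0."""
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png(png: bytes):
    """Parse a PNG produced by write_png; returns (width, height, rgb)."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, b""
    while pos + 12 <= len(png):
        length, kind = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(kind + data) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {kind!r} chunk")
        if kind == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB is handled here")
        elif kind == b"IDAT":
            idat += data
        elif kind == b"IEND":
            break
        pos += 12 + length
    raw, stride, rows = zlib.decompress(idat), width * 3, []
    for y in range(height):
        line = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if line[0] != 0:
            raise ValueError("only filter type 0 is handled here")
        rows.append(line[1:])
    return width, height, b"".join(rows)


def embed_lsb(rgb: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix plus payload, one bit per colour byte."""
    msg = struct.pack(">I", len(payload)) + payload
    if len(msg) * 8 > len(rgb):
        raise ValueError("payload too large for this carrier")
    out = bytearray(rgb)
    for i in range(len(msg) * 8):
        bit = (msg[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(rgb: bytes) -> bytes:
    """Inverse of embed_lsb; rejects a length prefix the carrier cannot hold."""
    def read(start: int, n: int) -> bytes:
        out = bytearray()
        for b in range(n):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (rgb[start + b * 8 + k] & 1)
            out.append(byte)
        return bytes(out)
    (length,) = struct.unpack(">I", read(0, 4))
    if (4 + length) * 8 > len(rgb):
        raise ValueError("length prefix exceeds carrier: no hidden payload")
    return read(32, length)


def cover_image(width: int = 64, height: int = 64) -> bytes:
    """Constructed sample carrier: a plain RGB gradient, not a real asset."""
    return bytes((x * 4) & 0xFF if c == 0 else (y * 4) & 0xFF if c == 1 else 0x80
                 for y in range(height) for x in range(width) for c in range(3))


def hide_report(report: dict, width: int = 64, height: int = 64) -> bytes:
    """Client side: package a fingerprint report as a PNG the way the exfil step is described."""
    payload = json.dumps(report, sort_keys=True).encode()
    return write_png(width, height, embed_lsb(cover_image(width, height), payload))


def recover_report(png: bytes) -> dict:
    """Server side (or analyst side): pull the JSON back out of the image."""
    _, _, rgb = read_png(png)
    return json.loads(extract_lsb(rgb).decode())


if __name__ == "__main__":
    # Constructed sample report; the field names and session ID are assumptions.
    sample = {"sid": "4f2c1a", "ua": "Mozilla/5.0", "vm": False, "ext": []}
    png = hide_report(sample)
    print(len(png), "bytes; recovered:", recover_report(png))
```

The point for an analyst is that the image parses and displays as a perfectly valid PNG; only the low bit of each colour byte carries the report, so a captured "image" request to one of the infrastructure domains is worth decoding rather than dismissing as static content. A real campaign may use a different embedding, so treat the LSB decoder as a starting point, not a signature.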

Indicators of Compromise

  • [Domain] Infrastructure domains – cdncontentstorage[.]com, cloudgertopage[.]com and 11 more domains
  • [Domain] Browser locker domains – furakelw[.]com, gopilofan[.]com and 16 more domains

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2