Hackers are sneaking malware into your browser using Google’s link, and antivirus software can’t stop it

A new browser-based malware campaign shows how attackers abuse a trusted domain, in this case accounts.google.com, to slip past traditional antivirus defenses. According to a report from security researchers at c/side, the technique is not only subtle but conditionally triggered, which makes it hard for both users and conventional security software to notice.

The malware is loaded by a compromised e-commerce site through a script reference to what looks like an innocuous Google OAuth URL: https://accounts.google.com/o/oauth2/revoke, Google's token-revocation endpoint (not a logout URL). The endpoint honours a JSONP-style callback parameter and reflects it into the response body, so the browser executes whatever that parameter contains. Here it is not a function name but an eval(atob(…)) expression, which decodes and runs an obfuscated, base64-encoded JavaScript payload. Google's domain is central to the deception: because the script is served from accounts.google.com, a content security policy that allow-lists that host (as many sites do for Google Sign-In) and DNS filters keyed on domain reputation let it through without scrutiny.
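As an added illustration (this is not code from c/side or from the article), the following JavaScript triage check finds the trick described above in page HTML: a script src pointing at the revoke endpoint whose callback parameter is anything other than a plain function name, with the eval(atob()) form decoded so an analyst can see the payload. All names here (scanHtml, analyzeScriptSrc, SAMPLE_HTML, the demo payload) are this example's own; the sample page is constructed and its alert(1) payload is never executed, only decoded.

```javascript
// Added example, not code from c/side or this article: a static triage check
// for the JSONP-callback trick. Runs in Node 16+ or a browser.

const REVOKE_HOST = "accounts.google.com";
const REVOKE_PATH = "/o/oauth2/revoke";

// A genuine JSONP callback is a bare (possibly dotted) identifier such as "app.onRevoke".
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
// The form used in the campaign: eval(atob("<base64>")), whitespace tolerated.
const EVAL_ATOB = /eval\s*\(\s*atob\s*\(\s*["']([A-Za-z0-9+\/=]+)["']\s*\)\s*\)/;

const b64encode = (s) => (typeof btoa === "function" ? btoa(s) : Buffer.from(s, "latin1").toString("base64"));
const b64decode = (s) => (typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("latin1"));

// Collect every <script src="..."> from an HTML string. A regex is enough for
// triage; a production scanner would walk a real DOM.
function extractScriptSrcs(html) {
  const srcs = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Classify one script URL. Returns null unless it targets the revoke endpoint;
// otherwise reports whether the callback is something other than a function
// name and, for the eval(atob()) form, what the payload decodes to.
function analyzeScriptSrc(src) {
  let url;
  try { url = new URL(src); } catch { return null; }
  if (url.hostname !== REVOKE_HOST || url.pathname !== REVOKE_PATH) return null;
  const callback = url.searchParams.get("callback");
  if (callback === null) return { src, callback: null, suspicious: false, payload: null };
  let payload = null;
  const m = EVAL_ATOB.exec(callback);
  if (m) {
    try { payload = b64decode(m[1]); } catch { payload = null; }
  }
  return { src, callback, suspicious: !SAFE_CALLBACK.test(callback), payload };
}

function scanHtml(html) {
  return extractScriptSrcs(html).map(analyzeScriptSrc).filter((r) => r !== null);
}

// Constructed sample page: one ordinary analytics tag, one revoke URL carrying
// an eval(atob()) callback with a harmless alert(1) payload, and one revoke URL
// with a legitimate callback name. Nothing below is executed, only decoded.
const DEMO_PAYLOAD = "alert(1)";
const DEMO_CALLBACK = `eval(atob("${b64encode(DEMO_PAYLOAD)}"))`;
const SAMPLE_HTML = `
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-DEMO"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=${encodeURIComponent(DEMO_CALLBACK)}"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=onRevoked"></script>
</head><body><h1>Checkout</h1></body></html>`;

for (const f of scanHtml(SAMPLE_HTML)) {
  console.log(f.suspicious ? "SUSPICIOUS" : "ok", f.src, f.payload ? `-> decodes to: ${f.payload}` : "");
}
```

The useful rule is the SAFE_CALLBACK check rather than the eval(atob()) signature: any JSONP callback that is not a bare identifier is a code-injection attempt by definition, whatever encoding the attacker picks next.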

Silent Activation During Checkout

The script stays dormant until specific conditions are met: it activates silently only when the browser appears to be automated or when the page URL contains the word "checkout." It then opens a WebSocket connection to an attacker-controlled server, which lets the attacker tailor what runs to the visitor's behaviour.

Messages arriving over this channel are base64-encoded; the script decodes each one and executes it with JavaScript's Function constructor. That gives the attacker live, remote code execution inside the shopper's browser session, and the ability to change what the malware does without touching the compromised site again.
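As an added illustration (not c/side's code and not from the article), here is the kind of runtime audit hook a behavioural monitor or browser extension could install against the stage just described: it wraps the Function constructor so every piece of dynamically built code is recorded, and refused when it matches a policy, before it runs. The function names are this example's own, and simulateC2() is a constructed stand-in for the decode-and-execute loop; its payloads are harmless and no WebSocket is opened.

```javascript
// Added example, not code from c/side or this article: audit and optionally
// block code compiled through the Function constructor. Runs in Node 16+ or a browser.

const b64encode = (s) => (typeof btoa === "function" ? btoa(s) : Buffer.from(s, "latin1").toString("base64"));
const b64decode = (s) => (typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("latin1"));

// Install the hook on a global object (globalThis in a page). `block` is a
// policy callback: return true to refuse a body. Returns the log and an
// uninstall function that restores the real constructor.
function installFunctionAudit(target, { block = () => false } = {}) {
  const RealFunction = target.Function;
  const log = [];

  function AuditedFunction(...args) {
    // Function(p1, p2, ..., body): the last argument is the source to compile.
    const body = args.length ? String(args[args.length - 1]) : "";
    const entry = { body, blocked: Boolean(block(body)) };
    log.push(entry);
    if (entry.blocked) throw new Error("dynamic code blocked by audit hook");
    return RealFunction(...args);
  }
  // Keep instanceof and prototype chains intact, and cover the
  // (function(){}).constructor route, which resolves to the same object.
  AuditedFunction.prototype = RealFunction.prototype;
  RealFunction.prototype.constructor = AuditedFunction;
  target.Function = AuditedFunction;

  return {
    log,
    uninstall() {
      target.Function = RealFunction;
      RealFunction.prototype.constructor = RealFunction;
    },
  };
}

// Constructed simulation of the malware's C2 handling: each "message" is a
// base64 string that is decoded and compiled with the Function constructor.
function simulateC2(messages) {
  return messages.map((msg) => {
    const code = b64decode(msg);
    try {
      const fn = new Function(code);
      return { ran: true, value: fn() };
    } catch (e) {
      return { ran: false, error: e.message };
    }
  });
}

// Run the simulation under a policy that refuses code touching WebSocket or
// document.cookie, then restore the real Function constructor.
function demo() {
  const audit = installFunctionAudit(globalThis, {
    block: (body) => /WebSocket|document\.cookie/.test(body),
  });
  try {
    const results = simulateC2([
      b64encode("return 6 * 7;"),             // benign: allowed, returns 42
      b64encode("return typeof WebSocket;"),  // matches policy: refused
    ]);
    return { results, log: audit.log.slice() };
  } finally {
    audit.uninstall();
  }
}

console.log(JSON.stringify(demo(), null, 2));
```

The hook only helps if it is installed before any page script runs (for an extension, a content script at document_start) and it does not cover eval, setTimeout with a string argument, or code loaded through new script elements. The blunter and more reliable control is the site's own CSP: without 'unsafe-eval' in script-src, the browser refuses both eval and the Function constructor in the page, whichever host served the script.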

A key reason the attack succeeds is that it evades most leading antivirus products. The script's logic is heavily obfuscated and only runs under specific conditions, so static malware scanners and antivirus engines, even the most capable, have little to go on. These tools typically do not inspect, flag, or block JavaScript payloads delivered through a script request to a legitimate OAuth endpoint.

DNS-based filters and firewall rules offer equally limited protection, because the initial request goes to Google's legitimate domain. In enterprise environments, even top-tier endpoint protection tools can miss this activity if they lean heavily on domain reputation or do not inspect the scripts a browser actually executes at run time.

Advanced users and security teams can use content-inspection proxies or behavioural-analysis tooling to spot anomalies like this, but the average user remains exposed. In the short term, it is advisable to limit third-party scripts, use a separate browser profile or session for financial transactions, and stay alert to unexpected site behaviour. Site operators can close the specific hole described here on their own side: a nonce- or hash-based script-src instead of an allow-list for the whole accounts.google.com host keeps the reflected JSONP response from running, and dropping 'unsafe-eval' blocks both the eval(atob()) loader and the Function-constructor stage regardless of which host served the script.

Tech Optimizer