A few years ago WebAssembly rose to prominence, since then cybercriminals have opened a Pandora’s box of potential malicious uses, from cryptocurrency mining to malware code obfuscation.

Our Security Team discovered a new type of Auto-Redirect attack using WASM to run Javascript code which will eventually lead the user, without any interaction, to a non-desired landing page.

In one of our previous posts we discussed Sandboxing, why it was created and how it was supposed to be a safer way to run Iframes. Unfortunately, we’ve seen how attackers are able to easily bypass it by serving code in a cross-origin platform, and leverage the ability of code served in the same origin platform by navigating through Sandboxing.

Getting To Know WebAssembly

WebAssembly is a new type of language and compiler which is open source that can be run in web browsers. It is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages such as C/C++ and Rust with a compilation target so that they can run on the web.

Portable — able to run in different browsers and platforms
Compact — files are already in bytecode and directly executed by the browser
Fast execution — less time spent parsing and optimizing
Support — can compile old programs coded in C/C++ that previously required dependencies

The Dark Side of WebAssembly

Our Security Team discovered a new type of Auto-Redirect attack using WASM to run Javascript code which will eventually lead the user, without any interaction, to a non-desired landing page.

These attackers are using WebAssembly (WASM) to run as Javascript code in order to render security company bots useless and be able to run their attacks undetected.

This landing page may contain malicious activity, download executable files to the user’s machine/device, as well as just regular apps that are looking for new users.

So How is it Actually Happening?

The website loads, and ads appear. Below we can see a sample creative that is being shown before the attack takes place (Cute, right?):

a new type of Auto-Redirect attack using WASM to run Javascript code which will eventually lead the user, without any interaction, to a non-desired landing page.

In the screenshot below we can see the WebAssembly code that runs the Javascript

a new type of Auto-Redirect attack using WASM to run Javascript code which will eventually lead the user, without any interaction, to a non-desired landing page.

Below we can see the Redirect code that is executed by the Webassembly:

a new type of Auto-Redirect attack using WASM to run Javascript code which will eventually lead the user, without any interaction, to a non-desired landing page.

And finally, we see the landing page that the user is being led to involuntarily:

a new type of Auto-Redirect attack using WASM to run Javascript code which will eventually lead the user, without any interaction, to a non-desired landing page.

Thwarting Malicious Attempts

WebAssembly is currently underused, which makes it virtually undetectable, until now.

We can now see how these attackers are using WebAssembly Javascrpit APIs to avoid being detected by security companies, like GeoEdge.

With every new technology developed to improve the user experience and the processing of data, cybercrimianls are closely behind with malicious intent to exploit these new technologies.

As WebAssembly has already proven a fertile attack surface for the browser, GeoEdges security team remains vigilant for new and obfuscated attacks.