A group of academics from Greece have come up with a new browser-based attack that can allow attackers to run malicious code inside users’ browsers even after the web page is closed.
The big picture - Dubbed MarioNet, the new attack method is an upgrade to the Puppetnets attack, which was discovered in 2007. MarioNet opens the door to several other attacks. It can enable attackers to assemble giant botnets from users’ browsers and later use them to conduct various nefarious activities.
These include in-browser crypto-mining (cryptojacking), DDoS attacks, malicious file hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting.
How is MarioNet different from Puppetnets - Although both are used for creating a browser-based botnet, there is a major difference between the two: MarioNet can survive even after users close the browser tab or move away from the website.
This is possible due to a new API called Service Workers, which comes built into modern web browsers. Service Workers are an update to an older API called Web Workers and prevent a web page from freezing when processing large quantities of data.
How does it work - MarioNet consists of two main components: an in-browser component and a remote command and control system. It does not exploit any flaw on the victim’s system and does not require installing any software. It leverages the power provided by Service Workers in modern browsers to initiate its infection process.
According to the researchers, the worst part of the attack is that it can be launched silently on a browser without any type of user interaction.
Furthermore, the attack method can also enable hackers to avoid anti-malware browser extensions and anti-mining countermeasures.
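Because the Service Worker keeps running after the tab is closed, one defensive check is to list the registrations a browser holds for an origin and compare them with the scripts the site is expected to ship. The following is an added example, not code from the researchers or from the original article; the `shop.example` URLs, the allowlist and the function names are assumptions.

```javascript
// Added example: list Service Worker registrations for an origin and flag
// any whose script is not one the site is expected to ship.

// Pure helper over ServiceWorkerRegistration-like objects.
function classifyRegistrations(registrations, expectedScripts) {
  const expected = new Set(expectedScripts);
  return registrations.map((reg) => {
    // A registration exposes its worker in one of three lifecycle slots.
    const worker = reg.active || reg.waiting || reg.installing || null;
    const scriptURL = worker ? worker.scriptURL : null;
    return {
      scope: reg.scope,
      scriptURL,
      state: worker ? worker.state : "none",
      unexpected: scriptURL === null || !expected.has(scriptURL),
    };
  });
}

// Browser entry point: pass navigator.serviceWorker as `container`.
// With { unregister: true }, unexpected registrations are removed.
async function auditServiceWorkers(container, expectedScripts, opts = {}) {
  const registrations = await container.getRegistrations();
  const report = classifyRegistrations(registrations, expectedScripts);
  if (opts.unregister) {
    for (let i = 0; i < report.length; i++) {
      if (report[i].unexpected) {
        report[i].removed = await registrations[i].unregister();
      }
    }
  }
  return report;
}

// Constructed sample data (hypothetical URLs), shaped like the browser's objects.
const SAMPLE_REGISTRATIONS = [
  { scope: "https://shop.example/",
    active: { scriptURL: "https://shop.example/sw.js", state: "activated" },
    unregister: async () => true },
  { scope: "https://shop.example/promo/",
    waiting: { scriptURL: "https://shop.example/promo/w.js", state: "installed" },
    unregister: async () => true },
];
const SAMPLE_CONTAINER = { getRegistrations: async () => SAMPLE_REGISTRATIONS };

// In a page's DevTools console:
//   auditServiceWorkers(navigator.serviceWorker,
//     ["https://shop.example/sw.js"]).then(console.table);
```

`getRegistrations()` only returns registrations for the origin of the page it runs on, so the check has to be repeated per origin.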