WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams

Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker that’s engineered to conduct tech support scams.

The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks to serve next-stage JavaScript that redirects users to a browser locker (aka browlock).

This redirection mechanism, in turn, makes use of steganographic tricks to conceal the JavaScript code within a PNG image that’s served only when the validation phase is successful. Should a user be detected as a bot or not interesting traffic, a decoy PNG file without the malicious code is used.

WoofLocker is also known as 404Browlock due to the fact that visiting the browlock URL directly without the appropriate redirection or one-time session token results in a 404 error page.

The cybersecurity firm’s latest analysis shows that the campaign is still ongoing.

“The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts,” Jérôme Segura, director of threat intelligence at Malwarebytes, said.

“It is just as difficult to reproduce and study the redirection mechanism now as it was then, especially in light of new fingerprinting checks” to detect the presence of virtual machines, certain browser extensions, and security tools.

A majority of the sites loading WoofLocker are adult websites, with the infrastructure using hosting providers in Bulgaria and Ukraine that give the threat actors stronger protection against takedowns.

The primary goal of browser lockers is to get targeted victims to call for assistance to resolve (non-existent) computer problems and gain remote control over the computer to draft an invoice that recommends affected individuals to pay for a security solution to address the problem.

“This is handled by third-parties via fraudulent call centers,” Segura noted back in 2020. “The threat actor behind the traffic redirection and browlock will get paid for each successful lead.”

The exact identity of the threat actor remains unknown and there is evidence preparations for the campaign have been underway as early as 2017.

“Unlike other campaigns that rely on purchasing ads and playing whack-a-mole with hosting providers and registrars, WoofLocker is a very stable and low maintenance business,” Segura said. “The websites hosting the malicious code have been compromised for years while the fingerprinting and browser locker infrastructure appears to be using solid registrar and hosting providers.”

The disclosure comes as the company detailed a new malvertising infection chain that involves using bogus ads on search engines to direct users searching for remote access programs and scanners to booby-trapped websites that lead to the deployment of stealer malware.

What sets this campaign apart is its ability to fingerprint visitors using the WEBGL_debug_renderer_info API to gather the victim’s graphics driver properties to sort real browsers from crawlers and virtual machines and exfiltrate the data to a remote server in order to determine the next course of action.

“By using better filtering before redirecting potential victims to malware, threat actors ensure that their malicious ads and infrastructure remain online longer,” Segura said. “Not only does it make it more difficult for defenders to identify and report such events, it also likely has an impact on takedown actions.”

The development also follows new research which found that websites belonging to U.S. government agencies, leading universities, and professional organizations have been hijacked over the last five years and used to push scam offers and promotions via “poison PDF” files uploaded to the portals.

Many of these scams are aimed at children and attempt to trick them into downloading apps, malware, or submitting personal details in exchange for non-existent rewards in online gaming platforms such as Fortnite and Roblox.