A (4:30)

And so the website itself is functioning normally to the owner of the website and to the users of the website? Presumably?

B (4:40)

Yes, that's correct. The exception to that is when the injects are meeting their desired purpose. And that's when you'll start to see some anomalies pop up which are the beginning of the attack chain.

A (4:52)

Well, you talk about this funneling behavior of inject based attacks. Can you explain that for us?

B (5:00)

Yeah, for sure. When I speak about funneling, what I mean is I'm talking about the way that large numbers of these compromised or low value sites are wired to steer victims into a much smaller set of shared infrastructure. And you'll see the same patterns tend to emerge. So those are going to be many different injected pages, domains and templates that we can consider to be the edge. And then moving down the ATTCK chain, we see a relatively smaller number of intermediary redirectors and JavaScript loaders in the middle. And ultimately funneling and getting tighter once again, we see even a smaller set of final payload delivery or decision points at the end.

A (5:50)

The research describes what you call choke points in that second stage there. Why are these choke points important?

B (5:59)

Yeah, so those choke points are important because the pure magnitude of this issue, the number of infected or injected sites, compromised sites, whichever you prefer to refer them to, is astronomical. There are at any given time, I would say with a moderate level of confidence, tens of thousands of these compromised sites. And as a defender, that is particularly difficult to try to get your arms around to proactively block those sites or at a bare minimum, monitor. So instead, by focusing on these choke points being at the small end of the funneling, as I described earlier, defenders are better able and better positioned to use their tools at their disposal to protect themselves, their users and their domains.

A (6:49)

And how do you go about identifying and tracing these attack chains, especially at the scale that you're describing?

B (6:58)

Sure. So the way that I go about it is what I would consider to be a five step process. The first thing I'm looking for is a seed or seed patterns. And that's by looking at anomalies that I've either discovered on my own or that I am ingesting from incident reports, meaning small pieces of things that I can go off of and hunt on. These would be things like fake captcha templates, common script names and paths, or characteristic HTML fragments like JavaScript that are performing unusual redirects. So the seed patterns are the first step. Secondly, then I'm using censuses, index HTML bodies, and various other resources to search for those patterns at scale. So that's going to include doing things like exact matching for known patterns, or fuzzy matching on script paths, query strings, or observed HTML snippets. So looking at that content similarity, then I'm able to narrow the field down into what I presume to be suspect or potentially malicious sites. After I do that, then I begin to essentially build out a graph of these properties of these hits. And so what I'll look at is I'll look at where the injected code lives, and then I'll look at what the next jump is in that ATTCK chain, meaning where does that malicious injected JavaScript redirect people to? And then I'll also look to see if I'm missing any shared resources. And what I mean by that would be the same pathing, such as suspect names, reusable names like captcha, js, or maybe something as basic as a letter like an A, JS or djs, which I've seen recently. So the third piece again is going to be trying to assemble a picture of that to fully understand exactly what this looks like. And then fourth, I'm going to identify what those choke points are. So once that graph or that picture that I just described is built, what I'm going to be doing is I'm going to be looking at what are the things that this large number of injected or infected sites have in common and where do they lead to? And that's where I'm able to identify that choke point. Once I identify that choke point, then I'm able to validate my hypothesis or assumptions and many times challenge them to make sure that I'm getting true positives there. And once I'm able to do that, then I'll move on to the fifth step, which would be to validate manually and reconstruct those attack chains. And so what I'll do is I'll go ahead and hunt based upon the choke points, pull out a number of random samples, and then I will make sure that while I'm walking those chains manually, as if I were the intended victim that I am ultimately reaching those payloads. So that way I understand how we lead from those initial lures to what can be presumed to be the intended final payload of the threat actor.

A (10:24)

Do you find any consistency among the signals or the patterns that you find across these campaigns?

B (10:33)

Yes. So what I find is that despite being what I would assess with a moderate level of confidence evidence to be unique or threat clusters, maybe even operated by distinct threat actors, there's a lot of sharing or copying of these techniques. And once you see what is essentially in vogue for, you know, this week or this month, then you start to see those types of things show up in various different clusters. Things like that would be a few years ago. As I've been tracking these types of things for a few years now, I saw threat actors stop injecting the JavaScript directly onto the main landing page. Generally it was the header where it was easy to find and identify, but then they moved on to putting it into other resources. These are going to be resources that are loaded by the page at the time of visiting. For example, if you want to have something like a slideshow or a particular form on your web page, you'll have a JavaScript library that's located on the same server that will be used in order to enable that functionality. What I saw was threat actors were very predictably moving to the same JavaScript library over and over again and putting the code in there that will rotate over time. But those are some of the similarities that I'm able to track across these various different clusters.

A (12:09)

We'll be right back. Most security conferences talk about Zero Trust. Zero Trust World puts you inside this is a hands on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert LED sessions, practical case studies, and technical deep dives focused on real world implementation. Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from Theory to execution. When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com. Well, from a defender standpoint, what does the research suggest about where they should be focusing their monitoring and their detection efforts?

B (14:22)

Yeah, that's a very good point. As far as the monitoring and detection goes, I think that it comes back to understanding the baseline of your environment, meaning that if there are things that are out of the norm that are happening on your endpoints that don't align with what is established behavior, that's certainly worth raising the alarm on. But more specifically, defenders can implement certain policies on their networks. If we're talking about Windows networks, a administrator would be able to implement a group policy object or a gpo, which is a rule set that applies to the computers that are joined to the domain to associate something like a JS or JavaScript file, not to open with the default WScript utility built into Windows, which would evaluate and execute that JavaScript payload, but rather have it associate with something that would make it benign, like a notepad or text editor. So if someone is lured into clicking on one of these things or visiting one of these malicious sites and is lured into downloading a payload when they go to open it, it would not infect the system but rather just show them a show them the script which would effectively break the chain.

A (15:46)

Now you mentioned that you've been looking at these things for a number of years. What's the trend that you're tracking? Are these becoming more or less common? Where do we stand?

B (15:57)

I can tell you that the adoption is higher than it's ever been. I've seen what I track threat actor groups that were using traditional means of delivering malware, meaning pre built binaries or payloads that have hard coded command and control configurations baked into them. Those threat actors have pivoted to start starting to use these web based attacks. I can give you a few examples of some of the lures that have become popular as well as some of the new techniques and technologies that I'm seeing. If that's all right with you?

A (16:31)

Yeah, please.

B (16:33)

So I'll start with some of the lures. The biggest one that I've been seeing over the past year or so is a fake captcha, and what that is is essentially when you are Visiting a website. There are a number of anti bot technologies that we've been accustomed to running into as a legitimate user. For example, if we go to visit a site and the site says, hey, maybe there's been some anomalous traffic coming from this ip, or maybe there's just a whole lot of traffic right now where you need to make sure that people aren't bots, you may be served up a captcha. And because of this technology that is used to protect websites, us as humans and end users, we've been conditioned to start to click on these captchas. So the threat actors are preying upon our conditioning to interact with these captchas. And once that is we've interacted with them, then the threat actors are using JavaScript to place a set of malicious commands right on our clipboard. And then some follow on instructions are displayed such as to prove that you're a human, please do this keystroke. And it depends on if you're on Windows or Mac, but ultimately it culminates to opening some type of command prompt or terminal and pasting in the command which will download the payload and execute it. Those are called click fix and the lure type is fake captcha. Traditionally, what we've seen in the past is a fake update. And that is going to be something that is telling you that a critical piece of software on your computer is out of date. And this is particularly frustrating as a defender because we've worked so hard to get our end users to be, let's say, judicious and to want to accept updates on their endpoints to keep them safe from vulnerabilities. So when you're presented with a page that says your Chrome or Firefox or whatever web browser you're using is out of date and needs to be updated in order to continue. The same type of security awareness training that has been provided is the same type of thing that conditions end users into following those directions that are provided by the threat actors.

A (18:59)

So where do you suppose we're headed with this then? I mean, it seems as though this threat is here to stay. Is this destined to be an ongoing nuisance and problem in your estimation?

B (19:13)

I fear it is, because even as we speak, I'm seeing additional changes to these attack chains that are leveraging new pieces of technology. For example, I've written what can be considered a follow up article to this report, to this funneling report that we're discussing about a technique called Ether hiding. And Ether hiding is a an attack chain that uses the same type of injections and technology and techniques that we've been talking about already, but they are now using part of the blockchain as well. The blockchain being the external transparent ledger that's generally associated with cryptocurrency and various things of that nature. That ledger has objects on it called smart contracts, which are binary objects that can be called from the HTML and JavaScript to read the contents of these smart contracts, which cannot be updated without transparency. Meaning that it's really hard to take these types of things down. As opposed to traditional websites where one could file a complaint when they discover what the C2 or the payload delivery infrastructure looks like, the JavaScript is then pulling the payload and in some cases the next steps in a redirect chain to yet another resource. So to fully answer your question, I don't think that they're going to be going anywhere. And the difficulty for defenders in tracking and reproducing these steps is becoming more difficult, and that lends itself to continued adoption and sustained use by threat actors.

A (21:05)

How do you rate the sophistication of these threat actors?

B (21:09)

I have two thoughts on that. First, we tend to see what I would call the visionaries in this space, which are highly capable, what I would consider to be the apex predators of the threat actor landscape, specifically the E crime or the criminal landscape, whose motivations are stealing money and getting that initial access, and then perhaps executing a locking of a domain, such as a ransomware that we've seen in the news, or maybe even just getting that foothold and selling it to another group that would like to conduct that activity. Those folks, I would say, are some of the most capable developers that I've seen. And the way that these threats continue to evolve rapidly, it will make your head spin. Just the efficacy and the quickness in which they're able to deploy new tricks to evade researchers and defenders. The other side of that is that with the advent of AI, especially tools like chat, GPT and Claude and various other LLMs, the barrier to entry in order to make these types of tools and attacks has greatly been lowered. So now we're seeing a lot of copycats. And so this does a couple of things. Number one, it increases the amount of attacks like this that are on the Internet. But it also muddies the water for researchers who are trying to track and do attribution of threat actors. Because when you see folks that are adopting similar techniques and, and many who I would consider to be unskilled are able to get working tools generated by these AI programs, then it really is a duality of folks who really know what they're doing and those who don't know much but are able to get a working attack chain going.

A (23:20)

Our thanks to Andrew Northern from Census for joining us. The research is titled From Evasion to Exploiting the Funneling Behavior of Injects. We'll have a link in the Show Notes and that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast. Please also fill out the survey in the Show Notes or send an email to cyberwire2k.com this episode is produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher. I'm Dave Bittner. Thanks for listening. We'll see you back here next time. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of exper expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco.

B (25:12)

Well, the holidays have come and gone once again, but if you've forgotten to get that special someone in your life a gift, well, Mint Mobile is extending their holiday offer of half off unlimited wireless.

A (25:22)

So here's the idea. You get it now.

B (25:24)

You call it an early present for next year.

A (25:27)

What do you have to lose? Give it a try@mintmobile.com Switch limited time 50% off regular price for new customers. Upfront payment required $45 for three months, $90 for six month or $180 for 12 month plan taxes and fees. Extra speeds may slow after 50 gigabytes per month when network is busy. See terms. Attackers don't go through your tools, they go around them. In our interview with Jared Atkinson, CTO at SpectreOps, he reveals how attackers look to exploit our identities, steal tokens, and quietly snowball their access across active directory, cloud apps and GitHub. We talk through attack paths. Why least privilege keeps failing and how one misconfiguration can hand over the keys to your organization. Want to see risk as attackers do? Then check out the full interview now on TheCyberWire.com Spectrops.