Hiding in plain sight – How attackers conceal malware in everyday web resources
For nearly two decades, Secure Web Gateways (SWGs) have monitored network traffic to detect malware, block malicious websites, and safeguard enterprises from web-based threats. However, attackers have found many ways to bypass these defenses, which security researchers at SquareX have documented. One of the most dangerous tactics is hiding malware in plain sight, using everyday web resources such as images, WebAssembly, HTML, CSS, and JavaScript to disguise the attack.
These client-side assembly techniques bypass SWGs entirely, leveraging common web elements to deliver malicious payloads directly to the browser. The malware is embedded in ordinary files that SWGs typically overlook, and is only reassembled and executed once it reaches the victim's device. In most cases, the SWGs are unaware of a file download event happening.
WebAssembly
WebAssembly (WASM) is a binary assembly format designed to run near-native speed code in the browser. Many legitimate web applications use WASM for heavy computation, including platforms like Figma and Adobe. However, attackers have found a way to hide malware within WASM modules, slipping malicious payload past SWGs undetected.
Since SWGs don't perform static or dynamic analysis of WASM files, the malicious payload is allowed through without scrutiny. Once it reaches the client-side, JavaScript extracts and assembles the malware from the WASM file and drops it onto the victim's device. WASM is an ideal medium for attackers to exploit, as it is used widely, but the industry lacks WASM security analysis frameworks. SquareX is pioneering the detection of malicious webassembly in its industry-first Browser Detection and Response solution.
Image Steganography
Steganography, the practice of hiding data within an image, is not a new technique, but it has evolved into an efficient way to evade detection by SWGs. Images are generally seen as safe and are rarely inspected in depth by SWGs, making them the perfect vehicle for smuggling malicious code.
In this attack, the malware is embedded in the least significant bits (LSB) of the image file, where the hidden code doesn't affect the visible appearance of the image. Once the image is rendered on the browser, JavaScript extracts the malware from the image and drops it to the user's disk. The use of steganography adds an additional layer of complexity, making it incredibly difficult for traditional security tools to detect without specific steganalysis.
HTML, CSS, JavaScript, SVG Embedding
Attackers can also hide malicious content within the core components of web design: HTML, CSS, and JavaScript. These essential elements are foundational to web functionality, making them ideal for concealing malicious payloads that SWGs are not equipped to detect.
- HTML Embed Attacks: Attackers store malware as a binary array within seemingly harmless HTML tags. To SWGs, this content appears as regular HTML and is allowed to pass. Once on the client side, JavaScript reads the HTML tag, extracts the malicious code, and reassembles it into a functional attack.
- CSS Embed Attacks: Malicious code can also be embedded in CSS variables or rules, which SWGs do not inspect. JavaScript extracts the hidden malware from the CSS file after it reaches the browser and triggers the download of the payload.
- JavaScript Array Attacks: Attackers embed malware in JavaScript arrays. Since SWGs do not perform live dynamic analysis of JavaScript code, these arrays are allowed through the network unscanned. When the page loads, JavaScript assembles the array into a malicious file and executes it.
- SVGs Embed Attacks: Scalable Vector Graphics are particularly attractive to attackers because they can contain hidden binary data within the markup, which can be read and reassembled into malware by JavaScript running on the client side.
These techniques illustrate how attackers are targeting enterprise networks. By hiding malware in everyday web resources, they are able to bypass even the most advanced SWGs.
As attackers continue to refine their techniques, it's clear that enterprises must adopt new security measures to protect against client-side attacks. Browser-native security solutions, which operate within the browser itself, are essential to detecting and mitigating these threats at the last mile.