New MFA Bypass Phishing Method Uses WebView2 Applications with Hidden Keylogger

mr.d0x, a security researcher who previously released phishing tactics such as browser-in-the-browser (BitB) and utilized NoVNC to circumvent two-factor authentication (2FA), has released a new phishing attack method that exploits WebView2 applications to steal cookies and credentials. The code base utilizes a modified version of Microsoft’s WebView2 Samples repository.

Microsoft has developed a new module called “Microsoft Edge WebView2 control”. This module allows the user to embed web technologies such as HTML, CSS and JavaScript in native applications. In this case, mr.d0x has included a JavaScript keylogger capable of sending keystrokes and cookie data to a command-and-control server.

Exploiting WebView2

WebView2 can be used to create an executable that is able to communicate with web applications similarly to a browser. This feature would improve desktop applications and make them more capable of interacting with web applications. As demonstrated in Figure 1 below, we are able to view the application running. In this instance, it displays the Microsoft login page.

Figure 1: Application Loading Office.com (Source: Kroll)

Once the user enters their credentials and authenticates successfully, a copy of the HTTP GET request that includes the cookie data is sent to the actor-controlled C2 server, shown in Figure 2. The actor can circumvent authentication and log in simply by injecting the cookies obtained into the browser on the given site, granting them full access as that user.

Note: If acted on quickly enough by the threat actor, this method is an effective way of bypassing 2FA.

Figure 2: Captured Cookies from Application (Source: Kroll)

Figure 3: User Authenticated with Cookies (Source: Kroll)

Data Exfiltration is Possible

The security researcher further mentions they were able to successfully exfiltrate all available cookies for the current user from Chrome using WebView2, although this requires some manual copying and renaming of folders. WebView2 has the functionality to launch and utilize an existing user data folder (UDF) instead of creating a new folder each time it is executed, therefore, allowing access to any earlier stored information within the directory.

Monitoring MSEDGEWEBVIEW2.EXE for Detections

The Kroll threat intelligence team analyzed the application with our detection technologies and observed the application spawning multiple “msedgewebview2.exe" processes, shown in Figure 4 below. Our intelligence team is working closely with the detection engineering team to create detections to identify this method of phishing attacks.

Figure 4: Process Tree (Source: Kroll)

We assess that this method is likely to be combined with a phishing email or contact form request, renaming the WebView application to resemble a document or PDF. When combined with the legitimate login portal presented to a victim, this would likely result in a successful exfiltration of credentials.

Upon further research, we were able to independently develop and include this in an infection chain where a malicious document (maldoc) was able to call PowerShell to download and launch the malicious WebView2 application, shown in Figure 5, utilizing limited interaction with the endpoint. The code changes made to the malicious WebView2 application, resizing the window (Figure 6), adds further credence to the login prompt where provided—thus providing another layer of social engineering to this technique.

Figure 5: Maldoc Infection Chain (Source: Kroll)

Figure 6: Demo of Maldoc Infection chain (Source: Kroll)

We are confident we are able to detect this maldoc infection chain by monitoring Office applications spawning PowerShell, downloading and executing another application. We are also able to detect a non-maldoc version utilizating .ISO and .LNK files, as actors move away from using macro enabled documents. This shift in tactics follows a change from Microsoft that is helping to prevent users being targeted by implementing the Mark-of-the-Web (MOTW) flag on documents received from an external source.

Recommendations

Inform and educate staff of this method of phishing attack. Instruct users to pay specific attention to the type of file that they are clicking on.

Disable the ability for unauthorized applications to be installed and or executed on the endpoint. Use application whitelisting with AppLocker or group policy settings.

Block “.exe” attachments being downloaded via mail gateway.

Phishing Never Ends

Phishing attacks are one of the most common and proven methods for threat actors to gain an initial foothold within an organization. Protecting yourself against new phishing attack techniques and tactics can become difficult as these become harder to detect and identify.

It can feel like a never-ending battle to monitor and adapt to novel techniques like this, which reinforces the need for organizations to quickly detect and confidently respond to suspicious activity. If you detect odd process executions or suspicious behaviors involving msedgewebview2.exe or other artifacts, it would be wise to kick off incident response. Kroll’s experts are available to help 24x7 via our hotlines or our contact page.