Malvertiser eGobbler exploited Chrome and WebKit security flaws to display over one billion malicious ads

Malvertising campaign run by a group called eGobbler takes advantage of a zero-day security flaw in WebKit that Google still hasn't patched

A malvertising actor known as eGobbler has been observed exploiting two browser security flaws to display invasive pop-up ads and to redirect users to malicious websites.

One of these involves a patched flaw in Chrome for iOS, while the other is a zero-day flaw in the WebKit browser engine.

The activities of the group were first noticed last year, when security researchers found it running malvertising campaigns to display malicious ads on vulnerable devices.

According to researchers, malvertising campaigns by eGobbler typically last for a few days. In that period, eGobbler buys advertisements on genuine services, but embeds malicious code in its adverts to perform unauthorised activity on users' browsers.

These activities normally include displaying disruptive pop-up ads or redirecting users to malicious sites running scams or hosting malware.

Security researchers at Confiant said that, in April, they noticed eGobbler exploiting a bug in Chrome for iOS, which enabled the group to bypass the built-in pop-up blocker on iOS devices and overwhelm users with ads. The exploit also enabled the group to redirect users to malicious sites.

Confiant researchers notified the Chromium team about the bug (CVE-2019-5840), and the team eventually patched it in June with the release of Chrome 75.

However, eGobbler continued to exploit the bug and targeted users who failed to update their Chrome app.

Confiant said that in August, the group started exploiting a new bug impacting WebKit, the browser engine working at the core of older Chrome versions and Apple's Safari.

According to researchers, this zero-day exploits the "onkeydown" JavaScript event handler, which is executed on each keypress. eGobbler used the zero-day to bombard users with pop-up ads.

The issue was reported to Apple and Google in August. Apple released a patch for WebKit in three days, and closed the bug in both iOS 13 and Safari 13.0.1 in September.

Google is yet to release a fix for the issue, meaning that Chrome users are still vulnerable to malvertising attacks from eGobbler and other threat actors.

Confiant said that between 1st August and 23rd September, they saw eGobbler generating 1.16 billion ad impressions. Those attacks primarily targeted Windows users accessing the web via Chrome.

"eGobbler's preference for desktop platforms during this period supports their latest WebKit exploit, as the 'onkeydown' event is less likely to spawn organically during mobile browsing," the researchers said.

"The eGobbler group will often use CDNs [content delivery networks] for payload delivery. When available, they will leverage subdomains that look innocuous or include familiar brands," they warned.