The Dark Side of WebAssembly

Carlos Ávila    8 October, 2020

The technologies used to build web software are multiplying rapidly, and some of them introduce new attack paths or unexpected advantages for attackers. Let's look at what WebAssembly (WASM) is and what benefits it can offer an attacker.

This relatively new open standard (announced in 2015, in real use since 2017) allows binary code compiled from languages such as C, C++ or Rust to be executed in modern web browsers, with all the new functionality and performance that this implies.

General architecture of WebAssembly Application

WASM was not created to replace JavaScript but to complement it; in fact, it is the JavaScript engine that runs it. The standard has many use cases, as listed on its website: games, CAD applications, simulation platforms and smart contracts (blockchain), among others. To see a game binary running in WASM, you can visit this website, which emulates the famous Game Boy, or watch AutoCAD start up in any browser.

Just as new technologies and programming languages bring many improvements, it is only a matter of time before attackers find attack vectors in them and turn them to their advantage, and WebAssembly applications are no exception. The example below shows how simple malicious code could be compiled to simulate a social engineering attack.

Example of WASM compilation and execution (PoC Fraude)

This type of simulated attack is known as a "tech support scam", in which a scammer impersonates a technician from a technology company and uses intimidation and social engineering to trick people into paying for unnecessary support services. When the victim calls the support number, the scammers ask for money to fix the problem or request access in order to install malware (a backdoor) on the victim's device. This Twitter thread by Sergio de los Santos is a good example of the sophistication these scams have reached.

Technical Service Scam Case

In these cases the attacker gains code that is obfuscated at analysis time, greater speed, and so on. Compiled WASM code has in fact already been used in bitcoin mining campaigns that infect browsers with malicious code hosted on compromised sites; among the best-known cases are Coinhive and Cryptonight. Both attacks (using WASM-generated JavaScript) exploited the victim's computing power to "mine" cryptocurrencies through the browser. In general, as we browse the Internet we can come across sites that scammers have compromised with plain JavaScript or WASM code, and from there, if our browsers lack adequate controls, the attack can be carried out.

If WebAssembly is already being used to support cryptomining attacks, attackers may well profit from it on other fronts. Other ways WASM can be put to malicious use include:

  • Redirection to malicious URLs: there are campaigns that infect devices through malicious redirects (implemented in WebAssembly code) from compromised sites to the same technical support scams, cryptocurrency mining, etc.
  • Keyloggers: recording keystrokes to steal passwords and other confidential information from visitors to compromised websites, taking advantage of the fact that WebAssembly produces code that evades the typical detections of external controls or browsers.
  • Browser exploitation: exploiting vulnerabilities in the browser almost always involves JavaScript, so WebAssembly can play an important role by obfuscating the exploitation code.
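The points above (the JavaScript engine runs the compiled binary, and the binary form hides the code from the usual controls) rest on one architectural fact that a defender can use: a WASM module has no access to the page, the network or storage on its own; everything it does outside its own memory goes through functions the host JavaScript hands it in the import object. The following is an added example, not code from the article or from ElevenPaths. It hand-assembles a tiny WASM module (constructed for this example: it imports `env.report` and exports `add`), walks the binary statically to list its sections, imports and exports without compiling it, and then instantiates it under Node's standard `WebAssembly` API with a host-side wrapper around the single import. The walker covers the general section table and all four import kinds, not just this module.

```javascript
// Added example (not from the article): hand-assembled WebAssembly module,
// a static walker that lists sections/imports/exports without compiling it,
// and an instantiation showing that the host import object is the module's
// only way out of the sandbox.

// Constructed module: imports env.report(i32), exports add(i32,i32)->i32,
// which passes a+b to env.report and then returns it.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                   // "\0asm", version 1
  0x01, 0x0b, 0x02, 0x60, 0x01, 0x7f, 0x00, 0x60, 0x02, 0x7f, 0x7f,  // type section:
  0x01, 0x7f,                                                       //   (i32)->() and (i32,i32)->i32
  0x02, 0x0e, 0x01, 0x03, 0x65, 0x6e, 0x76, 0x06, 0x72, 0x65, 0x70,  // import section:
  0x6f, 0x72, 0x74, 0x00, 0x00,                                     //   func "env"."report" : type 0
  0x03, 0x02, 0x01, 0x01,                                           // function section: one func of type 1
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x01,             // export section: "add" = func index 1
  0x0a, 0x11, 0x01, 0x0f, 0x01, 0x01, 0x7f, 0x20, 0x00, 0x20, 0x01,  // code section: one i32 local; local.get 0/1,
  0x6a, 0x22, 0x02, 0x10, 0x00, 0x20, 0x02, 0x0b,                   //   i32.add, local.tee 2, call 0, local.get 2, end
]);

const SECTION_NAMES = ["custom", "type", "import", "function", "table", "memory",
  "global", "export", "start", "element", "code", "data"];
const KIND_NAMES = ["func", "table", "memory", "global"];

// Unsigned LEB128 decoder; returns [value, nextOffset].
function readU32(bytes, pos) {
  let result = 0, shift = 0;
  for (;;) {
    const b = bytes[pos++];
    result |= (b & 0x7f) << shift;
    if ((b & 0x80) === 0) return [result >>> 0, pos];
    shift += 7;
  }
}

// Length-prefixed UTF-8 name; returns [string, nextOffset].
function readName(bytes, pos) {
  const [len, p] = readU32(bytes, pos);
  return [new TextDecoder().decode(bytes.subarray(p, p + len)), p + len];
}

// Limits are a flag byte, a min, and (if flag bit 0 is set) a max.
function skipLimits(bytes, pos) {
  const flag = bytes[pos++];
  [, pos] = readU32(bytes, pos);
  if (flag & 0x01) [, pos] = readU32(bytes, pos);
  return pos;
}

// Static triage: check the header and walk the section table, recording every
// import (what the module can call in the host) and every export (what the
// host JS can call). Nothing is compiled or executed here.
function triageWasm(bytes) {
  if (bytes.length < 8 || bytes[0] !== 0x00 || bytes[1] !== 0x61 ||
      bytes[2] !== 0x73 || bytes[3] !== 0x6d) {
    throw new Error("not a WebAssembly binary: missing \\0asm magic");
  }
  const version = bytes[4] | (bytes[5] << 8) | (bytes[6] << 16) | (bytes[7] << 24);
  const report = { version, sections: [], imports: [], exports: [] };
  let pos = 8;
  while (pos < bytes.length) {
    const id = bytes[pos++];
    const [size, bodyStart] = readU32(bytes, pos);
    const end = bodyStart + size;
    if (end > bytes.length) throw new Error(`section ${id} overruns the file`);
    report.sections.push(SECTION_NAMES[id] ?? `unknown(${id})`);
    if (id === 2) {                                           // import section
      let [count, p] = readU32(bytes, bodyStart);
      for (let i = 0; i < count; i++) {
        let mod, name;
        [mod, p] = readName(bytes, p);
        [name, p] = readName(bytes, p);
        const kind = bytes[p++];
        if (kind === 0) [, p] = readU32(bytes, p);            // func: type index
        else if (kind === 1) p = skipLimits(bytes, p + 1);    // table: reftype + limits
        else if (kind === 2) p = skipLimits(bytes, p);        // memory: limits
        else if (kind === 3) p += 2;                          // global: valtype + mutability
        else throw new Error(`unknown import kind ${kind}`);
        report.imports.push({ module: mod, name, kind: KIND_NAMES[kind] });
      }
    } else if (id === 7) {                                    // export section
      let [count, p] = readU32(bytes, bodyStart);
      for (let i = 0; i < count; i++) {
        let name, index;
        [name, p] = readName(bytes, p);
        const kind = bytes[p++];
        [index, p] = readU32(bytes, p);
        report.exports.push({ name, kind: KIND_NAMES[kind], index });
      }
    }
    pos = end;
  }
  return report;
}

// Dynamic check: instantiate with a host wrapper around the one import. The
// module cannot reach the DOM, network or storage except through functions the
// host puts in importObject, so that is where logging or blocking belongs.
async function runModule(bytes) {
  const reported = [];
  const importObject = { env: { report: (v) => { reported.push(v); } } };
  const { instance } = await WebAssembly.instantiate(bytes, importObject);
  const sum = instance.exports.add(20, 22);
  return { sum, reported };
}

// Stand-alone demo: static triage first, then a guarded run.
runModule(WASM_BYTES).then((dyn) =>
  console.log(JSON.stringify({ static: triageWasm(WASM_BYTES), dynamic: dyn }, null, 2)));
```

Once a module has been compiled, the standard `WebAssembly.Module.imports()` and `WebAssembly.Module.exports()` return the same listing; the hand-rolled walker is useful when you want the import surface of a suspicious `.wasm` file before letting the engine compile it at all. A module whose import list names host functions for network access or DOM manipulation deserves the same scrutiny as the JavaScript glue that supplies them.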

Technologies offer many possibilities, and WebAssembly is no exception: it can be an ally or an enemy. It clearly has many advantages, but it can also provide new ways to exploit weaknesses in different scenarios. While developers strive to integrate security features, we as users must be cautious, for example by keeping our browsers updated and using plug-ins that block dynamic execution of JavaScript, such as NoScript. ElevenPaths has contributed tools such as AMSIext to prevent unwanted executions in browsers.
