
eGobbler Launches Massive Campaign Against iOS Users

eGobbler: A group being dubbed eGobbler has been tied to a recent campaign that used a Chrome for iOS vulnerability to serve 500 million malicious ads. The group was named eGobbler because of the massive volume of hits its campaigns generate. The vulnerability being exploited lies in the way the Chrome browser for iOS handles pop-ups. Under normal conditions, ad sandboxing would prevent a pop-up unless the user explicitly authorized it; the vulnerability allows eGobbler to circumvent this protection and launch the malicious ads. The vulnerability also completely circumvents Chrome's anti-redirect function. Exact details of the vulnerability are currently being withheld by researchers to give Google's security team time to fix the flaw in the Chrome for iOS browser.

In the waves of attacks seen from eGobbler so far, the group targets U.S. users for one to two days before changing the payload, with the exception of one campaign that began April 6th and lasted six days. The group has been seen compromising legitimate ad servers first and serving its payloads through them. It also uses popular JavaScript libraries such as GreenSock to smuggle its payloads. Even though the group has adjusted its tactics with each new wave of the attack, one consistent characteristic has been that each landing page is hosted on a ".world" domain.

Analyst Notes

Until Google patches the flaw, users are reminded to be cautious of pop-ups; if one is encountered, the user should shut down the browser immediately and avoid the site on which the pop-up appeared for a couple of days. Users should also watch for an update to Chrome. Historical analysis of eGobbler activity indicates that the group prefers to launch campaigns around holidays, putting iOS users at greater risk this week and over the Easter weekend.