Threat Watch

Malvertiser Exploiting Browser Bugs

eGobbler: Believed to be a group, eGobbler has been seen since Thanksgiving of 2018. The group has a tendency to work in short bursts, lasting only a few days, then going quite only to return a few or months later with a new vulnerability to exploit. The group is known for buying legitimate advertisements on websites and injecting malicious code into them so their exploit will break out of the ad’s secure iframe and perform malicious activity inside a user’s browser. The group has gone after mobile popup advertisements in the past because of the lack of users enabling ad blockers for mobile and the browsers being more susceptible to exploits as opposed to the desktop versions. Operating at a massive scale last Presidents day, the group blasted out over 800 million malicious ads. Egobbler is also known for its work in exposing bugs inside the source code for browsers giving them a competitive advantage over other malvertisers. The first bug the group found was a zero-day in April that impacted Chrome for iOS. Receiving a patch in June, the vulnerability (CVE-2019-5840) allowed the group to break out of the security sandboxes that protect iframes and show their malicious code to users. The exploit bombarded users with popup ads that redirected them to malicious websites. The group continued using this bug to target individuals who failed to update their Chrome browser. Now, the group is believed to be behind a second browser bug which was discovered over the summer. The new bug impacts WebKit, which is the browsing engine at the center of older chrome versions, as well as Apple’s Safari browser. This bug affects a JavaScript function called “onkeydown” that executes with every keystroke. The group is treating this bug like the last and using it the same way, bombarding users of the browsers with pop-up ads. Since the release, Apple has released a fix for Safari, but Google has not–leaving any user on Chrome open to being targeted by the group until Google releases a fix. The “onkeydown’ function is also used in desktop versions of the browser, allowing the group to expand operations to target desktop users.


The group has now sent over 1.16 billion impressions out using the second bug. At this point, they have stopped targeting US-based users on Apple devices and shifted focus to European users, mainly in Italy. Since the group still has the bug at their disposal and it has not been addressed by Google, they will likely continue to use it until the patch is released. The group will likely take time off after this wave of attacks is done, giving them a chance to relax from their attacks and find a new bug to exploit in a new round of attacks.