Hackers can turn Chrome into spyware using a few simple commands


Hackers can abuse Google Chrome and other Chromium browsers to continuously take screenshots, spy through the camera, and record microphone audio.

Hackers don’t need sophisticated malware to spy on their victims – they can use browsers instead.

Security researcher mr.d0x disclosed several techniques that rely on specific Chromium browser command-line flags. Attackers can abuse them to spy on users once they gain access to the system.


A simple PowerShell script on a compromised computer would start a Chromium-based browser, such as Google Chrome, Microsoft Edge, Brave, or Opera, either in headless mode or in a tiny off-screen window, so that no window is visible to the user. A few additional command-line flags would effectively turn the browser into spyware.


The invisible browser would go to a specifically crafted webpage with malicious JavaScript, which could then start taking screenshots, recording video and audio, and exfiltrating the data.

The “screen sharing” technique abuses the built-in Chromium feature for screen sharing. Hackers can use the command-line flag “--auto-select-desktop-capture-source=Entire” and launch an invisible browser with the entire screen selected for sharing.

“In cases where the user has more than one screen, you would need to specify ‘Screen 1,’ ‘Screen 2,’ ‘Screen 3,’ etc,” the researcher said.

A JavaScript screenshot-capture function (captureScreenshot) can be called by the malicious website repeatedly, every few seconds. The researcher provided an example in which screenshots are taken every 3 seconds, encoded in Base64, and uploaded to a remote server.

“I really like this method due to its simplicity and the fact that the code performing the spying activity is hosted remotely. Attackers can use this technique during the post-exploitation phase to spy on a user’s activity,” mr.d0x writes.


Another command-line flag, “--auto-accept-camera-and-microphone-capture,” can be similarly abused to automatically capture the user’s camera and microphone.

A PowerShell script would open an invisible browser window with this flag and visit a malicious website whose JavaScript takes webcam snapshots and records microphone audio. The data would then be uploaded to an attacker-controlled server.

No user approval or interaction would be required. However, users would be alerted by the camera light, which would activate when the camera is in use.

The scripts can be launched by attackers controlling the system or by users themselves during social-engineering attacks, such as malicious CAPTCHA checks.

“I’ve been exploring Chromium command-line options for a while now to find interesting use cases,” the researcher said.

This activity would bypass many security features, as the tools used are legitimate. The researcher recommends that network defenders check for the use of these command-line flags with any Chromium browser, as regular day-to-day users are unlikely to ever use them.
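To illustrate the detection the researcher recommends, here is an added example (not code from the article or from mr.d0x) that scans process-creation records, such as Sysmon Event ID 1 or Windows 4688 image and command-line pairs, for Chromium browsers launched with the two flags named above, and notes whether headless or off-screen window flags were also present. The executable names and the sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Binary names for the Chromium browsers the article names (assumption).
CHROMIUM_BINARIES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe"}

# The two flags the researcher describes; matched by prefix so that values
# such as "=Entire" or "=Screen 2" are caught as well.
SPY_FLAGS = ("--auto-select-desktop-capture-source",
             "--auto-accept-camera-and-microphone-capture")

# Flags that hide the window: headless mode or a tiny/off-screen window.
HIDE_FLAGS = ("--headless", "--window-position", "--window-size")

@dataclass
class Finding:
    image: str       # browser executable name
    flags: list      # spying flags seen on the command line
    hidden: bool     # True if a window-hiding flag was also present

def parse_command_line(cmd):
    """Split a Windows command line into tokens, keeping quoted spans together."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmd)]

def analyze(image_path, command_line):
    """Return a Finding when a Chromium browser carries a spying flag, else None."""
    image = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_BINARIES:
        return None
    tokens = parse_command_line(command_line)
    spy = [t for t in tokens if t.lower().startswith(SPY_FLAGS)]
    if not spy:
        return None
    hidden = any(t.lower().startswith(HIDE_FLAGS) for t in tokens)
    return Finding(image, spy, hidden)

def scan_events(events):
    """events: iterable of (Image, CommandLine) pairs; returns the findings."""
    return [f for f in (analyze(i, c) for i, c in events) if f]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
     r'--auto-select-desktop-capture-source=Entire https://example.invalid/page'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"msedge.exe" --window-position=-3000,-3000 --window-size=1,1 '
     r'--auto-accept-camera-and-microphone-capture https://example.invalid/cam'),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"chrome.exe" --profile-directory=Default https://example.com'),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe --headless"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {f.image}: {f.flags} hidden_window={f.hidden}")
```

Only the two browser launches that carry a spying flag are reported; the ordinary Chrome launch and the non-browser process are ignored.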