WebAssembly Is Abused by eCriminals to Hide Malware
- CrowdStrike research finds that 75% of the WebAssembly modules are malicious
- WebAssembly is an open standard that allows browsers to execute compiled programs
- Cryptocurrency miners boost efficiency by abusing WebAssembly to achieve near-native execution performance
- eCriminals turn to WebAssembly to hide web-based malware
CrowdStrike researchers analyzed 12,291 unique WebAssembly (Wasm) samples from May 2018 to June 2021 and found that 75% of Wasm modules are malicious. WebAssembly is an open standard that allows browsers to execute resource-intensive compiled programs, such as games or image manipulation apps, directly in the browser with greater ease and performance.
Since eCrime activities dominate the threat landscape, according to the recently published CrowdStrike Falcon OverWatch 2021 Threat Hunting Report, abusing Wasm modules for building more efficient cryptocurrency miners falls in line with threat actors’ financial motivation.
What Is WebAssembly?
WebAssembly has a binary format made to run in the browser’s Virtual Machine (VM) and a text format that is its assembly representation.
Previous attempts to achieve this failed — one of the most popular and worst examples is Adobe’s Flash platform. It’s highly likely that WebAssembly also has many vulnerabilities, but being relatively new, it’s difficult to compare the two technologies head-to-head.
A WebAssembly Format Primer
WebAssembly is structured in modules that can be distributed, instantiated and executed individually. What follows is the basic high-level structure of a module.
Each module has the following preamble:
magic = 0x00 0x61 0x73 0x6D (4-byte magic number, the string '\0asm') version = 0x01 0x00 0x00 0x00 (The current version of the binary format)
Apart from the preamble, integer types in the Wasm format, either Signed and Unsigned, use the Leb128 encoding, which shows the hard work put into by W3C to make sure the format is as compact as possible. There are other primitive types encoded differently, but we only need to mention integers for the purpose of this blog post. To see the rest of the encodings, please see the specification.
The preamble is followed by a sequence of sections, and each section has the following structure:
id: u8 (A one byte section id) size: u32 (Size of the contents, in bytes) contents: [size] (The actual content whose structure depends on the section id)
Every section is optional, but an omitted section is equivalent to having a section present with empty contents.
The following section ids are recognized:
|12||data count section|
The above is a high-level overview of the Wasm format. Each section is then parsed for contents to know what, where and how something should be loaded and executed.
WebAssembly’s Popular Hat Trick
Like any well-established programming language, WebAssembly speaks a lot of “dialects.” One of those dialects is hashing and the ability to use cryptographic functions.
We can look at WebAssembly as a “frequent flier.” Although it uses the cheap, economy-class web browser, it is actually traveling first class because it can reach anyone, anytime, as long as there’s an internet connection. Wasm even has a membership to all of the major “airlines”: Firefox, Chrome, Safari and even Edge.
Combining the two capabilities — compatibility with major browsers and an internet connection as a minimum necessary requirement — provides the perfect mix for “clandestine” cryptocurrency mining operations.
A previous study analyzed how cryptocurrency mining is achieved in the wild using WebAssembly and revealed that eCrime operators have been abusing Wasm since at least 2019 for financial gain. The study also looked into the distribution of execution time spent by WebAssembly miners compared to other usages, as seen below.
Since WebAssembly has been gaining in popularity for the past two years, as more websites embed resource-intensive apps such as games or image and audio manipulation apps, CrowdStrike researchers started diving deeper into how eCrime adversaries might be abusing Wasm and for what purposes, apart from financial motivation. They collected and analyzed 12,291 unique WebAssembly samples from May 2018 to June 2021.
Crypto Mining Efficacy
Some of the analyzed Wasm samples were identified as cryptocurrency miners. For example, two samples:
contain artifacts of the Cryptonight mining algorithm, while further research showed that they are genuine mining modules.
A Clever Hide-and-Seek Trick
Of the 12,291 unique files collected and analyzed, 9,308 were malicious — more than 75% of the entire corpus.
Below, we have the disassembled WebAssembly (“text version,” it’s called) of two malicious samples:
that use this tactic.
Each file starts with the keyword module, and after that, each line starts with a keyword corresponding to the WebAssembly sections mentioned above.
What is interesting is the
At run time, the sample above drops the respective script or document, which is then executed by the browser. This method abuses the intended functionality of browsers that execute them and is a practical and efficient tactic for threat actors to hide malicious scripts within Wasm.
This method can be seen as a new type of obfuscation or even packing on top of the already-existing obfuscated malware state, adding another evasion tactic to the pool of techniques that adversaries can use.
Malicious WebAssembly modules are not new, but their increase in popularity suggests that adversaries can abuse Wasm versatility and efficiency to hide additional malicious scripts for financial and obfuscation purposes. Previous research discovered 150 unique WebAssembly modules by crawling the top 1 million sites, and now we’ve found that of over 12,000 unique WebAssembly samples gathered, more than 75% contained an embedded malicious behavior.
The increased adoption of WebAssembly over the past couple of years suggests we can expect adversaries and eCrime groups to continue abusing this browser’s built-in standard for their illicit gains.
- WebAssembly Reference Manual
- WebAssembly Specification
- Understanding WebAssembly text format
- Learn more about the CrowdStrike Falcon® platform by visiting the product webpage.
- Test CrowdStrike® next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.