Wednesday
Room 4
13:40 - 14:40
Session (60 min)
Hidden In Plain Sight: Browser Hijackers And How To Reverse Engineer Them
Imagine you are about to browse Stack Overflow to debug an error and are suddenly shown dog memes rather than code solutions. What would be your first reaction? Is someone messing with my browser? Or worse, am I being hacked? Well my friend, your browser has been hijacked! And this is likely the work of browser hijackers, which can infiltrate your browser and alter its settings without your consent.
In this talk, we'll deep-dive into malicious JavaScript code, using the ChromeLoader campaign as an example. We will demonstrate widely used payload encryption and JavaScript obfuscation techniques, and show how to reverse engineer the code.
The talk will cover:
- What browser hijacking threats are and the impact and motivation behind them.
- How legitimate browser extensions are loaded and how their code is structured, with a demo of a clean extension.
- Common techniques for side-loading malicious browser extensions.
- A walkthrough of the ChromeLoader malware campaign, covering the timeline, attack chain, and payload delivery mechanism.
- A deep dive into various JavaScript obfuscation techniques (dead code injection, string array encoding, hex conversion, etc.) used during the campaign, and the approach for de-obfuscating and debugging malicious extension files.
- Other prevalent malware families (FakeUpdates, Fauppod, etc.) that use different JavaScript obfuscation techniques.
- Advice on protection against browser hijacking threats.
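To make the obfuscation techniques named above concrete, here is an added example that is not part of the talk or of any real ChromeLoader sample. It constructs a small, made-up snippet that combines three of the listed tricks (a hex-escaped string array, an accessor function with a shifted index, and a dead branch) and then walks it back to readable code the way an analyst would when triaging an extension file. The identifiers _0x4c1d and _0x2e7a, the URL and the sample itself are all constructed for illustration; the deobfuscator is regex-based and only handles this specific pattern, which is enough to show why string-array decoding is the first step in de-obfuscation.

```javascript
// Added example (not from the talk): a minimal, regex-based deobfuscator for the
// "string array + hex escapes + accessor function" pattern that popular JavaScript
// obfuscators emit. The sample below is CONSTRUCTED for illustration; it is not
// ChromeLoader's real code, and the identifiers (_0x4c1d, _0x2e7a) are made up.

const OBFUSCATED_SAMPLE = [
  // 1. String array: every literal is hex-escaped, so grepping for "chrome" or a URL finds nothing.
  "var _0x4c1d=['\\x63\\x68\\x72\\x6f\\x6d\\x65','\\x74\\x61\\x62\\x73'," +
    "'\\x6f\\x6e\\x55\\x70\\x64\\x61\\x74\\x65\\x64'," +
    "'\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65" +
    "\\x2e\\x69\\x6e\\x76\\x61\\x6c\\x69\\x64\\x2f\\x61\\x64\\x73'];",
  // 2. Accessor: callers pass an index shifted by a constant (0x1a) so the numbers look arbitrary.
  "function _0x2e7a(_0x1,_0x2){_0x1=_0x1-0x1a;return _0x4c1d[_0x1];}",
  // 3. Dead code: the condition is always false; the branch exists only to pad and distract.
  "if(![]){console['log']('unreachable');}",
  // 4. The actual logic, unreadable until the string references are resolved.
  "window[_0x2e7a(0x1a)][_0x2e7a(0x1b)][_0x2e7a(0x1c)]['addListener'](function(){location['href']=_0x2e7a(0x1d);});",
].join("\n");

// Turn \xHH and \uHHHH escapes back into readable characters.
function decodeHexEscapes(s) {
  return s
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Locate `var _0x....=[...]` and return its name, decoded contents and raw declaration text.
function extractStringArray(src) {
  const m = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]\s*;/);
  if (!m) throw new Error("no string array found");
  const strings = [];
  for (const lit of m[2].matchAll(/'((?:\\.|[^'\\])*)'/g)) {
    strings.push(decodeHexEscapes(lit[1]));
  }
  return { name: m[1], strings, declaration: m[0] };
}

// Locate the accessor `function _0x....(a,b){a=a-OFFSET;return ARRAY[a];}` and recover OFFSET.
function extractAccessor(src, arrayName) {
  const re = new RegExp(
    "function\\s+(_0x[0-9a-f]+)\\s*\\((\\w+)\\s*,\\s*\\w+\\)\\s*\\{\\s*" +
      "\\2\\s*=\\s*\\2\\s*-\\s*(0x[0-9a-f]+|\\d+)\\s*;\\s*return\\s+" +
      arrayName + "\\[\\2\\]\\s*;\\s*\\}"
  );
  const m = src.match(re);
  if (!m) throw new Error("no accessor function found");
  return { name: m[1], offset: Number(m[3]), definition: m[0] };
}

// Replace every accessor call such as _0x2e7a(0x1b) with the literal it resolves to.
function inlineStringCalls(src, accessor, strings) {
  const re = new RegExp(accessor.name + "\\(\\s*(0x[0-9a-f]+|\\d+)\\s*\\)", "g");
  return src.replace(re, (call, idx) => {
    const i = Number(idx) - accessor.offset;
    return i >= 0 && i < strings.length ? JSON.stringify(strings[i]) : call;
  });
}

// Drop `if(![]){...}`, `if(!1){...}` and `if(false){...}` blocks whose body has no nested braces.
function removeDeadBranches(src) {
  return src.replace(/if\s*\(\s*(?:!\[\]|!1|false|0x0|0)\s*\)\s*\{[^{}]*\}\s*/g, "");
}

// Full pipeline: decode the array, drop the scaffolding, inline the strings, strip dead code.
function deobfuscate(src) {
  const arr = extractStringArray(src);
  const acc = extractAccessor(src, arr.name);
  let code = src.replace(arr.declaration, "").replace(acc.definition, "");
  code = inlineStringCalls(code, acc, arr.strings);
  code = removeDeadBranches(code);
  code = code.split("\n").map((l) => l.trim()).filter(Boolean).join("\n");
  return { strings: arr.strings, accessor: { name: acc.name, offset: acc.offset }, code };
}

console.log(deobfuscate(OBFUSCATED_SAMPLE).code);
```

Running the block prints the single line of real logic left after decoding: a tab-update listener that redirects the page to the (constructed) ad URL. Real obfuscator output adds layers on top of this pattern (array rotation, RC4- or base64-wrapped strings, control-flow flattening), which is why a debugger breakpoint inside the accessor function is often faster than writing regexes; the decoded string array alone, however, usually reveals the extension's intent (permissions touched, domains contacted) before any of the logic is read.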
Katherine Wu
Katherine is a security researcher working at Microsoft. She has been working in cybersecurity since 2017 and has moved from blue teaming to reverse engineering. Katherine also strongly supports the tech community and is part of the Tech Leading Ladies meetup group, where she has presented during group meetups. In her spare time, Katherine likes to swim and to go flying with her partner.