    Cybercriminals Exploit Browser Push Notifications to Deliver Malware

    Cybercriminals are delivering malware via web browser features using a newly discovered command-and-control (C2) platform dubbed Matrix Push C2.

    The malicious C2 platform, discovered by BlackFrog, tricks users with fake system notifications, redirecting them to malicious sites, monitoring infected clients in real time, and even scanning for cryptocurrency wallets.

    In a report published on November 20, BlackFrog outlined how Matrix Push C2 abuses the legitimate web browser push notification system as a C2 channel.

    Matrix Push C2 works by first tricking users into allowing browser notifications, often via social engineering on malicious or compromised websites. Once a user is subscribed to the attacker’s notifications, a direct line to that user’s desktop or mobile device is created via the browser.

    The cybercriminals then push out legitimate-looking error messages and security alerts that appear as if they are from the operating system or trusted software.

    However, if a victim clicks on one of these fake notifications, they are taken to a site run by the attacker, often a phishing page or a malware download.

    BlackFrog described this attack as ‘fileless’ because the interaction happens through the browser’s notification system, so no traditional malware file needs to be present on the system initially.

    The attack is orchestrated via a web-based dashboard provided by the Matrix Push C2 platform. 

    The threat is not limited to a single operating system (Windows, Mac, Linux, Android, etc.) because it operates through standard browser technology, noted BlackFrog.

    The campaign dashboard, which is part of Matrix Push C2, shows an active client panel. This gives the attacker detailed information on each victim in real time.

    “This real-time intelligence is part of what makes Matrix Push C2 so dangerous. The attacker isn’t firing blind phishing emails hoping someone clicks, they have a live connection to the victim’s browser,” said BlackFrog.

    Matrix Push C2 also includes analytics and link management tools so the attacker can measure how effective their campaign is and adjust tactics.

    For the social engineering element of the attack, Matrix Push C2 comes with configurable templates to maximize the credibility of its fake messages.

    “In the settings, we found templates for brands such as MetaMask, Netflix, Cloudflare, PayPal, TikTok and more, each designed to look like a legitimate notification or security page from those providers,” the BlackFrog report noted.

    Further, the attacker can generate short, innocuous URLs (under a path they control) that redirect to the real malicious site. This helps evade filters and avoids the skepticism that long, suspicious-looking links tend to provoke in victims.

    To counter this threat, BlackFrog recommended using anti-data exfiltration (ADX) technology, which focuses on blocking outbound traffic.
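    The foothold described above is nothing more than a notification grant the user handed to an origin, so one practical check is to audit which origins in a browser profile currently hold that grant and compare them with an approved list. The script below is an added example and is not part of the BlackFrog report or the Matrix Push C2 platform. It assumes the profile layout of Chromium's Preferences file, where per-site grants live under `profile.content_settings.exceptions.notifications` keyed by an origin pattern such as `https://example.com:443,*` with `setting` 1 = allow, 2 = block, 3 = ask; the sample profile, the approved-origin list and the `example-attacker.test` host are constructed. The `hardened_policy` function expresses the corresponding mitigation using the real Chromium enterprise policy names `DefaultNotificationsSetting` and `NotificationsAllowedForUrls`, though assembling them into this dictionary is my own choice.

```python
"""Audit browser notification grants (added example, not from the BlackFrog report).

Assumptions (mine, not the article's): the JSON layout mirrors Chromium's
Preferences file, where per-site grants live under
profile.content_settings.exceptions.notifications, keyed by an origin
pattern such as "https://example.com:443,*", with "setting" 1 = allow,
2 = block, 3 = ask. The sample profile below is constructed.
"""
import json
from urllib.parse import urlsplit

ALLOW, BLOCK, ASK = 1, 2, 3

# Constructed sample of what an exported Preferences file might contain.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://mail.example.com:443,*": {"setting": ALLOW},
                    "https://cdn-push.example-attacker.test:443,*": {"setting": ALLOW},
                    "https://news.example.org:443,*": {"setting": BLOCK},
                    "http://intranet.example.local:80,*": {"setting": ALLOW},
                }
            }
        }
    }
})

# Origins the organisation has vetted (hypothetical allow-list).
APPROVED_ORIGINS = {"https://mail.example.com"}


def notification_grants(preferences_json: str) -> dict[str, int]:
    """Return {origin: setting} for every notification exception in the profile."""
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    grants = {}
    for pattern, entry in exceptions.items():
        origin = pattern.split(",", 1)[0]  # drop the secondary ("*") pattern
        grants[origin] = int(entry.get("setting", ASK))
    return grants


def unapproved_allowed_origins(preferences_json: str, approved=APPROVED_ORIGINS) -> list[str]:
    """Origins holding an ALLOW grant that are not on the approved list.

    Each of these can deliver OS-styled notifications to the user, which is
    exactly the channel Matrix Push C2 relies on, so each one merits review.
    """
    findings = []
    for origin, setting in notification_grants(preferences_json).items():
        if setting != ALLOW:
            continue
        parts = urlsplit(origin)
        normalized = f"{parts.scheme}://{parts.hostname}"  # strip the port
        if normalized not in approved:
            findings.append(origin)
    return sorted(findings)


def hardened_policy(approved=APPROVED_ORIGINS) -> dict:
    """Enterprise policy fragment: block notifications by default, allow only vetted origins.

    DefaultNotificationsSetting 2 means "block"; NotificationsAllowedForUrls
    lists the exceptions. (Chromium policy names; the dictionary shape is mine.)
    """
    return {
        "DefaultNotificationsSetting": 2,
        "NotificationsAllowedForUrls": sorted(approved),
    }


if __name__ == "__main__":
    for origin in unapproved_allowed_origins(SAMPLE_PREFERENCES):
        print("review notification grant:", origin)
    print(json.dumps(hardened_policy(), indent=2))
```

    On a real endpoint the JSON would be read from the user's profile directory rather than the constructed string, and the allow-list would come from the organisation's inventory; the point is that the grant itself is the control, and a default-block policy removes the social-engineering step the campaign depends on.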
