Suspicious File Download via Headless Browser
Attackers are leveraging Chromium-based browsers in headless mode with the `--dump-dom` argument to download files from file-sharing services and direct IPs, potentially indicative of reconnaissance or malware delivery.
Attackers are increasingly utilizing Chromium-based browsers such as Chrome, Edge, and Brave in headless mode to download files surreptitiously. This technique involves using the --headless and --dump-dom arguments, allowing attackers to automate browser actions without a graphical user interface. This tactic has been observed in campaigns like DUCKTAIL, where attackers used this method to download content from the internet using direct URLs or file-sharing platforms. This behavior is especially concerning because it can bypass traditional security measures that rely on user interaction. Defenders should be aware of processes spawning headless browsers and monitor for network connections to file-sharing services or unusual IP addresses.
Attack Chain
- The attacker compromises a system through an initial access vector (e.g., spearphishing, exploit).
- The attacker executes a Chromium-based browser (Chrome, Edge, Brave, etc.) from the command line or through a script.
- The browser is launched with the
--headlessand--dump-domarguments to run without a GUI and potentially download content. - The attacker uses the browser to access a URL, either a direct IP address or a file-sharing service like Mega.nz or Mediafire.com.
- The browser downloads a file from the specified URL or domain.
- The downloaded file may be a malicious payload, configuration file, or stolen data.
- The attacker executes the downloaded file or uses the data for further exploitation or lateral movement.
Impact
A successful attack can lead to malware infection, data exfiltration, or further compromise of the affected system and network. The use of headless browsers makes detection more challenging, as it mimics legitimate browser activity without the visual cues of a typical user session. The number of victims and specific sectors targeted are currently unknown, but the potential for widespread impact is significant, especially if the downloaded files contain ransomware or other destructive payloads.
Recommendation
- Monitor process creation events for Chromium-based browsers (chrome.exe, msedge.exe, brave.exe) with the
--headlessand--dump-domarguments using the provided Sigma rules. - Inspect network connections from processes matching the above criteria to known file-sharing domains listed in the IOCs.
- Analyze command-line arguments of browser processes for direct IP addresses and correlate with network connection logs.
- Review the
known_false_positivessection in the original Splunk detection for tips on tuning the detections.
Detection coverage 2
Headless Browser with Dump-DOM Argument
mediumDetects Chromium-based browsers running in headless mode with --dump-dom argument.
Network Connection to File Sharing Services from Headless Browser
mediumDetects network connections from Chromium-based browsers running in headless mode to known file-sharing services.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
26
domain
| Type | Value |
|---|---|
| domain | *.githubusercontent.com* |
| domain | *anonfiles.com* |
| domain | *cdn.discordapp.com* |
| domain | *ddns.net* |
| domain | *dl.dropboxusercontent.com* |
| domain | *ghostbin.co* |
| domain | *glitch.me* |
| domain | *gofile.io* |
| domain | *hastebin.com* |
| domain | *mediafire.com* |
| domain | *mega.nz* |
| domain | *onrender.com* |
| domain | *pages.dev* |
| domain | *paste.ee* |
| domain | *pastetext.net* |
| domain | *send.exploit.in* |
| domain | *sendspace.com* |
| domain | *storage.googleapis.com* |
| domain | *storjshare.io* |
| domain | *supabase.co* |
| domain | *temp.sh* |
| domain | *transfer.sh* |
| domain | *trycloudflare.com* |
| domain | *ufile.io* |
| domain | *w3spaces.com* |
| domain | *workers.dev* |