MutantBedrog: The Malvertiser Bypassing Trusted-Types and CSP with Disruptive Forced Redirect Campaigns
In mid-2024, cybersecurity specialists from Confiant identified a new malicious actor known as MutantBedrog. This threat raised alarm due to its aggressive campaigns of forced user redirections to malicious sites, accompanied by unique JavaScript scripts designed to scan devices and redirect users to fraudulent pages.
Of particular interest to experts were the numerous references to Content Security Policies (CSP) and Trusted-Types within these scripts. Trusted-Types is a security mechanism used to prevent XSS attacks and other dangerous JavaScript execution scenarios. However, MutantBedrog discovered a way to bypass this protection at every stage of script execution.
A sample taken from MutantBedrog’s code demonstrated that the script utilizes the Trusted-Types policy to generate malicious URLs and execute them through dynamically created elements on the page. This allowed the attackers to carry out redirects and script injections even under strict CSP limitations.
Through experiments with this code, experts confirmed that the Trusted-Types CSP could be circumvented via a multi-stage script execution strategy. These scripts are not blocked as they are executed within a trusted environment (Friendly Frame), where the policy’s rules are not always fully enforced.
However, further tests revealed that some scripts attempting to create DOM elements and directly alter their content were blocked by the browser. To evade this restriction, MutantBedrog employs additional Trusted-Types injection stages, creating even more complex scenarios to bypass defenses.
After a thorough analysis of the case, experts concluded that the issue was not a browser bug. According to specifications, Content Security Policies do not extend to iframes loaded via network requests, which creates an opportunity for exploitation if the iframe content comes from a trusted source.
This case illustrates that even advanced security mechanisms, such as CSP and Trusted-Types, can be vulnerable to circumvention in the context of sophisticated attacks. Technically adept adversaries, like MutantBedrog, are actively probing and exploiting weaknesses in browser security mechanisms, underscoring the need for constant improvements to these technologies to counter emerging threats.
