New Matrix Push C2 Abuses Push Notifications to Deliver Malware
Summary:
Matrix Push C2 is a browser-native, fileless command-and-control platform that actors are using to deliver malware and conduct phishing attacks. According to BlackFog, Matrix Push C2 abuses the web push notification system (a legitimate browser feature) as a command-and-control (C2) channel.
“This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems,” note researchers.
In these attacks, actors will first trick users into allowing browser notifications, usually through fake prompts on malicious or compromised websites. Once the user accepts, the actor gains a direct line to the user’s desktop or mobile via the browser. The attacker can then push out fake errors or notifications that appear legitimate, such as “Update required! Please update Google Chrome to avoid data loss!” Interacting with the notifications directs victims to bogus sites designed to harvest credentials or initiate malware downloads.
Matrix Push C2 operates as a malware-as-a-service kit that is sold via cybercriminal channels. The tool is accessed through a web-based dashboard that allows actors to send notifications, track victims in real time, monitor interactions such as notification clicks, create shortened links using a built-in URL shortening service, and even record installed browser extensions, including cryptocurrency wallets. It also comes loaded with configurable templates, allowing actors to theme their phishing notifications and landing pages to impersonate well-known companies such as Netflix, Cloudflare, PayPal and TikTok.
Security Officer Comments:
Matrix Push C2 highlights a shift in how actors are gaining access to victim systems. Rather than relying on traditional malware delivery methods such as malicious attachments in emails, actors are now exploiting push notifications, a standard web browser feature. Because the victim is interacting with the browser’s notification system, no traditional malware file needs to be present on the system initially, effectively allowing the actors to bypass many traditional security defenses.
Suggested Corrections:
Users should be careful when enabling push notifications while browsing the web, as such access could allow actors to push out unwanted error messages or security alerts that look legitimate. On browsers like Chrome, you can completely turn off such notifications by following the instructions below:
- Click the three dots button in the upper right-hand corner of the Chrome menu to enter the Settings menu.
- Select Privacy and Security.
- Click Site settings.
- Select Notifications.
- By default, the option is set to “Sites can ask to send notifications”. Change it to “Don’t allow sites to send notifications” if you want to block everything.
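Because the whole attack hinges on a site having been granted the Notifications permission, a useful host-level check is to list which origins already hold that grant in a Chrome profile. The following audit script is an added example (not code from BlackFog’s report); it assumes Chrome’s `Preferences` JSON layout, where per-site grants live under `profile.content_settings.exceptions.notifications` keyed by an origin pattern, with `setting` 1 = allow and 2 = block, and it runs on a constructed sample of that subtree.

```python
"""Audit which origins a Chrome profile allows to send push notifications.

Assumed layout (Chrome's Preferences file): profile.content_settings.exceptions
.notifications is a dict keyed by origin pattern, e.g. "https://site:443,*",
each holding {"setting": 1|2|3, "last_modified": "..."} (1 allow, 2 block, 3 ask).
Typical file locations: ~/.config/google-chrome/Default/Preferences (Linux),
%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Preferences (Windows).
"""
import json
from pathlib import Path
from urllib.parse import urlparse

ALLOW, BLOCK, ASK = 1, 2, 3

# Constructed sample of the relevant Preferences subtree (not real data).
SAMPLE_PREFERENCES = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://mail.example.com:443,*": {"setting": ALLOW, "last_modified": "0"},
        "https://news.example.org:443,*": {"setting": BLOCK, "last_modified": "0"},
        "https://free-prizes.example.net:443,*": {"setting": ALLOW, "last_modified": "0"},
    }}}}})


def notification_grants(prefs_json: str) -> dict:
    """Return {origin_pattern: setting} for every notification exception."""
    prefs = json.loads(prefs_json)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    return {pattern: entry.get("setting", ASK) for pattern, entry in exceptions.items()}


def pattern_host(pattern: str) -> str:
    """'https://mail.example.com:443,*' -> 'mail.example.com'."""
    return urlparse(pattern.split(",", 1)[0]).hostname or ""


def allowed_origins(prefs_json: str, allowlist=()) -> list:
    """Sorted origin patterns granted ALLOW whose host is not on the allowlist.

    Anything returned here is a site that can already deliver notifications to
    the user and deserves review; an empty list means no unexpected grants.
    """
    expected = set(allowlist)
    return sorted(p for p, s in notification_grants(prefs_json).items()
                  if s == ALLOW and pattern_host(p) not in expected)


def audit_file(path: str, allowlist=()) -> list:
    """Run the audit against an on-disk Preferences file."""
    return allowed_origins(Path(path).read_text(encoding="utf-8"), allowlist)
```

Run `audit_file(<path to Preferences>, allowlist={"mail.example.com"})` against a real profile (with the browser closed, so the file is fully flushed) to get the list of unexpected grants; revoking any you do not recognise has the same effect as the per-site block described above.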
https://www.blackfog.com/new-matrix-push-c2-deliver-malware/