This article is intended to provide you with an understanding of how attackers could leverage Web Assembly as part of their tradecraft.

When you get to the end, whether you’re blue team, red team, aspiring to be something, or a CISO sat atop a hill of endless spreadsheets of unfiltered and almost pointless Nessus scans, I want you to leave with the following:

  • insight into offensive Web Assembly tradecraft
  • knowledge of how intended functionality and processes can lead to compromise
  • an understanding of less common browser functionality from within the confines of the browser sandbox

However, you will not leave this article with copy-paste malware, though any experienced technical security professional should be able to fill the gaps.

## What is Web Assembly

Describe it

After spending a year or so messing around with Web Assembly, I started using it as part of red team engagements. The engagements I was on were not the fancy high end stuff and t…….

## Enumeration

What can be enumerated? Why is it useful? IP Graphics card

## Vishing with a twist

Vishing can be really hard to execute. You have to be really motivated and push through the struggle to eventually make it happen. I’ve found it’s a lot easier if you can get them to call you instead.

This concept is based on malware that I found in the wilderness, which started by redirecting me to a different page via XSS. The redirect took me to a really crude attempt at a tech support scam, which I’ve detailed in another article, and I adapted what I’d learned for Web Assembly: Workerbombs.

## A ghostly dropper

There's an anxiety like no other: the space in time between dropping a payload and its execution.

On Windows you have to contend with SmartScreen, which will show something similar to the screenshot below, putting an end to your feeble efforts at getting a beacon to call home:


[Screenshot: SmartScreen warning dialog]
SmartScreen restricts the execution of that file in many different ways and is generally an effective defence. When downloaded, the file is marked with a zone identifier (the `Zone.Identifier` alternate data stream), as in the image below, and this dictates how it is allowed to execute:
[Screenshot: Zone.Identifier stream on the downloaded file]
The same would apply if you were on a machine trying to access your payloads. To get around SmartScreen, an attacker would need to move beyond the browser's download API, with the exception of some known file types that are excluded and bypass it by default.

### Enter Smuggling

Emscripten offers file storage functionality, IDBFS, to create a directory/mount point in the browser's storage (IndexedDB), which has a limit of around 1GB, though that much will take a while to download. On Windows, Edge places this content into a LevelDB database at the following location:

`$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\IndexedDB`

Firefox uses a SQLite database, which is really easy to connect to and dump. As you'd expect, the databases are locked while in use, so reading them would require one of:

- hooking various functions
- terminating/restarting the browser
- VSSAdmin, and the permissions to use it (beyond the scope of this article)
- being a subprocess of the browser process that holds the lock on the DB

For the purposes of this demonstration, the log files will do.
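From the responder's side, the useful check is the inverse of the smuggling step: which origins are holding data in the Edge IndexedDB location named above, and whether a file that turns up on disk actually carries the `Zone.Identifier` stream that SmartScreen keys off. The script below is an added example, not code from the article; it assumes the `Default` profile, the Chromium per-origin folder naming `<scheme>_<host>_<port>.indexeddb.leveldb` (with large values in a sibling `.indexeddb.blob` folder), and a placeholder file path at the end.

```powershell
# Added example (not from the original article): triage of the Edge IndexedDB
# directory the article names, plus a Mark-of-the-Web check.
# Assumption: Chromium names per-origin folders "<scheme>_<host>_<port>.indexeddb.leveldb"
# and keeps large values in a sibling "<origin>.indexeddb.blob" folder (verify on your build).

function Get-EdgeIndexedDbOrigins {
    param(
        [string]$Root = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\IndexedDB",
        [int]$MinSizeKB = 512   # origins holding more than this get flagged for a closer look
    )
    if (-not (Test-Path $Root)) { Write-Warning "No IndexedDB directory at $Root"; return }
    Get-ChildItem -Path $Root -Directory -Filter '*.indexeddb.leveldb' | ForEach-Object {
        $blobDir = $_.FullName -replace 'leveldb$', 'blob'
        $dirs    = @($_.FullName) + @(if (Test-Path $blobDir) { $blobDir })
        $files   = Get-ChildItem -Path $dirs -File -Recurse -ErrorAction SilentlyContinue
        $bytes   = ($files | Measure-Object -Property Length -Sum).Sum
        if (-not $bytes) { $bytes = 0 }
        $newest  = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Origin    = $_.Name -replace '\.indexeddb\.leveldb$', ''
            SizeKB    = [math]::Round($bytes / 1KB, 1)
            LogFiles  = @($files | Where-Object Extension -eq '.log').Count   # the files the article reads
            LdbFiles  = @($files | Where-Object Extension -eq '.ldb').Count
            LastWrite = if ($newest) { $newest.LastWriteTime } else { $null }
            Flag      = ($bytes / 1KB) -gt $MinSizeKB
        }
    } | Sort-Object SizeKB -Descending
}

function Test-MarkOfTheWeb {
    # $true when the file carries the Zone.Identifier ADS; content written through
    # IndexedDB rather than the download API never receives one.
    param([Parameter(Mandatory)][string]$Path)
    $null -ne (Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
}

# Usage: list origins (largest first), then check a file of interest (placeholder path).
Get-EdgeIndexedDbOrigins | Format-Table -AutoSize
Test-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\example-file.exe"
```

An origin you do not recognise holding hundreds of kilobytes, together with a recent LastWrite, is the artefact to pull into your timeline; Firefox keeps the equivalent per-origin SQLite files under its profile storage directory rather than LevelDB.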