Connect with us

Hi, what are you looking for?


Malware & Threats

New Attack Runs Code After Closing Browser Tab

A group of researchers has discovered that websites can abuse modern browser APIs to persistently abuse browser resources for nefarious operations even after their tabs or windows have been closed. 

A group of researchers has discovered that websites can abuse modern browser APIs to persistently abuse browser resources for nefarious operations even after their tabs or windows have been closed. 

To demonstrate the attack, researchers from FORTH (Foundation for Research and Technology), Greece, and Stony Brook University, U.S., built MarioNet, a framework that allows a malicious third party to control the visitor’s browser for cryptocurrency mining, password-cracking, and distributed denial of service (DDoS) attacks. 

In a paper (PDF) detailing the attack, the researchers explain that MarioNet relies solely on already available HTML5 APIs and that it does not require the installation of additional software. This also means that it can be used on all major browsers. 

The attack is both persistent and stealthy, as it continues in the background of the browser even after the user closes the window or tab of the malicious website. However, it cannot survive browser reboots. 

“MarioNet goes beyond existing approaches and demonstrates how malicious publishers can launch persistent and stealthy attacks. This is possible by allowing malicious actors to continue having control of the victim’s browser even after the user browses away from a malicious or infected website, and by bypassing most of the existing in-browser detection mechanisms,” the paper reads. 

The framework has two main parts, namely an in-browser component and a remote command and control system. Unlike typical botnets, MarioNet doesn’t exploit implementation flaws on the target system, but relies on JavaScript capabilities and HTML5 APIs, which makes it compatible with most desktop and mobile browsers. 

Courtesy of isolation from the visited website, the system allows fine-grained control of the utilized resources and can continue its operation in the background even after the parent tab was closed, thus achieving persistence. Moreover, it can avoid detection by browser extensions that try to monitor the webpage’s activity or outgoing communication, the researchers note. 

Possible defense mechanisms include restricting or disabling service workers, or restricting the browser from fetching and deploying service workers, or requiring the user’s permission for the registration and activation of a service worker. Signature-based detection and behavioral analysis and anomaly detection systems should also prevent such attacks. 

Advertisement. Scroll to continue reading.

The attack can be launched through malicious websites, compromised domains, and through dynamic content in iframes, meaning that it is actually easy for an attacker to leverage it, the researchers say. 

“Essentially, our work demonstrates that the trust model of web, which considers web publishers as trusted and allows them to execute code on the client-side without any restrictions is flawed and needs reconsideration,” the paper reads. 

Related: Websites Can Exploit Browser Extensions to Steal User Data

Related: Ad Network Performs In-Browser Cryptojacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.