Concise Cyber

Matrix Push C2 Tool Hijacks Browser Notifications in Phishing-as-a-Service Scheme

A new phishing-as-a-service (PaaS) tool named ‘Matrix Push’ has been identified by cybersecurity researchers at Resecurity. This command-and-control (C2) tool is designed to hijack browser push notifications as a mechanism for credential theft. The tool is sold to cybercriminals on a subscription basis via the Telegram messaging platform.

The core of the Matrix Push operation involves deceiving users into subscribing to malicious notifications, which are later used to deliver phishing links directly to their browsers.

Attack Technique: Browser-in-the-Browser and Service Workers

Matrix Push employs a ‘browser-in-the-browser’ (BitB) attack technique to initiate the infection. The process begins when a user visits a website that renders a fake pop-up window inside the page itself. The pop-up is crafted to look like a legitimate prompt from a trusted domain, such as microsoft.com, asking the user for permission to show notifications.

If the user clicks ‘Allow,’ the tool registers a malicious service worker within their web browser. This service worker establishes a persistent communication channel that the attacker controls. This channel enables the operator to send customized push notifications directly to the victim’s system, even when the original website is no longer open.
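As an added defender-side example (not code from the article or from Resecurity), the script below parses a Chrome Preferences file, lists which origins have been granted notification permission, and flags any origin missing from a local allowlist, which is the check an incident responder would run to find a grant made through a prompt like the one described above. It assumes Chromium's Preferences layout (key path `profile.content_settings.exceptions.notifications`, setting value 1 = allow, 2 = block), which may differ between versions; the sample file is constructed.

```python
import json

# Chromium ContentSetting values (assumption from Chromium's enum): 1 = ALLOW, 2 = BLOCK
ALLOW = 1


def allowed_notification_origins(prefs_text):
    """Return the origins granted notification permission in a Chrome Preferences file."""
    prefs = json.loads(prefs_text)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    allowed = []
    for pattern, entry in exceptions.items():
        if entry.get("setting") == ALLOW:
            # Patterns look like "https://example.com:443,*"; keep only the origin part.
            allowed.append(pattern.split(",")[0])
    return sorted(allowed)


def flag_unexpected(allowed, allowlist):
    """Return granted origins that are not on the organisation's allowlist."""
    return [origin for origin in allowed if origin not in allowlist]


# Constructed sample Preferences file: one expected grant, one block, one unknown grant.
SAMPLE_PREFS = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://intranet.example.com:443,*": {"setting": 1},
                    "https://shop.example.org:443,*": {"setting": 2},
                    "https://news-alerts.example.net:443,*": {"setting": 1},
                }
            }
        }
    }
})

CORPORATE_ALLOWLIST = {"https://intranet.example.com:443"}

if __name__ == "__main__":
    granted = allowed_notification_origins(SAMPLE_PREFS)
    for origin in flag_unexpected(granted, CORPORATE_ALLOWLIST):
        print("unexpected notification grant:", origin)
```

On a live host, replace SAMPLE_PREFS with the contents of the profile's Preferences file and run the script with the browser closed so the file is not being rewritten.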

C2 Dashboard and Credential Harvesting

The Matrix Push C2 tool provides its operators with a web-based dashboard to manage their campaigns. This dashboard displays statistics on compromised users, including their IP address, operating system, and browser version. From this panel, attackers can craft and deploy malicious push notifications designed to look like legitimate alerts, such as a security warning from Microsoft 365.

When a victim clicks on one of these fraudulent notifications, they are redirected to a phishing landing page. This page is built to capture sensitive information by mimicking a real login portal, ultimately harvesting the user’s credentials for the targeted service.

Source: https://www.darkreading.com/threat-intelligence/matrix-push-c2-tool-hijacks-browser-notifications-phishing