A new command and control (C2) platform called Matrix Push C2 is being used by cybercriminals to distribute malware, taking advantage of a legitimate feature of web browsers: push notifications.

According to a report by BlackFrog, this malicious platform tricks users with fake system notifications, redirects them to malicious websites, monitors victims in real time, and scans for cryptocurrency wallets.

How Does the Matrix Push C2 Attack Work?

Matrix Push C2 abuses the browser’s push notification system to create a C2 communication channel. The attack process takes place in several stages:

  1. Social Engineering: Attackers trick users into allowing browser notifications, usually by luring them to compromised or malicious websites that prompt for the permission.
  2. C2 Establishment: Once the user subscribes, a direct line is established to the victim’s desktop or mobile device through the browser.
  3. False Content Delivery: Cybercriminals send legitimate-looking error messages and security alerts that appear to come from the operating system or trusted software.
  4. Malicious Redirect: If the victim clicks on these fake notifications, they are redirected to a website controlled by the attacker, which is often a phishing page or a malware download site.

BlackFrog describes this technique as a “fileless” attack because the initial interaction occurs through the browser’s notification system, eliminating the need for a traditional malware file on the system.
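Because the channel only exists once a site has been granted notification permission, one triage step is to enumerate which origins hold that permission in a user's browser profile. The script below is an added example, not code from the article or from BlackFrog; it assumes Chrome's Preferences layout (`profile.content_settings.exceptions.notifications`, with `setting` 1 meaning ALLOW) and runs on a constructed sample rather than a real profile.

```python
import json
from typing import List, Set

# Assumption: Chrome stores per-site settings in the profile's "Preferences" JSON, and
# the "setting" value follows Chromium's ContentSetting enum (1 = ALLOW, 2 = BLOCK).
ALLOW = 1

# Constructed sample of the relevant part of a Preferences file (not a real capture).
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://mail.example.com:443,*": {"last_modified": "13380000000000000", "setting": ALLOW},
                    "https://free-movies.example.net:443,*": {"last_modified": "13385000000000000", "setting": ALLOW},
                    "https://news.example.org:443,*": {"last_modified": "13370000000000000", "setting": 2},
                }
            }
        }
    }
})


def notification_grants(preferences_json: str) -> List[str]:
    """Return the origins that currently hold ALLOW for web notifications."""
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    grants = []
    for pattern, entry in exceptions.items():
        if entry.get("setting") == ALLOW:
            # The key is "<origin>,<secondary pattern>"; keep only the origin part.
            grants.append(pattern.split(",")[0])
    return sorted(grants)


def flag_unexpected(origins: List[str], allowlist: Set[str]) -> List[str]:
    """Origins with notification permission that are not on the organisation's allowlist."""
    return [o for o in origins if o not in allowlist]


if __name__ == "__main__":
    # Hypothetical allowlist of origins the organisation expects to send notifications.
    expected = {"https://mail.example.com:443"}
    for origin in flag_unexpected(notification_grants(SAMPLE_PREFERENCES), expected):
        print("review notification grant:", origin)
```

On a real endpoint, read the profile's Preferences file into the function instead of the constructed sample; any unexpected grant is a candidate for revocation and for checking what the user was shown when they accepted it.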

Features of the Matrix Push C2 Platform

The Matrix Push C2 platform operates through a web-based control panel that provides attackers with advanced capabilities:

  • Operating System Independence: Since it operates through standard browser technology, the threat is not limited to a single operating system (Windows, Mac, Linux, Android, etc.).
  • Real-Time Monitoring: The campaign dashboard shows a panel of active clients, giving the attacker detailed information about each victim in real time. This allows for a more targeted and dangerous attack, as the attacker has a live connection to the victim’s browser.
  • Configurable Templates: To increase the credibility of fake messages, Matrix Push C2 includes configurable templates from well-known brands such as MetaMask, Netflix, Cloudflare, PayPal and TikTok. These templates are designed to imitate legitimate security notifications from such providers.
  • Link Management: The platform allows attackers to generate short, innocuous-looking URLs that redirect to the real malicious site. This helps evade security filters and reduces victims’ suspicion of long, unusual links.

Conclusions and Recommendations

The use of push notifications as a C2 channel represents an evolution in social engineering tactics, taking advantage of users’ trust in browser alerts. To counter this threat, BlackFrog recommends the use of anti-data exfiltration (ADX) technology, which focuses on blocking unauthorized outgoing traffic from the system.