Analyzing malicious purposes of WebAssembly

WebAssembly was first proposed in 2017 and was approved as an official W3C (World Wide Web Consortium) standard in late 2019. It is currently supported by all major browsers, on both desktop and mobile devices.

WebAssembly was created for speed and performance. It introduces a new binary file format for transmitting code from a web server to a browser. When a WebAssembly module (WASM) reaches the browser, its code is executed at near-native speed. Because of its compact, machine-friendly binary format, WASM is smaller than its equivalent JavaScript form and also runs many times faster.

WebAssembly allows websites to run complex, CPU-intensive code without freezing the browser due to performance issues, something JavaScript was never designed or optimized for.

According to an academic study published last year, around half of the websites in the world use it for malicious purposes. Four researchers from the Technical University of Braunschweig (Germany) looked at WebAssembly's prevalence across the Alexa Top 1 Million sites, which span the whole world.

The researchers measured WebAssembly's use across the Alexa list, including the time each site spent running the code. They discovered 1,639 sites loading 1,950 WASM modules, of which 150 were unique code samples. They concluded that Wasm modules are popular enough to be found on many different sites; in one case, the exact same module was present on 346 different sites.

The researchers also noticed that, on the other hand, 87 samples were completely unique and were found on only one site. This indicates that many modules are custom developments for a single site.

The researchers didn't stop there. They analyzed the code, looking at function names and embedded strings, and then mapped out clusters of similar code.
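The approach just described, pulling function names and embedded strings out of each module and grouping modules by how much they share, can be sketched in a few dozen lines. This is an added illustration, not the study's own tooling: the parsing follows the WebAssembly binary format (export section id 7, data section id 11), while the feature choice, the Jaccard similarity, the 0.5 threshold and the greedy clustering are my own simplifications, and the sample modules are constructed inline.

```python
import re
WASM_MAGIC = b"\0asm\x01\x00\x00\x00"  # "\0asm" magic followed by version 1

def read_leb(buf, pos):  # unsigned LEB128 at pos -> (value, new_pos)
    result, shift = 0, 0
    while buf[pos] & 0x80:
        result |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return result | (buf[pos] << shift), pos + 1

def wasm_features(blob):  # feature set: exported names + printable strings in the data section
    if blob[:8] != WASM_MAGIC:
        raise ValueError("not a WebAssembly v1 binary")
    feats, pos = set(), 8
    while pos < len(blob):  # each section: id byte, LEB128 payload size, payload
        sid, (size, pos) = blob[pos], read_leb(blob, pos + 1)
        body, pos = blob[pos:pos + size], pos + size
        if sid == 7:  # export section: count, then (name, kind byte, index) entries
            count, p = read_leb(body, 0)
            for _ in range(count):
                n, p = read_leb(body, p)
                feats.add("export:" + body[p:p + n].decode("utf-8", "replace"))
                _, p = read_leb(body, p + n + 1)  # skip name and kind byte, read the index
        elif sid == 11:  # data section: harvest printable strings of 6+ chars (a heuristic)
            feats.update("str:" + s.decode() for s in re.findall(rb"[\x20-\x7e]{6,}", body))
    return feats

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0
def cluster_modules(modules, threshold=0.5):  # greedy: join the first cluster whose seed is similar
    feats, clusters = {k: wasm_features(v) for k, v in modules.items()}, []
    for name in feats:
        for c in clusters:
            if jaccard(feats[name], feats[c[0]]) >= threshold:
                c.append(name)
                break
        else:
            clusters.append([name])
    return clusters

def build_module(exports, data):  # constructed minimal module (all sizes < 128, so 1-byte LEB128)
    name = lambda s: bytes([len(s)]) + s.encode()
    sec = lambda sid, p: bytes([sid, len(p)]) + p
    exp = bytes([len(exports)]) + b"".join(name(e) + b"\x00" + bytes([i]) for i, e in enumerate(exports))
    dat = b"\x01\x00\x41\x00\x0b" + bytes([len(data)]) + data  # one segment: memidx 0, i32.const 0, end
    return WASM_MAGIC + sec(7, exp) + sec(11, dat)
SAMPLES = {  # constructed samples, not modules taken from real sites
    "site-a.wasm": build_module(["cryptonight_hash", "hash_cn"], b"pool.example:3333 stratum+tcp"),
    "site-b.wasm": build_module(["cryptonight_hash", "hash_cn"], b"pool.example:3333 stratum+tcp"),
    "site-c.wasm": build_module(["cryptonight_hash", "hash_cn", "init"], b"pool.example:3333 stratum+tcp"),
    "site-d.wasm": build_module(["render_frame", "update_physics"], b"level_01.dat textures"),
}
```

Real modules also carry an import section and usually a custom "name" section with function names; extending the parser to those sections gives much richer features than exports alone.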

According to their findings, the vast majority of the code samples they analyzed were used for cryptocurrency mining and online gaming. Although most of the samples were used for legitimate purposes, two categories of WASM code stood out as inherently malicious.

The first category was Wasm modules used for cryptocurrency mining. These are often found on hacked sites as part of so-called cryptojacking attacks.

The second category was WebAssembly code packed in a way that intentionally hid the module's content. These modules can be found as part of malvertising campaigns.

Much of this WASM code was reused across multiple domains as part of large-scale hacking operations. Taken together, this shows that the use of WebAssembly code for malicious purposes is gaining traction.
