SecurityWeek

Cybercrime

Large Malvertising Campaign Delivers Array of Payloads

A malvertising campaign that has been active for more than a year is using fingerprinting to target users with a variety of payloads, Malwarebytes security researchers warn.


Dubbed RoughTed, this large malvertising operation peaked in March 2017, with its domains accumulating over half a billion visits in the past 3 months alone. What sets it apart is its broad scope, ranging from scams to exploit kits, and the fact that it delivers payloads based on the user’s operating system, browser, and geolocation.

The campaign also uses effective techniques to triage visitors and bypass ad-blockers, which explains the large success it has seen so far. RoughTed’s operators have been using the Amazon cloud infrastructure, particularly the Content Delivery Network (CDN) and multiple ad redirections from several ad exchanges, the security firm says.

With traffic coming from thousands of publishers, some of which are ranked in Alexa’s top 500 websites, the campaign blended in and made it more difficult to identify the source of malvertising, Malwarebytes’ Jérôme Segura reveals.

Upon initial detection, the campaign was redirecting to the Magnitude exploit kit, but started redirecting to the RIG exploit kit just days later. Segura then identified the same pattern on a hundred other domains, most of which he says were purchased through the registrar EvoPlus in small batches, with a new .ru or .ua email address each time.

While analyzing the traffic for the RoughTed campaign, Segura discovered that the bulk of it was coming from video or file sharing sites closely intertwined with URL shorteners. These sites enjoy high traffic but have low standards when it comes to quality and safety of online advertising, Segura points out.

The campaign was also associated with an ad code script from advertising company Ad-Maven, which webmasters knowingly integrated into personal websites for monetization purposes. The script contains an algorithm to generate future Amazon S3 URLs, though buckets are created only for the next 3-5 days.

The code also stands out due to its fingerprinting functionality and the use of a technique called ‘canvas fingerprinting’. “The point is to profile users with great granularity and identify those that may be cheating the system by lying about their browser or geolocation,” the researcher explains.
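The canvas fingerprinting the researcher describes works by drawing text or shapes on a hidden canvas and reading the rendered pixels back; small rendering differences between GPUs, fonts and browsers make that read-back a stable per-device identifier, which is what lets the script tell a real visitor from one spoofing their browser or location. The following is an added example, not code from the article or from Malwarebytes, showing how a defender-side monitor can spot that pattern: it wraps the canvas draw and read-back methods and flags a canvas that is drawn on and then read while never attached to the page. The `makeFakeCanvasApi`, `installCanvasMonitor` and `runDemo` names, the draw-then-read heuristic and the three sample workloads are all constructed for this example; in a browser extension the monitor would be installed on the real `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype`.

```javascript
"use strict";

// Added example (not from the article or Malwarebytes): a defender-side
// monitor for canvas fingerprinting. Heuristic: a canvas that receives draw
// operations and is then read back (toDataURL / getImageData) while never
// attached to the document is a likely fingerprinting probe. Visible charts
// are attached, and exporting a blank canvas involves no draw operations.

// Minimal stand-ins for the browser canvas objects, constructed so the
// example runs under Node. A browser would use the real prototypes.
function makeFakeCanvasApi() {
  class Context2D {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    fillRect() {}
    getImageData() { return { data: new Uint8ClampedArray(4) }; }
  }
  class Canvas {
    constructor() { this.isConnected = false; this._ctx = new Context2D(this); }
    getContext() { return this._ctx; }
    toDataURL() { return "data:image/png;base64,AAAA"; }
  }
  return { Canvas, Context2D };
}

// Wrap draw and read-back methods on the given prototypes. Returns a function
// that reports the flagged read-backs seen so far.
function installCanvasMonitor(CanvasProto, CtxProto) {
  const perCanvas = new WeakMap(); // canvas -> { draws, reads, flagged }
  const flagged = [];
  const stateOf = (canvas) => {
    if (!perCanvas.has(canvas)) {
      perCanvas.set(canvas, { draws: 0, reads: 0, flagged: false });
    }
    return perCanvas.get(canvas);
  };

  // Drawing methods: count writes against the backing canvas. Methods the
  // prototype does not have (e.g. on the stand-in) are skipped.
  for (const name of ["fillText", "strokeText", "fillRect", "arc"]) {
    const orig = CtxProto[name];
    if (typeof orig !== "function") continue;
    CtxProto[name] = function (...args) {
      stateOf(this.canvas).draws += 1;
      return orig.apply(this, args);
    };
  }

  // Read-back methods: flag when a drawn-on, never-attached canvas is read.
  // The captured stack identifies the script doing the read-back, which is
  // the URL an analyst would pivot on.
  const wrapRead = (proto, name, canvasOf) => {
    const orig = proto[name];
    if (typeof orig !== "function") return;
    proto[name] = function (...args) {
      const canvas = canvasOf(this);
      const s = stateOf(canvas);
      s.reads += 1;
      if (!s.flagged && s.draws > 0 && !canvas.isConnected) {
        s.flagged = true;
        flagged.push({ method: name, draws: s.draws, stack: new Error().stack });
      }
      return orig.apply(this, args);
    };
  };
  wrapRead(CanvasProto, "toDataURL", (canvas) => canvas);
  wrapRead(CtxProto, "getImageData", (ctx) => ctx.canvas);

  return () => flagged.slice();
}

// Three constructed workloads: a fingerprinting probe, a visible chart and a
// blank-canvas export. Only the first should be flagged.
function runDemo() {
  const { Canvas, Context2D } = makeFakeCanvasApi();
  const report = installCanvasMonitor(Canvas.prototype, Context2D.prototype);

  const probe = new Canvas();                 // never attached to the page
  probe.getContext("2d").fillText("Cwm fjordbank glyphs vext quiz", 2, 2);
  probe.toDataURL();

  const chart = new Canvas();
  chart.isConnected = true;                   // shown to the user
  chart.getContext("2d").fillRect(0, 0, 10, 10);
  chart.getContext("2d").getImageData(0, 0, 1, 1);

  const blank = new Canvas();                 // exported without any drawing
  blank.toDataURL();

  return report();
}

const summary = runDemo().map(({ method, draws }) => ({ method, draws }));
console.log(JSON.stringify(summary));       // [{"method":"toDataURL","draws":1}]
```

The heuristic deliberately keys on the draw-then-read sequence rather than on any single API call, since `toDataURL` alone is common in legitimate image export; tuning the draw-operation list and adding a text-length check on `fillText` are the usual next refinements.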


What’s more, the redirections to RoughTed domains were found to happen even when ad-blockers such as Adblock Plus, uBlock Origin or AdGuard were used. In an incident involving Google Chrome, the researcher found that the browser hijacking took place as soon as the user clicked anywhere on the first visited page.

“This malvertising campaign is quite diverse and no matter what your operating system or browser are, you will receive a payload of some kind. Perhaps this should be something for publishers to have a deep hard look at, knowing what they may be subjecting their visitors to if they decide to use those kinds of adverts,” the researcher says.

As part of the campaign, users were tricked with a fake Flash Player update targeting Mac users, or with a bogus Java update for Windows users that is instead laced with adware. Bogus Chrome extensions are also part of it, leveraging the popularity of the browser, along with unwanted redirections to iTunes or the App Store, tech support scams, and surveys and other scams.

The RoughTed campaign also redirected to exploit kits, mainly for users in the US and Canada, but also for those in the U.K., Italy, Spain, and Brazil. The exploit kits used included RIG, which in turn served the Ramnit banking Trojan, and Magnitude, which eventually dropped the Cerber ransomware onto compromised systems.

Related: Malvertising Campaign Targets Adult Websites to Distribute Ramnit Worm

Related: Malvertising Jumped 132% in 2016: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
