A malvertising campaign that has been active for more than a year is using fingerprinting to target users with a variety of payloads, Malwarebytes security researchers warn.
Dubbed RoughTed, this large malvertising operation peaked in March 2017, with its domains accumulating over half a billion visits in the past 3 months alone. Unique to it is the fact that it has a broad scope, ranging from scams to exploit kits, and that it delivers payloads based on user’s operating system, browser, and geolocation.
The campaign also uses effective techniques to triage visitors and bypass ad-blockers, which explains the large success it has seen so far. RoughTed’s operators have been using the Amazon cloud infrastructure, particularly the Content Delivery Network (CDN) and multiple ad redirections from several ad exchanges, the security firm says.
With traffic coming from thousands of publishers, some of which are ranked in Alexa’s top 500 websites, the campaign blended in and made it more difficult to identify the source of malvertising, Malwarebytes’ Jérôme Segura reveals.
Upon initial detection, the campaign was redirecting to the Magnitude exploit kit, but started redirecting to the RIG exploit kit just days later. The researchers then identified the same pattern on a hundred other domains, most of which he says were purchased through registrar EvoPlus in small batches with a new .ru or .ua email address each time.
While analyzing the traffic for the RoughTed campaign, Segura discovered that the bulk of it was coming from video or file sharing sites closely intertwined with URL shorteners. These sites enjoy high traffic but have low standards when it comes to quality and safety of online advertising, Segura points out.
The campaign was also associated with an ad code script from advertising company Ad-Maven, which webmasters knowingly integrated into personal websites for monetization purposes. The script contains an algorithm to generate future Amazon S3 URLs, though buckets are created only for the next 3-5 days.
The code also stands out due to its fingerprinting functionality and the use of a technique called ‘canvas fingerprinting’. “The point is to profile users with great granularity and identify those that may be cheating the system by lying about their browser or geolocation,” the researcher explains.
What’s more, the redirections to RoughTed domains were found to happen even when ad-blockers such as Adblock Plus, uBlock origin or AdGuard were used. In an incident involving Google Chrome, the researcher found that the browser hijacking took place as soon as the user clicked anywhere on the first visited page.
“This malvertising campaign is quite diverse and no matter what your operating system or browser are, you will receive a payload of some kind. Perhaps this should be something for publishers to have a deep hard look at, knowing what they may be subjecting their visitors to if they decide to use those kinds of adverts,” the researcher says.
As part of the campaign, users were tricked with a fake Flash Player update that targets Mac, or with a bogus Java update for Windows, which instead is laced with adware. Bogus Chrome extensions are also part of it, leveraging the popularity of the browser, along with undesired redirections to iTunes/app store, tech support scams, or surveys and other scams.
The RoughTed campaign also redirected to exploit kits, mainly when it came to users in the US and Canada, but also those in the U.K., Italy, Spain, and Brazil. Used exploit kits included RIG, which in turn served the Ramnit banking Trojan, along with Magnitude, which eventually dropped the Cerber ransomware onto compromised systems.