March 7, 2022

Assessment: Since January 2022, we have seen a sharp spike in a malicious ad campaign that forcibly redirects the page without the user asking for it and deceives the user with landing pages styled after anti-virus vendors such as McAfee. When the malicious ad loads, it simultaneously executes a heavily obfuscated JavaScript payload in the background, and that payload carries out the fake anti-virus redirect. This is a particularly advanced redirect attack because the payload actively checks for anti-malvertising vendors before acting; it has affected over 500 domains.

Ad Images: (images not reproduced in this copy)

Landing Page Screenshots: (images not reproduced in this copy)

Malicious Tactics Used:

  • Obfuscation
  • Device Fingerprinting 
  • Sandbox Detection

Affected Platform: Google Ad Exchange


In one example of this malicious ad, the obfuscated JavaScript is served from "https://media[.]aso1[.]net/storage/1/7/9/17990c17291a58844865bdd7f0b818cbe561700d/index[.]html". When the ad is displayed to the user, the creative loads that URL in the background and executes it at the same time as the visible ad renders.

The threat actor has heavily obfuscated the malicious code to evade detection and to slow down analysts trying to de-obfuscate it and understand its behaviour. Threat actors use a wide variety of obfuscation techniques; in this case the payload is wrapped in CryptoJS AES encryption and decrypted at run time, in the style of:

var decrypted = CryptoJS.AES.decrypt(encrypted, "Secret Passphrase");
var plaintext = decrypted.toString(CryptoJS.enc.Utf8); // decrypt() returns a WordArray; the payload is read back as UTF-8 text before it is evaluated

CryptoJS supports AES-128, AES-192 and AES-256 and picks the variant from the size of the key passed in. When a string passphrase is passed instead of a key, CryptoJS derives a 256-bit key and a 128-bit IV from the passphrase and a random 8-byte salt using the OpenSSL EVP_BytesToKey scheme (MD5), and the base64 output begins with "Salted__" (encoded as U2FsdGVkX1), which is a useful string to hunt for in creatives. Because the script has to decrypt itself before it can run, the passphrase must be present in the code; the encryption therefore provides obfuscation rather than secrecy, and once an analyst locates the passphrase the payload can be recovered offline.

The malicious code creates a canvas element, renders content into it and hashes the result, producing a canvas fingerprint of the machine the ad is actually executing on. It then compares that hash against a hard-coded list of values; if the hash matches one of them, the redirect is not carried out. The list is presumably made up of fingerprints of known analysis environments, so the check functions as sandbox detection.

If the code detects an anti-malvertising vendor on the creative, it voids the following entities (for example by overwriting them with undefined) in the current frame and also in the main parent frame. With these APIs gone, the vendor's instrumentation cannot send telemetry or fetch further resources, so the scanner is blinded while the script holds back its redirect.

Disabled Items:

  • XMLHttpRequest
  • navigator.sendBeacon
  • postMessage
  • Image
  • Request
  • fetch

The code checks for an "ontouchstart" event property, which is present only in touch environments, i.e. mobile browsers (and touch-capable laptops). From this we can infer that the threat actor targets mobile phones. The code also calls the "getTimezoneOffset" method, which returns the difference between Coordinated Universal Time (UTC) and local time in minutes; this gives the UTC offset of the device the ad executed on, which is a coarse indicator of its region rather than an exact location.

The malicious code registers event listeners and checks whether the events it receives come from a real user or from an automated testing environment; the browser's isTrusted flag is the usual way to tell a synthetic dispatchEvent from genuine input. The redirect fires only after a real click, mousedown, scroll, keydown or similar interaction, so a sandbox that merely loads the creative never sees it.

When all of these conditions are favourable, the malicious JavaScript redirects the user to a fake McAfee scanning landing page, via a couple of intermediate hops.
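As an added illustration of the checks described in the preceding paragraphs (canvas fingerprint against a hard-coded list, the ontouchstart and getTimezoneOffset probes, the trusted-event gate and the API-disabling step), here is a reconstruction of the gating logic in Node-compatible JavaScript. It is not the campaign's code: the hash (FNV-1a), the function names, the stub canvas and the sample environments are assumptions chosen so it runs offline; in a browser, createCanvas would be () => document.createElement('canvas'). Its value for a defender is to show what a scanner's environment has to look like before the payload will reveal the redirect.

```javascript
// FNV-1a 32-bit, standing in for whatever hash the real script applies to the
// canvas output (assumption: the post does not name the hash).
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Canvas fingerprint: render fixed content, hash the encoded pixels. createCanvas
// is injected so this runs in a browser or against the stub below.
function canvasFingerprint(createCanvas) {
  const canvas = createCanvas();
  canvas.width = 220;
  canvas.height = 40;
  const ctx = canvas.getContext('2d');
  ctx.textBaseline = 'top';
  ctx.font = '14px Arial';
  ctx.fillStyle = '#f60';
  ctx.fillRect(120, 4, 60, 20);
  ctx.fillStyle = '#069';
  ctx.fillText('fingerprint check', 2, 12);
  return fnv1a32(canvas.toDataURL());
}

// Offline stand-in for a canvas: toDataURL() returns a fixed string that
// represents one machine's rendering (constructed).
function stubCanvas(dataUrl) {
  return () => ({
    width: 0, height: 0,
    getContext: () => ({ fillRect() {}, fillText() {} }),
    toDataURL: () => dataUrl,
  });
}

// Constructed renders and the hard-coded list the script compares against.
const SANDBOX_RENDER = 'data:image/png;base64,CONSTRUCTED-SANDBOX-RENDER';
const PHONE_RENDER = 'data:image/png;base64,CONSTRUCTED-PHONE-RENDER';
const KNOWN_SANDBOX_HASHES = new Set([fnv1a32(SANDBOX_RENDER)]);

const USER_EVENT_TYPES = new Set(['click', 'mousedown', 'scroll', 'keydown', 'touchstart']);

// Void the "Disabled Items" on each frame handed in (current frame and its parent);
// a Set avoids touching a top-level window twice since there parent === window.
function disableReportingApis(frames) {
  const cleared = [];
  for (const win of new Set(frames)) {
    for (const name of ['XMLHttpRequest', 'postMessage', 'Image', 'Request', 'fetch']) {
      if (name in win) { win[name] = undefined; cleared.push(name); }
    }
    if (win.navigator && 'sendBeacon' in win.navigator) {
      win.navigator.sendBeacon = undefined;
      cleared.push('navigator.sendBeacon');
    }
  }
  return cleared;
}

// env: { window, createCanvas, now, vendorDetected, lastEvent }. How the real script
// detects a vendor is not described in the post, so that result is passed in as a flag.
function evaluateGate(env) {
  const blocks = [];
  if (!('ontouchstart' in env.window)) blocks.push('no touch support');
  const fp = canvasFingerprint(env.createCanvas);
  if (KNOWN_SANDBOX_HASHES.has(fp)) blocks.push('canvas hash matches sandbox list');
  if (env.vendorDetected) {
    disableReportingApis([env.window, env.window.parent]);
    blocks.push('anti-malvertising vendor present');
  }
  const ev = env.lastEvent;
  if (!ev || !ev.isTrusted || !USER_EVENT_TYPES.has(ev.type)) blocks.push('no trusted user event');
  return {
    redirect: blocks.length === 0,   // true only when every check passes
    blocks,
    canvasHash: fp,
    timezoneOffset: env.now.getTimezoneOffset(), // profiled, not used as a block here
  };
}

// Minimal window stand-in carrying only the properties the gate touches (constructed).
function makeWindow(touch) {
  const win = {
    XMLHttpRequest: function () {}, postMessage() {}, Image: function () {},
    Request: function () {}, fetch() {}, navigator: { sendBeacon() {} },
  };
  if (touch) win.ontouchstart = null;
  win.parent = win; // top-level frame: parent is itself
  return win;
}

const SANDBOX_ENV = {
  window: makeWindow(false), createCanvas: stubCanvas(SANDBOX_RENDER), now: new Date(),
  vendorDetected: false, lastEvent: { type: 'click', isTrusted: false },
};
const PHONE_ENV = {
  window: makeWindow(true), createCanvas: stubCanvas(PHONE_RENDER), now: new Date(),
  vendorDetected: false, lastEvent: { type: 'touchstart', isTrusted: true },
};
```

Run against SANDBOX_ENV the gate reports three blocks (no touch support, sandbox canvas hash, synthetic click) and withholds the redirect; against PHONE_ENV it allows it. The practical lesson for anyone scanning creatives is that a headless load with a dispatched click is exactly the profile the script is built to ignore.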

We have seen a concerning volume of ads from this malicious campaign across both desktop and mobile devices.
