Malicious advertisements

Major malware tactics used

• Device fingerprinting

Malicious behavior 

The threat actor has created a group of several malvertising campaigns that follow the same attack/execution pattern. The creative markup contains the initial first stage malicious JavaScript code hardcoded inside it. When the creative gets executed, the malicious code also gets simultaneously executed in the background without any user intervention. 

This time the first stage malicious JavaScript loader isn’t obfuscated which becomes easy for malware researchers to debug and understand the malicious code flow. They have multiple functions to collect user device information and the bad threat actor creates a second stage unique malicious JavaScript long URL, which automatically redirects and deceives the end user by showing fake Walmart/Google search reward pop-ups. Sometimes, based on the geo-location, the user gets redirected to multiple fake adult dating websites too. 

Sample malicious JavaScript function that collects user timezone location and CPU information. 

Malicious landing pages

In one example of this malicious ad, the obfuscated bad javascript code is coming through "https://media[.]aso1[.]net/storage/1/7/9/17990c17291a58844865bdd7f0b818cbe561700d/index[.]html"

When the malicious ad is displayed to user, the ad simultaneously loads and executes "https://media[.]aso1[.]net/storage/1/7/9/17990c17291a58844865bdd7f0b818cbe561700d/index[.]html" in the background. 

The threat actor has heavily obfuscated the malicious code to evade detection and carry out the redirect attack. Thus making it difficult for malware researchers to de-obfuscate and understand the malware behavior. Threat actors always use a wide variety of techniques for obfuscating the malicious code. In our case, they've used the "CryptoJS AES Encryption" technique for obfuscation. 

var decrypted = CryptoJS.AES.decrypt(encrypted, "Secret Passphrase");

CryptoJS supports AES-128, AES-192, and AES-256. It will pick the variant by the size of the key you pass in. If you use a passphrase, then it will generate a 256-bit key. In order to decrypt the malicious code, we may need a decryption key which is present in the code itself. 

The malicious code creates a canvas element and does some hashing process on the executed real time machine and compares the generated hash value with the hard coded list of hash values. They won't carry out the redirect if the hashes match.

If the code finds any anti-malvertising vendors, they try to void the following entities on the current frame and also on the main parent frame which means they don't run these functions when they find any anti-malvertising vendors present on the creative. 

Disabled Items:

• XMLHttpRequest
• navigator.sendBeacon
• postMessage
• Image
• Request
• fetch

They have used an "ontouchstart" event that will get triggered once the element is touched which happens only on mobile touch environments. From this, we can understand that the threat actor targets mobile phones. The code contains the "getTimezoneOffset" method which is used to return the time difference between Universal Coordinated Time (UTC) and local time, in minutes. By using this method, they can find the timezone/location of the executed ad.

The malicious code listens to some event listeners and checks if the events are from a real user or from some automated testing environment. The malicious redirect happens only when there is a real click/mousedown/scroll/keydown etc.

Upon favorable technical conditions, the malicious javascript code redirects the user to fake McAfee scanning landing pages with a couple of hops in between. 

We have seen a concerning volume of ads from this malicious campaign across both desktop and mobile devices.