惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

AWS News Blog
AWS News Blog
Schneier on Security
Schneier on Security
P
Palo Alto Networks Blog
T
Threat Research - Cisco Blogs
NISL@THU
NISL@THU
S
Secure Thoughts
L
LINUX DO - 最新话题
S
Securelist
C
CXSECURITY Database RSS Feed - CXSecurity.com
C
Cybersecurity and Infrastructure Security Agency CISA
Recent Announcements
Recent Announcements
S
Schneier on Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tailwind CSS Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cyberwarzone
Cyberwarzone
宝玉的分享
宝玉的分享
Last Week in AI
Last Week in AI
月光博客
月光博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
酷 壳 – CoolShell
酷 壳 – CoolShell
雷峰网
雷峰网
Security Archives - TechRepublic
Security Archives - TechRepublic
V
Vulnerabilities – Threatpost
T
Tor Project blog
GbyAI
GbyAI
B
Blog
博客园 - 司徒正美
博客园 - 叶小钗
Recorded Future
Recorded Future
F
Fortinet All Blogs
Spread Privacy
Spread Privacy
IT之家
IT之家
Forbes - Security
Forbes - Security
L
Lohrmann on Cybersecurity
有赞技术团队
有赞技术团队
博客园 - 聂微东
A
Arctic Wolf
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Blog of Author Tim Ferriss
N
News and Events Feed by Topic
O
OpenAI News
Apple Machine Learning Research
Apple Machine Learning Research
Help Net Security
Help Net Security
Martin Fowler
Martin Fowler
WordPress大学
WordPress大学
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
TaoSecurity Blog
TaoSecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Jerome Segura – ThreatDown by Malwarebytes

WorkersDevBackdoor and MadMxShell converge in malvertising campaigns SmartApeSG walkthrough ClearFake walkthrough - ThreatDown by Malwarebytes Gootloader walkthrough - ThreatDown by Malwarebytes Threat actors ride the hype for newly released Arc browser - ThreatDown by Malwarebytes FakeBat - ThreatDown by Malwarebytes Nitrogen - ThreatDown by Malwarebytes LockBit Black - ThreatDown by Malwarebytes Corporate users targeted via malicious ads and modals - ThreatDown by Malwarebytes
A peek inside a malvertising campaign - ThreatDown by Malwarebytes
Jerome Segura · 2024-05-13 · via Jerome Segura – ThreatDown by Malwarebytes

We look at the tools and services threat actors are using and abusing to distribute malware via online ads.

As threat actors continue to rely on the use of online ads to distribute malware (malvertising), we are learning more about their tactic, techniques and procedures (TTPs). There are a number of elements in the attack chain that defenders can disrupt by reporting, taking down or creating detection rules.

While many security companies tend to focus on the malicious infrastructure and malware payloads, few have documented what happens within the broader malvertising ecosystem. To be fair, there is not a lot of information readily available to quantify such attacks. Certainly, advertising and analytic platforms must collect a lot of very interesting data points, but these are seldom shared publicly.

In this blog post, we explore some of the techniques and services used and abused in a typical malvertising campaign. Of course, the TTPS may vary quite a bit from one threat actor to the next, but generally speaking we often see very similar approaches.

Disclaimer: This is by no means a tutorial or invitation to perform malicious activities; the incident described here came from a real attack which was already reported to Google.

Attack overview

Lately, we’ve observed several malicious ads for an IT admin tool called Advanced IP Scanner. One such campaign was noteworthy because the threat actor made a few mistakes that allowed us to gain some insights.

The malicious ad looks authentic, redirects to a decoy website where victims will be tricked into downloading a digitally signed, but malicious executable that installs both Advanced IP Scanner and a loader before downloading and executing the final payload (SecTopRAT).

Malicious ad

The threat actor is using Google Ads to create a malicious ad likely from a hijacked account that they bought from some other criminal. This allows them to benefit from previously established legitimacy and fly under the radar.

Upon creating a new ad campaign, you are instructed to provide a “final URL”. Also known as a landing page in marketing terms, its goal is to convert ad clicks into website traffic thereby increasing the potential to generate sales. Criminals will use a final URL that matches that of the brand they are impersonating (i.e. their official website) to comply with Google’s rules. In practice, they will be able to reroute traffic from the ad to their own malicious URL, thanks to a feature called a tracking template.

A tracking template can be added under the campaign URL options, and is typically used to track analytics related to ad clicks. This is a common practice in the marketing/affiliate space to make sure that visitors are real and unique humans that meet their criteria. A problem arises when such templates are abused to fingerprint visitors and redirect bots, crawlers or validations tools to the real website or a bogus site that is not malicious. In contrast, potential victims will be redirected to a malicious website instead.

As we can see, an ad can be fully customized, from headline to display URL, in a way that can impersonate a brand. For example, you can upload a custom logo that could be the official logo for a well known product.

Once the ad goes live, victims may see it when they perform a search that matches the ad’s keywords and provided that the advertiser won the bidding against other competitors. The way a search results page works is by showing sponsored results at the top and throughout the page. This gives an attacker (or a competitor) an easy way to drive traffic to their own website, while the organic search result will come next. With malvertising, this leads to situations such as the one seen below where victims have little chance but to click on the malicious link.

Cloaking/click tracking

There are a number of legitimate services offered to advertisers to track their marketing campaigns. Google refers to those services as click trackers and maintains the Google Transparent Click Tracker Certification program that helps to protect users from click tracker abuse.

This is directly related to the tracking template URL threat actors are abusing. We can see that the certification program and guidelines are not enough to prevent exploiting this feature. Over time, we have observed certain click tracking companies abused more so than others, perhaps due to their ease of use or cost.

Decoy site

The final destination for a victim is not the so-called final URL, thanks to the click tracker service, but rather an attacker-controlled website. That landing page is meant to trick users into downloading malware, thinking they are downloading the actual program instead.

The attacker created a decoy site that uses a domain name lexically close to the brand to deceive victims that aren’t paying close attention. The site’s content was copied from the official page by using a Chrome extension known as SingleFile. What this means is that the threat actor only needs to upload a single HTML file that contains all the CSS, images, and other web content.

Control panel

The threat actor is tracking traffic to their landing page and recording the date, IP address, country, operating system, browser and user-agent of each visitor. We can see that most victims are from the United States, running Windows 10 and the Chrome web browser.

Here is the breakdown of victims by country generated from the exported file clicks_data.csv:

The following chart records the number of clicks (and actual redirects to the decoy site, excluding crawlers, bots, etc.) on the ad for one day:

The link to the malware payload can be defined directly from the panel:

Payload

It is quite common for attackers to digitally sign their payload as a way to bypass AV detections. Often times, the payloads dropped from such malvertising attacks are “simply” loaders which means that they are included in the overall service (malicious ad + decoy site + loader). A customer will choose to add their own malware payload (SecTopRAT here).

Conclusion

This blog post provided an overview into a malvertising campaign by showing some of the techniques, tools and services used by a threat actor. For the past couple of years, Google search ads have been consistently exploited to deliver malware to users looking to download business, productivity or communication programs.

ThreatDown researchers track and report the different components involved in malvertising attacks. As we cannot control if or when malicious ads and infrastructure will be taken down, we first and foremost provide protection to our customers.