https://www.malwarebytes.com/blog/threat-intelligence/2023/08/malvertisers-up-the-game-against-researchers
Threat Intelligence

MALVERTISERS UP THEIR GAME AGAINST RESEARCHERS

Posted: August 16, 2023 by Jérôme Segura

Malicious ads on search engine results pages are getting harder to identify thanks to advanced fingerprinting techniques.

Threat actors constantly take notice of the work and takedown efforts initiated by security researchers. In this constant game of cat and mouse, tactics and techniques keep evolving from simple to more complex and more covert.
This is a trend we have observed time and time again, no matter the playing field, from exploit kits to credit card skimmers. As defenders, we may have mixed reactions: on the one hand, as technical people we naturally appreciate a well-written exploit or piece of code and the challenge it creates. There is something about it that sparks our interest and curiosity. On the other hand, we know that the people behind it have bad intentions and intend to do harm.

In today's blog post, we look at a recent malvertising chain that started using a more advanced cloaking technique to remain under the radar. Based on our tracking, this is a new trend for the malvertising campaigns that drop infostealers and other malware used by initial access brokers in ransomware operations.

MALICIOUS AD AND CLOAKING

Threat actors continue to target certain IT programs, such as remote access tools and network scanners, by creating ads that are displayed on popular search engines such as Google. The ad below is for the Advanced IP Scanner tool and was found when performing a Google search from a US IP address.

Figure 1: Malicious ad on Google for Advanced IP Scanner

The domain name advnced-lp-scanner[.]com may look legitimate but it is not. It was registered on Jul 30 2023 and is hosted on a server in Russia at 185.11.61[.]65.

If you were to investigate this ad, you would likely open it in a virtual machine and see where it leads. One of the most common checks done by threat actors is a simple server-side IP check to determine whether you are coming from a VPN or proxy, or have visited the site before. That means that as researchers we constantly need fresh IP addresses that look legitimate, and then have to revisit the page.

Interestingly, even with a fresh IP address the landing page looked innocent. This can happen for different reasons: for example, the threat actor may still be setting up the site and may not have finished swapping it to the malicious version.
Or the time of day may not be in line with when the attacker makes the switch.

Figure 2: Decoy page without any malware to download

ADVANCED FINGERPRINTING

Looking closer at the network requests from the ad to the web server, we saw new code that looked suspicious. It is Base64-encoded JavaScript that is loaded before anything else on the page. This client-side request is only performed after the server-side IP check has decided that your IP address is clean. In other words, it is another layer that has to be passed before we get to see what we are looking for.

Figure 3: Suspicious Base64-encoded code

We can decode this code with CyberChef and beautify it to see what it does. Here are some of the checks it performs:

* browser properties such as window and screen size
* time zone (the offset between UTC and local time)
* browser rendering capabilities, which reveal the video card driver
* MIME type support for the MP4 file format

Figure 4: Decoded fingerprinting script

Many tools used by researchers are Python scripts that fetch pages without executing JavaScript, and they will fail the test. The same goes for virtual machines: the WEBGL_debug_renderer_info extension exposes the GPU renderer string, which reveals virtualization such as VMware or VirtualBox. The data collected from visitors is then sent back to the attacker's website in a POST request, where it is parsed to determine what action to take next.

Figure 5: POST request sending victim's details to attacker

Below is the web traffic view of a successful redirection to the malicious page where the victim can download the malware payload.

Figure 6: Web traffic from malicious ad to payload page

And this is the malware landing page:

Figure 7: Malware landing page after successfully passing the fingerprinting checks

We can now collect the payload and make sure that it is detected.
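To make the fingerprinting layer concrete, here is an added example of how the four categories of checks listed above can be gathered in a browser and turned into a cloaking verdict. This is not the attacker's decoded script (Figure 4) and not Malwarebytes' tooling; the renderer patterns, the thresholds in analysisIndicators() and the stub window are assumptions chosen for illustration, while every DOM call used (screen, getTimezoneOffset(), WEBGL_debug_renderer_info, canPlayType()) exists in real browsers with the signature shown.

```javascript
// Added example, not the attacker's script and not Malwarebytes' code: a
// reconstruction of the four check categories the post lists, plus the
// kind of server-side verdict a cloaking backend derives from them.
// `win` stands in for the browser `window` so the same functions run in
// Node against a constructed stub; in a browser call collectFingerprint(window).

function collectFingerprint(win) {
  const fp = {
    innerWidth: win.innerWidth,
    innerHeight: win.innerHeight,
    screenWidth: win.screen.width,
    screenHeight: win.screen.height,
    // Minutes between UTC and local time, e.g. -120 for CEST, 240 for EDT.
    tzOffset: new win.Date().getTimezoneOffset(),
    webglRenderer: null,
    mp4: '',
  };

  // The unmasked renderer string names the GPU driver; a VM guest or a
  // software rasteriser shows up here ("VMware SVGA 3D", "VirtualBox",
  // "llvmpipe", "SwiftShader") where a real desktop reports a GPU model.
  const canvas = win.document.createElement('canvas');
  const gl = canvas.getContext('webgl') || canvas.getContext('experimental-webgl');
  if (gl) {
    const ext = gl.getExtension('WEBGL_debug_renderer_info');
    if (ext) fp.webglRenderer = gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
  }

  // HTMLMediaElement.canPlayType() returns "", "maybe" or "probably".
  const video = win.document.createElement('video');
  if (typeof video.canPlayType === 'function') {
    fp.mp4 = video.canPlayType('video/mp4; codecs="avc1.42E01E"');
  }
  return fp;
}

// Renderer strings that give away virtualisation or headless rendering (assumed list).
const VM_RENDERERS = [/vmware/i, /virtualbox/i, /llvmpipe/i, /swiftshader/i, /parallels/i, /mesa offscreen/i];

// Backend verdict with hypothetical thresholds: returns the reasons a visitor
// does not look like a real desktop user; an empty list means "redirect to payload".
function analysisIndicators(fp) {
  const reasons = [];
  if (!fp.screenWidth || !fp.screenHeight || fp.screenWidth < 800 || fp.screenHeight < 600) {
    reasons.push('tiny-or-missing-screen');
  }
  if (fp.innerWidth > fp.screenWidth || fp.innerHeight > fp.screenHeight) {
    reasons.push('viewport-larger-than-screen');
  }
  // Weak signal on its own (UK winter time is also 0); a cloaker would more
  // likely compare it against the time zone implied by the IP geolocation.
  if (fp.tzOffset === 0) reasons.push('utc-timezone');
  if (!fp.webglRenderer) reasons.push('no-webgl');
  else if (VM_RENDERERS.some((re) => re.test(fp.webglRenderer))) reasons.push('virtualised-gpu');
  if (!fp.mp4) reasons.push('no-mp4-support');
  return reasons;
}

// Constructed stand-in for `window`, so the collector can run outside a browser.
function makeStubWindow({ renderer, mp4 = 'probably', width = 1920, height = 1080, inner = [1600, 900], tz = -120 }) {
  const gl = {
    getExtension: (name) => (name === 'WEBGL_debug_renderer_info' ? { UNMASKED_RENDERER_WEBGL: 0x9246 } : null),
    getParameter: (p) => (p === 0x9246 ? renderer : null),
  };
  return {
    innerWidth: inner[0],
    innerHeight: inner[1],
    screen: { width, height },
    Date: class { getTimezoneOffset() { return tz; } },
    document: {
      createElement: (tag) => (tag === 'canvas'
        ? { getContext: () => (renderer === null ? null : gl) }
        : { canPlayType: (type) => (type.startsWith('video/mp4') ? mp4 : '') }),
    },
  };
}

// Usage: the shape of what would go into the POST body, and the verdict on it.
const sampleFp = collectFingerprint(makeStubWindow({ renderer: 'VMware SVGA 3D', width: 1024, height: 768, inner: [1024, 700] }));
console.log(JSON.stringify(sampleFp), analysisIndicators(sampleFp));
```

The same collector is what a researcher can drop into the browser console of an analysis VM to see exactly which property gives the environment away: in practice the renderer string is the most reliable tell, which is why defeating this layer usually means spoofing WebGL rather than just changing the IP address.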
CONCLUSION

By using better filtering before redirecting potential victims to malware, threat actors ensure that their malicious ads and infrastructure remain online longer. Not only does it make it more difficult for defenders to identify and report such events, it also likely affects takedown actions.

In the majority of cases where we have reported malvertising incidents, the abused platform needs to validate the information before taking action against the advertiser. This makes sense, as reports could be erroneous and lead to advertising accounts being suspended unjustly. However, it also means that while an incident is being investigated and reproduced (which could take hours), people will keep clicking on those ads and downloading malware.

As we continue to report malvertising campaigns, we improve our understanding of the threat actors' TTPs and adjust our toolsets accordingly. Any intelligence gathered is shared within our products and ultimately delivered to Malwarebytes customers via web and malware protection updates to ensure they remain protected.
ABOUT THE AUTHOR

Jérôme Segura, Director of Threat Intelligence. A special interest for web threats.