URL: https://www.malwarebytes.com/blog/threat-intelligence/2023/08/malvertisers-up-the-game-against-researchers
Threat Intelligence


MALVERTISERS UP THEIR GAME AGAINST RESEARCHERS

Posted: August 16, 2023 by Jérôme Segura

Malicious ads on search engine results pages are getting harder to identify
thanks to advanced fingerprinting techniques

Threat actors constantly take notice of the work and takedown efforts initiated
by security researchers. In this constant game of cat and mouse, tactics and
techniques keep evolving from simple to more complex and more covert.

This is a trend we have observed time and time again, no matter the playing
field, from exploit kits to credit card skimmers. As defenders, we may have
mixed reactions: on the one hand, as technical people we naturally appreciate a
well-written exploit or piece of code and the challenge it creates. There is
something about it that sparks our interest and curiosity. On the other hand, we
know that the people behind it have bad intentions and intend to do harm.

In today's blog post, we look at a recent malvertising chain that started using
a more advanced cloaking technique to remain under the radar. Based on our
tracking, this is a new trend for malvertising campaigns that drop infostealers
and other malware used by initial access brokers in ransomware operations.


MALICIOUS AD AND CLOAKING

Threat actors continue to target certain IT programs such as remote access
tools and scanners by creating ads that are displayed on popular search
engines such as Google. The ad below is for the Advanced IP Scanner tool and was
found when performing a Google search from a US IP address.

Figure 1: Malicious ad on Google for Advanced IP Scanner

The domain name advnced-lp-scanner[.]com may look legitimate but it is not. It
was registered on Jul 30 2023 and is hosted on a server in Russia
at 185.11.61[.]65.

If you were to investigate this ad, you would likely open it up in a virtual
machine and see where it leads. One of the most common checks performed by
threat actors is a simple server-side IP check to determine whether you are
running a VPN or proxy, or have visited the site before. That means that as
researchers we need to constantly find new IP addresses that look legitimate and
then revisit the page.

Interestingly, even with a fresh IP address the landing page looked innocent.
This can happen for different reasons, for example if the threat actor is in the
process of setting up the site and hasn't finished swapping it to the malicious
version. Or it could also be that the time of day is not in line with when the
attacker is making the switch.

Figure 2: Decoy page without any malware to download


ADVANCED FINGERPRINTING

Looking closer at the network requests from the ad to the web server, we saw new
code that looked suspicious. It is Base64-encoded JavaScript that is loaded
before anything else on the page.

In fact, this client-side request was performed after a server-side IP check to
determine if your IP address was clean. In other words, this is another layer
that needs to be processed before we get to see what we are looking for.

Figure 3: Suspicious Base64-encoded code

We can deobfuscate this code using CyberChef and further beautify it to see what
it does. Here are some of those checks:

 * browser properties such as window and screen size
 * time zone (difference between UTC and local time)
 * browser rendering capabilities related to the video card driver
 * MIME type support for the MP4 file format



Figure 4: Decoded fingerprinting script

Many tools used by researchers are scripted in Python and will fail these
checks. The same goes for virtual machines: the WEBGL_debug_renderer_info API
can help detect whether the visitor is running under virtualization such as
VMware or VirtualBox, since the unmasked renderer string names the virtual GPU.
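The decoding step and the list of checks above suggest a simple triage routine a researcher can run over a captured landing page: find inline scripts loaded through atob(), decode them, and flag those that touch several of the fingerprinting APIs the article names. This is an added example, not code from the article or from Malwarebytes; the marker names, the regex and both sample pages are constructed assumptions for illustration.

```python
import base64
import binascii
import re

# APIs that reveal the properties the article lists, grouped by category.
# Names beyond the article's own list (sendBeacon, UNMASKED_* constants) are
# assumptions added for coverage.
FINGERPRINT_MARKERS = {
    "screen_or_window": ["screen.width", "screen.height", "innerWidth", "innerHeight"],
    "timezone": ["getTimezoneOffset"],
    "webgl_renderer": ["WEBGL_debug_renderer_info", "UNMASKED_RENDERER_WEBGL"],
    "mp4_support": ["canPlayType", "video/mp4"],
    "exfil_post": ["XMLHttpRequest", "fetch(", "navigator.sendBeacon", "POST"],
}

# Matches atob("...") / Base64.decode("...") with a payload long enough to be a script.
B64_RE = re.compile(r'''(?:atob|Base64\.decode)\(\s*['"]([A-Za-z0-9+/=]{40,})['"]''')


def decode_b64_scripts(html):
    """Return the decoded text of every Base64 blob passed to atob()-style calls."""
    decoded = []
    for match in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64, skip rather than abort the whole page
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def fingerprint_categories(js):
    """Categories of fingerprinting markers present in one decoded script."""
    return sorted(cat for cat, names in FINGERPRINT_MARKERS.items() if any(n in js for n in names))


def triage(html, threshold=3):
    """One finding per decoded script; suspicious when >= threshold categories hit."""
    return [{"categories": (c := fingerprint_categories(js)), "suspicious": len(c) >= threshold}
            for js in decode_b64_scripts(html)]


def _wrap(js):  # constructed helper: embed a script the way the cloaker loads it
    return '<html><head><script>eval(atob("' + base64.b64encode(js.encode()).decode() + '"))</script></head></html>'


# Constructed samples: a fingerprinting loader and a benign inline script.
SAMPLE_JS = ("var w=window.innerWidth,h=screen.height,tz=new Date().getTimezoneOffset();"
             "var gl=document.createElement('canvas').getContext('webgl');"
             "var r=gl.getParameter(gl.getExtension('WEBGL_debug_renderer_info').UNMASKED_RENDERER_WEBGL);"
             "var mp4=document.createElement('video').canPlayType('video/mp4');"
             "fetch('/c',{method:'POST',body:JSON.stringify({w:w,h:h,tz:tz,r:r,mp4:mp4})});")
BENIGN_JS = "document.getElementById('year').textContent = new Date().getFullYear();"
SAMPLE_HTML, BENIGN_HTML = _wrap(SAMPLE_JS), _wrap(BENIGN_JS)
```

Run triage() over a page saved from the research VM; a script hitting most categories before any content loads is the gating layer described above and worth capturing along with its POST target.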

The data that is collected from visitors is then sent back to the attacker's
website via a POST request for further parsing and to determine what action to
take next.



Figure 5: POST request sending victim's details to attacker

Below is the web traffic view of a successful redirection to the malicious page
where the victim can download the malware payload.

Figure 6: Web traffic from malicious ad to payload page

And this is the malware landing page:

Figure 7: Malware landing page after successfully passing the fingerprinting
checks

We can now collect the payload and make sure that it is detected.


CONCLUSION

By using better filtering before redirecting potential victims to malware,
threat actors ensure that their malicious ads and infrastructure remain online
longer. Not only does it make it more difficult for defenders to identify and
report such events, it also likely has an impact on takedown actions. In the
majority of cases where we have reported malvertising incidents, the abused
platform needs to validate the information before taking action against the
advertiser.

This makes sense as reports could be erroneous and lead to advertising accounts
being suspended unjustly. However, it also means that while an incident is being
investigated and reproduced (which could take hours), people will click on those
ads and download malware.

As we continue to report malvertising campaigns, we improve our understanding of
the threat actors' TTPs and adjust our toolsets accordingly. Any intelligence
gathered is shared within our products and ultimately delivered to Malwarebytes
customers via web and malware protection updates to ensure they remain
protected.

ABOUT THE AUTHOR

Jérôme Segura
Director of Threat Intelligence

A special interest for web threats.