Malvertising Attack Matrix

[C701] Code obfuscation

Technique Description: Code Obfuscation applies to a broad category of techniques and tactics that are employed by attackers in order to make their code hard to read by human analysts. This can include any combination of basic or advanced encoding techniques.

Procedure example: Malvertisers will employ a combination of out of the box obfuscation solution with javascript-obfuscator being the most popular: https://github.com/javascript-obfuscator/javascript-obfuscator. Groups that are more sophisticated like Zirconium will typically use bespoke multi-layered obfuscation that allows them to blend in more and look like "native" Ad Tech.

References [Confiant] Zirconium was one step ahead of Chrome's redirect blocker with 0-day: https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d

[C702] CDN usage

Technique Description: CDN usage is the practice of using reputable domains in order to conceal a threat, usually by operating under a subdomain of a legitimate website or a reputable CDN provider. Unfortunately, this is endemic of malvertising based attacks as common ad servers already have established, trusted domains. Malvertisers will also abuse common, free hosting services that are trusted as well, either for their landing pages or intermediate stages of their payloads.

Procedure example: A typical ScamClub payload has a few layers to it, starting with an ad tag that loads a malicious CDN hosted dependency.

References [Confiant] https://blog.confiant.com/malvertiser-scamclub-bypasses-iframe-sandboxing-with-postmessage-shenanigans-cve-2021-1801-1c998378bfba

[C703] Anti-Devtools

Technique Description: Anti-Devtools techniques are employed by attackers in order to disrupt the debugging process of the malicious code when browser dev tools are detected. These defensive techniques are used in order to make reverse engineering of malware difficult.

Procedure example: Javascript-obfuscator, which is a common out of the box obfuscation toolset has this functionality built-in and is used by many malvertisers at one point in the execution of their payload.

References [Github] https://github.com/javascript-obfuscator/javascript-obfuscator

[C704] String concatenation

Technique Description: String Concatenation is an obfuscation technique where strings are split into small chunks and added together so that the original strings will be difficult to search for during static analysis. For example: "Conf" + "iant". There are many ways to encode strings for obfuscation purposes, with this one being the most basic. However, it's often combined with other techniques that make detection even trickier.

Procedure example: Javascript-obfuscator, which is a common out of the box obfuscation toolset has this functionality built-in and is used by many malvertisers at one point in the execution of their payload.

References [Github] https://github.com/javascript-obfuscator/javascript-obfuscator

[C705] Dom Traversal

Technique Description: The Document Object Model (DOM) is a standard convention for accessing and manipulating elements within HTML and XML documents. Elements in the DOM are organized into a tree-like data structure. Dom traversal is the process of traversing each element and/or content within an XML/HTML document. Malvertisers perfoms a Dom traversal to check if the page is rendered as expected and that there's no unexpected behavior or new elements. This often helps Malvertisers to detect if ads are loaded in a unusual enviroment like a testing enviroment or if there's any security scanner script injected in the dom. it is basically an advanced integrity check.

Procedure example: tbd

References tbd

[C706] Standard Library Hijacking

Technique Description: Library Hijacking can take on many forms as either an attacker vector or a concealment technique. When it comes to hiding/obfuscation, attackers will take a common, standardized library and embed their payload inside this innocuous looking dependency.
Library hijacking can also manifest as a type of "supply chain attack" where an endpoint that hosts a commonly used library is compromised and the library is backdoored with malicious code.

Procedure example: Standard library JQuery hijacked by Malvertisers to embed and load malicous scripts.

References tbd

[C707] Reputable Ad servers

Technique Description: Reputable Ad Servers encompass any ad serving platforms whose ad serving domains are "house hold names" in the Ad Tech industry. Malvertisers that conduct media buys in order to run their campaigns will try to look as much as possible as legitimate advertising entities in order to evade suspicion.

Procedure example: The Tag Barnakle malvertising group is hacking into Revive ad servers to inject and deliver malicious advertisements on unwary visitors.

References [Confiant] https://www.confiant.com/resources/news/revive-ad-servers-being-hacked-to-distribute-malicious-ads

[C708] Steganography

Technique Description: Steganography is the practice of concealing data inside files - typically images or binaries. The changes to the original file are usually indistinguishable to human observation. Images with stegano raphic content will still be viewable without any obvious artifacts, and executables will still run without issue. Steganography is a favorite technique among multiple malvertisers for payload smuggling. Usually an innocuous looking image is referenced for Javascript smuggling. The code is then parsed out and executed client-side by the browser.

Procedure example: Confiant & Malwarebytes Uncover Steganography Based Ad Payload That Drops Shlayer Trojan On Mac Users

References [Confiant] https://blog.confiant.com/confiant-malwarebytes-uncover-steganography-based-ad-payload-that-drops-shlayer-trojan-on-mac-cd31e885c202

[C709] Copycat Sites

Technique Description: Copycat Sites are used by malvertisers to establish their fake brands so that when their campaigns go through traditional Ad Tech quality controls, they look like real advertisers. Most of the time these are e-commerce templates from established companies that are gently modified in order to match the fake brand identity created by the malvertiser.

Procedure example: Fizzcore using fake banners and a landing page copycats.

References [Confiant] https://blog.confiant.com/fake-celebrity-endorsed-scam-abuses-ad-tech-to-net-1m-in-one-day-ffe330258e3c

[C710] Fake HTML5 Creative

Technique Description: HTML5 Creatives are usually dynamic ads that consist of largely pure HTML and Javascript. These are favored by some malvertisers due to how code heavy these ads are, often including sizable dependencies that provide an ample surface for payload smuggling and concealment.

Procedure example: eGobbler leverage ad platforms' hosting to embed malicious code in HTML5 ad code. This is typically achieved by injecting the code in CreateJS or Greensock dependencies — libraries commonly found in HTML5 ads.

References [Confiant] https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0

[C711] Domain typosquatting

Technique Description: Typo domains are a common tool in the cybercrime pipeline, where at least one character different than a trusted domain. In the context of malvertising, they can be used to mimic legitimate ad servers, legitimate brands, or legitimate publishers. copycat websites often rely on typo domains to eliminate suspicions and look as close as the orginal website.

Procedure example: tbd

References tbd

[C712] Homoglyph

Technique Description: Homoglyphs are characters that appear the same to the naked eye, but have a different underlying code. These are sometimes leveraged by attackers that rely on text ads in order to evade static matching. Malicious text ads often have sensational messaging and call to action that are added to quality control block lists. Homoglyphs can help to circumvent these security measures.

Procedure example: tbd

References [Wikipedia] https://en.wikipedia.org/wiki/Homoglyph

[C713] Zero width space chars

Technique Description: Similar to Homoglyphs, there exist "invisible" characaters which are symbols that have zero width. These are used to evade static matching by padding strings with zero-width characters in between the characters of actual words.
In other words a string like "Bitcoin" looks like an ordinary word to the naked eye, but to a computer it might look like "B i t co i n". This is able to circumvent blocklists that are not robust.

Procedure example: tbd

References [Wikipedia] https://en.wikipedia.org/wiki/Zero-width_space

[C714] OCR Disruption

Technique Description: OCR (optical character recognition) disruption is a technique for thwarting in-image text analysis. Malvertisers that use image ads for display campaigns might chose to include text based calls to action in the imagery, but security and quality control vendors are able to read in-image text using a variety of OCR techniques. OCR disruption usually encompasses polluting the text in the image with a variety of artifacts in order to thwart these analysis techniques.

Procedure example: tbd

References tbd

[C715] Security Vendor Detection

Technique Description: Malvertising security vendors typically have a client-side component for blocking malvertisements. Many attackers will perform a DOM traversal looking for artifacts or identifiers that are specific to particular security vendors, so that they can avoid revealing their payload in these scenarios.

Procedure example: tbd

References tbd

[C716] Mutex

Technique Description: Technique used to avoid executing the payload more than one time. this technique have been seen used by Malvertisers who relies either on cookies or local storage to make the decision whether or not the payload should be executed.

Procedure example: Tag barnakle payloads checks if the user has been previously cookied by the script, before continuing script execution.

References [Confiant] https://blog.confiant.com/tag-barnakle-the-malvertiser-that-hacks-revive-ad-servers-redirects-victims-to-malware-50cdc57435b1

[C717] Automated Framework Detection

Technique Description: The Automated Framework Detection Avoidance technique is employed by attackers to identify and differentiate victims using automated testing frameworks, such as Selenium, while attempting to avoid detection and analysis. Attackers achieve this by utilizing JavaScript-based fingerprinting code within malicious websites or applications. The fingerprinting code includes checks for specific objects and properties that are typically present when popular automation frameworks are in use. By performing these checks, attackers can determine whether a user's browser environment appears to be running an automated framework.

Attackers leverage this technique to evade detection and analysis by security researchers and automated systems that rely on these frameworks for analyzing and monitoring potentially malicious websites. Upon identifying automated frameworks, attackers can alter their malicious activities, serve benign content, or introduce delays to obfuscate their true intent, thus making automated analysis less effective. This tactic aims to increase the difficulty of analyzing and understanding the behavior of the malicious code, enhancing the attacker's ability to remain undetected and achieve their objectives.

Procedure example: ScamClub implements JavaScript code performing a series of checks to identify automated frameworks commonly used in automated testing. The code examines specific objects and properties that are characteristic of popular automation frameworks like Selenium. If the JavaScript code detects the presence of objects or properties associated with automation frameworks, such as "webdriver" or "callPhantom," it concludes that the victim is likely using an automated testing framework like Selenium.

References [Confiant] ScamClub: Threat report Q1-Q2 2023

[C718] Anti-replay

Technique Description: The anti-replay technique aims to ensure that the malvertising payload is executed only once on a targeted device. By implementing this mechanism, malvertisers can prevent their malicious content from repeatedly infecting the same device, thereby reducing the chances of detection and removal. Once the payload has been executed on the device, it employs various methods to prevent subsequent execution attempts, making it harder for security systems and tools to identify and block the malicious activity.

Procedure example: ScamClub leverages a sophisticated procedure that involves the use of multiple URL parameters. These parameters are generated server-side and later verified client-side, enabling the malicious payload to be executed only once per device.

References [Confiant] ScamClub: Threat report Q1-Q2 2023