Malvertising Attack Matrix

A project by

Confiant

[C200] Execution

Tactic Description: Execution is the tactic by which malvertisers run malicious code in the victim's browser. Since the majority of malvertising attacks are web based, the code executed is almost always JavaScript. It is usually embedded within fake ad creatives and launched using the techniques below.

[C201] JScript Tag Injection

Technique Description: Specific to Internet Explorer's legacy jscript.dll engine. JavaScript can be injected via a script tag with the language="JScript.Encode" attribute set. JScript.Encode is a Microsoft scheme for encoding server- and client-side JavaScript or VBScript source so that it cannot simply be copied; in later IE versions its side effect is that the script is handled by the legacy jscript.dll engine rather than the modern one. Most of the time this script tag is preceded by a meta tag forcing the victim's browser into IE8 compatibility mode:

<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>

Procedure example: DarkHotel APT exploiting CVE-2019-1367

References [Confiant] DarkHotel APT exploiting CVE-2019-1367: https://blog.confiant.com/internet-explorer-cve-2019-1367-in-the-wild-exploitation-prelude-ef546f19cd30

[C202] WebAssembly injection

Technique Description: Malvertisers introduce WebAssembly (WASM) into the execution of a page, ad creative, or other resource where the legitimate application or ad has no use for it. The typical payload is a cryptominer, which benefits from the near-native speed of WASM.

Procedure example: Malvertisers quickly came up with multiple schemes to get miners into browsers, resulting in a large number of in-the-wild WebAssembly-based miners. These WASM miners appear to be minor variants of codebases available on GitHub. The 'copycats' are mostly tweaked to avoid detection, usually by altering function names or by completely removing references to the original C source.

References [Forcepoint] Browser mining coinhive and webassembly: https://www.forcepoint.com/blog/x-labs/browser-mining-coinhive-and-webassembly
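A static check for the two techniques above, added here as an example and not code from the Confiant matrix: it scans an ad creative's markup for the C201 indicators (a script tag with language="JScript.Encode" and the X-UA-Compatible IE=8 meta tag) and for C202 indicators (WebAssembly API calls, a .wasm fetch, or an inline module, recognisable by the base64 or byte-array form of the "\0asm" magic). The sample creatives and domain names at the bottom are constructed for this example.

```javascript
// Added example, not code from the Confiant matrix: static indicator scan of an
// ad creative's markup for C201 (JScript.Encode) and C202 (WebAssembly).
// The sample creatives below are constructed; the domain names are placeholders.

const INDICATORS = [
  {
    technique: 'C201',
    name: 'script tag with language="JScript.Encode" (legacy jscript.dll in IE)',
    // IE matches the language attribute case-insensitively, so do the same
    re: /<script\b[^>]*\blanguage\s*=\s*["']?jscript\.encode\b/i,
  },
  {
    technique: 'C201',
    name: 'X-UA-Compatible meta forcing IE8 document mode',
    // attribute order is not fixed, so use two lookaheads on the tag body
    re: /<meta\b(?=[^>]*http-equiv\s*=\s*["']?x-ua-compatible\b)(?=[^>]*content\s*=\s*["']?IE=8\b)/i,
  },
  {
    technique: 'C202',
    name: 'WebAssembly API call',
    re: /\bWebAssembly\s*\.\s*(?:instantiate|instantiateStreaming|compile|compileStreaming|Module|Instance)\b/,
  },
  {
    technique: 'C202',
    name: 'fetch of a .wasm resource',
    re: /["'][^"']*\.wasm(?:\?[^"']*)?["']/i,
  },
  {
    technique: 'C202',
    name: 'inline wasm binary: base64 of the "\\0asm" magic',
    re: /AGFzbQ/, // bytes 0x00 0x61 0x73 0x6d encoded in base64
  },
  {
    technique: 'C202',
    name: 'inline wasm binary: byte-array literal starting 0,97,115,109',
    re: /\[\s*0\s*,\s*97\s*,\s*115\s*,\s*109\b/,
  },
];

// One hit per matching indicator, with a short excerpt of what matched.
function scanCreative(markup) {
  const hits = [];
  for (const ind of INDICATORS) {
    const m = ind.re.exec(markup);
    if (m) hits.push({ technique: ind.technique, indicator: ind.name, excerpt: m[0].slice(0, 80) });
  }
  return hits;
}

// De-duplicated, sorted list of technique IDs a creative triggers.
function techniquesFound(markup) {
  return [...new Set(scanCreative(markup).map((h) => h.technique))].sort();
}

// Constructed samples (not real creatives).
const SAMPLE_C201 = `
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="JScript.Encode">/* encoded body omitted in this example */</script>`;

const SAMPLE_C202 = `
<img src="https://cdn.example-adserver.test/banner.png">
<script>
  fetch("https://cdn.example-adserver.test/m.wasm").then((r) => r.arrayBuffer())
    .then((b) => WebAssembly.instantiate(b, {}));
</script>`;

const SAMPLE_CLEAN = `
<a href="https://example-advertiser.test/"><img src="banner.png"></a>
<script>document.querySelector("img").addEventListener("load", () => {});</script>`;

for (const [name, markup] of [['C201 sample', SAMPLE_C201], ['C202 sample', SAMPLE_C202], ['clean', SAMPLE_CLEAN]]) {
  console.log(name, techniquesFound(markup), scanCreative(markup));
}
```

The scan is deliberately cheap and meant for pre-serving review of creative markup; obfuscated loaders that assemble the language attribute or the WebAssembly call at runtime will only show up in a dynamic (DOM or runtime hook) check.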

[C203] HTML DOM modification

Technique Description: DOM modification is the act of manipulating the DOM of an ad or a website as part of the malware's execution, usually to insert a script element (which queues the script for execution) and then remove it from the DOM to erase the evidence of its presence.

Procedure example: appendChild() is one of the most common DOM modification methods used to push JavaScript into the event loop as part of malvertising payloads. Usually these scripts are generated on the fly in an attempt to evade static analysis of the JavaScript. The same can be achieved with other methods, including insertBefore(), replaceChild(), or cloneNode() followed by an insertion.

References [adtechmadness] How real-time malvertising solutions work (examples with appendChild()): https://adtechmadness.wordpress.com/2019/03/26/how-real-time-malvertising-solutions-works
[gomakethings] A better way to load scripts with JavaScript (or why document.write sucks): https://gomakethings.com/a-better-way-to-load-scripts-with-javascript-or-why-document-write-sucks
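A runtime guard for the pattern above, added here as an example (not Confiant's code): it wraps appendChild(), insertBefore() and replaceChild() so that every script element entering the DOM is logged and checked against a policy before the browser gets to execute it, whether or not the payload later removes the element. The allow-listed host names and the policy itself are assumptions made for this example; the browser-side installation is skipped when no DOM is present, so the pure policy function is what runs under Node.js.

```javascript
// Added example, not code from the Confiant matrix: a guard for C203.
// Payloads build a <script> at runtime, insert it with appendChild()/
// insertBefore()/replaceChild(), and often remove it again. Wrapping those
// methods sees the script before it runs. Host names are placeholders.

const ALLOWED_SCRIPT_HOSTS = new Set(['cdn.example-adserver.test', 'static.example-publisher.test']);

// Inline-script constructs typical of payloads assembled on the fly.
const SUSPICIOUS_INLINE = [/\beval\s*\(/, /\bFunction\s*\(/, /\batob\s*\(/, /\bunescape\s*\(/, /fromCharCode\s*\(/];

// Pure policy: descriptor is { src: string|null, text: string, method: string }.
function evaluateScriptInsertion(descriptor, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const { src, text = '', method } = descriptor;
  if (src) {
    let host;
    try {
      // relative src resolves against the publisher origin (assumed here)
      host = new URL(src, 'https://static.example-publisher.test/').hostname;
    } catch {
      return { action: 'block', reason: `${method}: unparseable src ${src}` };
    }
    if (!allowedHosts.has(host)) return { action: 'block', reason: `${method}: script host ${host} not allow-listed` };
    return { action: 'allow', reason: `${method}: allow-listed host ${host}` };
  }
  const hit = SUSPICIOUS_INLINE.find((re) => re.test(text));
  if (hit) return { action: 'block', reason: `${method}: inline script matches ${hit}` };
  return { action: 'allow', reason: `${method}: inline script without decoder calls` };
}

// Browser-side hook. Must run before any ad script, e.g. at the top of the ad
// iframe's document. Under Node.js there is no Node/HTMLScriptElement, so it
// returns the (empty) log untouched.
function installScriptInsertionGuard(log = []) {
  if (typeof Node === 'undefined' || typeof HTMLScriptElement === 'undefined') return log;
  for (const method of ['appendChild', 'insertBefore', 'replaceChild']) {
    const original = Node.prototype[method];
    Node.prototype[method] = function (...args) {
      const node = args[0];
      if (node instanceof HTMLScriptElement) {
        const verdict = evaluateScriptInsertion({ src: node.getAttribute('src'), text: node.textContent, method });
        log.push({ ...verdict, stack: new Error().stack }); // stack shows which creative did it
        // Returning the node without inserting it keeps the method's contract and
        // means the script is never fetched or executed. A later removeChild() by
        // the payload then throws NotFoundError, which is acceptable noise.
        if (verdict.action === 'block') return node;
      }
      return original.apply(this, args);
    };
  }
  return log;
}

// Constructed descriptors, as the hook would build them from real elements.
const SAMPLE_INSERTIONS = [
  { src: 'https://cdn.example-adserver.test/ad.js', text: '', method: 'appendChild' },
  { src: '//c2.example-attacker.test/p.js', text: '', method: 'insertBefore' },
  { src: null, text: 'var s=String.fromCharCode(118,97,114);eval(s);', method: 'appendChild' },
  { src: null, text: 'var impressionId = 42;', method: 'replaceChild' },
];

for (const d of SAMPLE_INSERTIONS) console.log(evaluateScriptInsertion(d));
```

The hook does not see scripts that arrive via document.write() or script elements created through innerHTML (the latter do not execute anyway), so a complete guard pairs it with a Content Security Policy on the ad frame.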

[C204] Forceful redirects

Technique Description: Forceful redirects are the technique by which malvertisers send victims to a malicious landing page without any action on the victim's part. Usually this is done through the Location object of the DOM, explicitly setting its href property (typically on the top-level window, e.g. top.location.href) to an attacker-controlled URL.

Procedure example: The VeryMal campaign leveraged click trackers in its redirect chain in order to drop a malicious fake Flash update.

References [Confiant] Confiant & Malwarebytes Uncover Steganography Based Ad Payload That Drops Shlayer Trojan On Mac Users: https://blog.confiant.com/confiant-malwarebytes-uncover-steganography-based-ad-payload-that-drops-shlayer-trojan-on-mac-cd31e885c202
[Confiant] eGobbler forceful redirects: https://blog.confiant.com/hiding-in-plain-sight-how-one-malvertiser-abuses-typos-of-google-and-amazon-ad-serving-domains-6bfa6b42399d
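The publisher-side mitigation for forceful redirects, added here as an example and not code from Confiant's page: a creative can only set top.location if its iframe is allowed to navigate the top-level page, so the ad iframe's sandbox attribute decides whether the technique works at all. The block builds a sandbox token list that still permits genuine click-throughs and checks an existing attribute for the two configurations that re-enable forced navigation. The behaviour encoded is what the HTML specification defines for these tokens; the host names are placeholders.

```javascript
// Added example, not code from the Confiant matrix: sandboxing the ad iframe
// against C204. A cross-origin frame may navigate its top-level page unless
// its sandbox withholds that capability. Host names are placeholders.

// Tokens that let an ad run, open its landing page, and navigate the top page
// only in response to a user gesture (a real click), never from a timer.
const AD_FRAME_SANDBOX = [
  'allow-scripts',
  'allow-popups',
  'allow-popups-to-escape-sandbox',
  'allow-top-navigation-by-user-activation',
].join(' ');

// Sandbox tokens are space-separated and case-insensitive per the HTML spec.
// Returns null when there is no sandbox attribute at all.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Can script in a frame with this sandbox attribute navigate the top page
// without a user gesture? frameSameOrigin: true when the creative is served
// from the publisher's own origin.
function allowsForcedTopNavigation(attr, { frameSameOrigin = false } = {}) {
  const tokens = parseSandbox(attr);
  if (tokens === null) return true;                      // unsandboxed: top.location is writable
  if (tokens.has('allow-top-navigation')) return true;    // gesture not required
  // Same-origin content with scripts can reach parent.document and simply
  // remove the sandbox attribute, so the sandbox provides nothing here.
  if (frameSameOrigin && tokens.has('allow-same-origin') && tokens.has('allow-scripts')) return true;
  return false;
}

// Markup for an ad slot that loads a creative from a separate ad origin.
function adFrameMarkup(creativeUrl, width, height) {
  const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
  return `<iframe src="${esc(creativeUrl)}" sandbox="${AD_FRAME_SANDBOX}" ` +
         `width="${Number(width)}" height="${Number(height)}" scrolling="no"></iframe>`;
}

// Audit helper: given the sandbox attributes found on a page's ad iframes,
// return those that leave forced top navigation possible.
function auditAdFrames(frames) {
  return frames
    .filter((f) => allowsForcedTopNavigation(f.sandbox, { frameSameOrigin: f.sameOrigin }))
    .map((f) => f.id);
}

// Constructed snapshot of ad iframes as an audit script might collect them.
const SAMPLE_FRAMES = [
  { id: 'slot-1', sandbox: null, sameOrigin: false },                                   // no sandbox
  { id: 'slot-2', sandbox: 'allow-scripts allow-top-navigation', sameOrigin: false },   // weak
  { id: 'slot-3', sandbox: AD_FRAME_SANDBOX, sameOrigin: false },                       // hardened
  { id: 'slot-4', sandbox: 'allow-scripts allow-same-origin', sameOrigin: true },       // sandbox removable
];

console.log(adFrameMarkup('https://creative.example-adserver.test/ad.html?id=1&x="y"', 300, 250));
console.log('frames allowing forced top navigation:', auditAdFrames(SAMPLE_FRAMES));
```

Chrome additionally blocks gesture-less cross-origin top navigation with a heuristic (the redirect blocker that C205 below is about circumventing); the sandbox does not depend on that heuristic and is the control the publisher owns.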

[C205] PDF redirect

Technique Description: PDF redirect is a redirect technique that uses a malicious PDF document which sends the victim to the attacker's URL when the document is opened in the browser. Typically the PDF is loaded automatically in order to bypass the browser's built-in redirect protection.

Procedure example: The Zirconium threat actor abused PDFium navigation actions reachable through Chrome's tabs API, circumventing Chrome's anti-redirect protection with what was a 0-day at the time.

References [Confiant] Zirconium was one step ahead of Chrome's redirect blocker with 0-day: https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d
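A pre-serving check for PDF creatives, added here as an example and not code from Confiant's page: it finds the document's /OpenAction (inline or as an indirect object) and reports the action type and target. The page does not say which PDF action Zirconium's documents used, so the assumption that the redirect is an /OpenAction of type URI, JavaScript, Launch or GoToR is this example's own; the sample PDFs are constructed and the landing URL is a placeholder. Objects stored inside compressed object streams are not visible to this text scan and would have to be inflated first.

```javascript
// Added example, not code from the Confiant matrix: find the action a PDF
// creative runs on open (C205). Assumes an uncompressed /OpenAction; objects in
// /ObjStm streams are not seen. Sample PDFs are constructed, URL is a placeholder.

const DANGEROUS_ACTION_TYPES = ['URI', 'JavaScript', 'Launch', 'GoToR', 'SubmitForm'];

// Body of indirect object `num` ("num gen obj ... endobj"), or null.
function resolveObject(pdf, num) {
  const re = new RegExp(String.raw`(?:^|[^\d])${num}\s+\d+\s+obj\s*([\s\S]*?)endobj`);
  const m = re.exec(pdf);
  return m ? m[1] : null;
}

// Dictionary text that /OpenAction points at: inline "<< ... >>" or "N G R".
function openActionDict(pdf) {
  const m = /\/OpenAction\s*(?:(\d+)\s+\d+\s+R|(<<[\s\S]*?>>))/.exec(pdf);
  if (!m) return null;
  return m[1] !== undefined ? resolveObject(pdf, m[1]) : m[2];
}

// Value of "/Key (literal string)" in a dictionary, with \( \) \\ unescaped.
// Hex strings "<...>" are not handled here.
function stringAfter(dict, key) {
  const re = new RegExp(String.raw`\/${key}\s*\(((?:\\.|[^\\)])*)\)`);
  const m = re.exec(dict);
  return m ? m[1].replace(/\\([()\\])/g, '$1') : null;
}

// What, if anything, happens when this PDF is opened?
function pdfOpenAction(pdf) {
  const dict = openActionDict(pdf);
  if (dict === null) return null;
  const s = /\/S\s*\/(\w+)/.exec(dict);
  const type = s ? s[1] : 'unknown';
  let target = null;
  if (type === 'URI') target = stringAfter(dict, 'URI');
  else if (type === 'JavaScript') target = stringAfter(dict, 'JS');   // null when /JS is a stream ref
  else if (type === 'Launch' || type === 'GoToR') target = stringAfter(dict, 'F');
  return { type, target, dangerous: DANGEROUS_ACTION_TYPES.includes(type) };
}

// Constructed samples: minimal catalogs, not real creatives.
const SAMPLE_PDF_INLINE = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI /URI (https://landing.example-attacker.test/flash-update) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF`;

const SAMPLE_PDF_INDIRECT = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (app.launchURL\\("https://landing.example-attacker.test/", true\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF`;

const SAMPLE_PDF_CLEAN = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF`;

for (const [name, pdf] of [['inline', SAMPLE_PDF_INLINE], ['indirect', SAMPLE_PDF_INDIRECT], ['clean', SAMPLE_PDF_CLEAN]]) {
  console.log(name, pdfOpenAction(pdf));
}
```

A policy that rejects any PDF creative with a dangerous /OpenAction (or, more simply, any PDF creative at all) removes the document-level trigger; it does not by itself address the viewer-side navigation path Zirconium exploited, which was a browser fix.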

[C206] Clickjacking

Technique Description: Clickjacking is a technique used by malvertisers to hijack a user's click and direct it at an invisible element controlled by the attacker. Threat actors overlay multiple transparent or opaque frames to trick the user into clicking a button or link on another page. Clicks meant for the visible page are hijacked and routed to another, invisible page.

Procedure example: A clickjacking campaign abused Google AdSense while avoiding ad-fraud bots.

References [Malwarebytes] Clickjacking campaign abuses Google AdSense, avoids ad fraud bots: https://blog.malwarebytes.com/cybercrime/2017/01/clickjacking-campaign-abuses-google-adsense-avoids-ad-fraud-bots
[Confiant] How bad ads hijack your browser with one simple trick: https://blog.confiant.com/how-bad-ads-hijack-your-browser-with-one-simple-trick-712ad3590a13
[lookingglasscyber] When good sites go bad: malvertising and watering holes (infographic): https://www.lookingglasscyber.com/blog/threat-intelligence-insights/when-good-sites-go-bad-malvertising-and-watering-holes-infographic
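A check for the overlay set-up described above, added here as an example and not code from Confiant's page: a clickjack needs an element that is stacked above what the user sees, is hit-testable, and is invisible. The decision logic works on a plain snapshot of each element's box and computed style (collected in the browser by snapshotElements, which is skipped under Node.js) so it can run on the constructed sample below. Stacking order is approximated by z-index and DOM order; nested stacking contexts are not modelled, which is an assumption of this example.

```javascript
// Added example, not code from the Confiant matrix: find invisible elements
// that would capture a click aimed at a visible target (C206). Input is a
// snapshot of element boxes and styles; the sample at the bottom is constructed.

function intersectionArea(a, b) {
  const w = Math.min(a.x + a.width, b.x + b.width) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.height, b.y + b.height) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// z-index "auto" counts as 0 (approximation: stacking contexts are ignored).
function numericZ(z) {
  const n = parseInt(z, 10);
  return Number.isNaN(n) ? 0 : n;
}

// target: the element the user believes they are clicking.
// Returns candidates that would intercept the click, most-covering first.
function findClickInterceptors(elements, target, minCoverage = 0.5) {
  const targetArea = target.rect.width * target.rect.height;
  if (targetArea === 0) return [];
  return elements
    .filter((el) => el.id !== target.id)
    // must be hit-testable: display:none, visibility:hidden and pointer-events:none do not take clicks
    .filter((el) => el.display !== 'none' && el.visibility !== 'hidden' && el.pointerEvents !== 'none')
    // must be invisible to the user: opacity:0 still receives clicks
    .filter((el) => parseFloat(el.opacity) <= 0.05)
    // must be painted above the target
    .filter((el) => numericZ(el.zIndex) > numericZ(target.zIndex) ||
                    (numericZ(el.zIndex) === numericZ(target.zIndex) && el.domOrder > target.domOrder))
    .map((el) => ({ id: el.id, tag: el.tag, zIndex: numericZ(el.zIndex),
                    coverage: intersectionArea(el.rect, target.rect) / targetArea }))
    .filter((c) => c.coverage >= minCoverage)
    .sort((a, b) => b.coverage - a.coverage);
}

// Browser collector producing the snapshot shape used above. No-op under Node.js.
// Cross-origin iframe contents are opaque, but the iframe element itself (and
// its opacity, z-index and box) is in the parent DOM and visible here.
function snapshotElements(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return [];
  return [...doc.querySelectorAll('iframe, a, button, div, span, img')].map((el, i) => {
    const cs = getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      id: el.id || `${el.tagName.toLowerCase()}#${i}`, tag: el.tagName.toLowerCase(), domOrder: i,
      rect: { x: r.x, y: r.y, width: r.width, height: r.height },
      opacity: cs.opacity, zIndex: cs.zIndex, pointerEvents: cs.pointerEvents,
      visibility: cs.visibility, display: cs.display,
    };
  });
}

// Constructed sample: a visible "Play" button with a transparent ad iframe on top.
const SAMPLE_ELEMENTS = [
  { id: 'play', tag: 'button', domOrder: 0, rect: { x: 100, y: 200, width: 120, height: 40 },
    opacity: '1', zIndex: 'auto', pointerEvents: 'auto', visibility: 'visible', display: 'inline-block' },
  { id: 'ad-frame', tag: 'iframe', domOrder: 1, rect: { x: 90, y: 190, width: 300, height: 250 },
    opacity: '0', zIndex: '2147483647', pointerEvents: 'auto', visibility: 'visible', display: 'block' },
  { id: 'banner', tag: 'img', domOrder: 2, rect: { x: 0, y: 0, width: 728, height: 90 },
    opacity: '1', zIndex: 'auto', pointerEvents: 'auto', visibility: 'visible', display: 'block' },
  { id: 'decoy', tag: 'div', domOrder: 3, rect: { x: 100, y: 200, width: 120, height: 40 },
    opacity: '0', zIndex: '5', pointerEvents: 'none', visibility: 'visible', display: 'block' },
];

console.log(findClickInterceptors(SAMPLE_ELEMENTS, SAMPLE_ELEMENTS[0]));
```

In practice the snapshot is taken at click time (on a capturing click listener on document) for the element under the cursor, since clickjacking overlays are often positioned only after a delay or in response to mouse movement.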

[C207] WebSocket

Technique Description: The WebSocket protocol, specified in RFC 6455, provides a way to exchange data between browser and server over a persistent connection. Data can be passed in both directions as messages, without closing the connection or issuing additional HTTP requests.
WebSocket is especially useful for services that require continuous data exchange, e.g. online games or real-time trading systems. Malvertisers use WebSockets to send data to a server they control and to execute whatever payload they receive back.

Procedure example: DCCBoost used WebSockets to send client-side fingerprinting values to its server and executed the payload it received in return.

References [Confiant] https://blog.confiant.com/persistent-malvertising-attacker-dccboost-raged-as-the-year-faded-4d09340cd3f5
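A guard for the WebSocket channel described above, added here as an example and not code from Confiant's page: the policy function decides which WebSocket endpoints an ad frame may open (secure scheme, no IP-literal hosts, host on an allow-list), and the installer wraps the global WebSocket constructor so that disallowed connections fail and everything the creative sends, such as fingerprint values, is logged. The allow-listed host, the placeholder URLs and the policy are assumptions of this example; the installer is not run under Node.js here.

```javascript
// Added example, not code from the Confiant matrix: a WebSocket guard for C207.
// Creatives should have no reason to open sockets to arbitrary hosts; this
// policy admits only an allow-listed wss:// endpoint. Host names are placeholders.

const WS_ALLOWED_HOSTS = new Set(['rt.example-adserver.test']);

// Pure policy on the URL passed to new WebSocket(url).
function classifyWebSocketUrl(rawUrl, allowedHosts = WS_ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allow: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'ws:' && url.protocol !== 'wss:') return { allow: false, reason: `not a WebSocket scheme: ${url.protocol}` };
  if (url.protocol === 'ws:') return { allow: false, reason: 'plaintext ws:// not permitted' };
  // IPv4 literal or bracketed IPv6 literal: no DNS name to reputation-check
  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(url.hostname) || url.hostname.startsWith('[')) return { allow: false, reason: 'IP-literal host' };
  if (!allowedHosts.has(url.hostname)) return { allow: false, reason: `host ${url.hostname} not allow-listed` };
  return { allow: true, reason: `host ${url.hostname} allow-listed` };
}

// Browser-side installer: replaces the global WebSocket with a Proxy that
// applies the policy on construction and logs outbound sends. Must run before
// any ad script in the frame. Returns the log array it appends to.
function installWebSocketGuard(log = []) {
  const g = globalThis;
  if (typeof g.WebSocket !== 'function') return log;
  const Native = g.WebSocket;
  g.WebSocket = new Proxy(Native, {
    construct(target, args, newTarget) {
      const url = String(args[0]);
      const verdict = classifyWebSocketUrl(url);
      log.push({ event: 'open', url, ...verdict });
      if (!verdict.allow) throw new Error(`WebSocket blocked: ${verdict.reason}`);
      const sock = Reflect.construct(target, args, newTarget);
      // Record what the creative sends: fingerprint values leave this way.
      const nativeSend = sock.send.bind(sock);
      sock.send = (data) => {
        const sent = typeof data === 'string' ? data.slice(0, 200) : `[binary ${data.byteLength ?? '?'} bytes]`;
        log.push({ event: 'send', url: sock.url, sent });
        return nativeSend(data);
      };
      return sock;
    },
  });
  return log;
}

// Constructed URLs a creative might try, with the verdict for each.
const SAMPLE_WS_URLS = [
  'wss://rt.example-adserver.test/stream',
  'wss://c2.example-attacker.test/fp',
  'ws://rt.example-adserver.test/stream',
  'wss://203.0.113.5:8443/fp',
  'https://rt.example-adserver.test/',
  'not a url',
];

for (const u of SAMPLE_WS_URLS) console.log(u, classifyWebSocketUrl(u));
```

The guard does not stop the second half of the technique, executing the received payload, on its own; the policy is that a creative never gets a socket to a host it could be fed code from, and the send log gives the analyst the fingerprint fields the campaign collects.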