Malvertising Attack Matrix

A project by

Confiant

[C600] Cloaking

Tactic Description: Cloaking is the practice of hiding web pages and reveal/render them under certain conditions. For Malvertisers, this "hidden" web page is the final landing page.

Analyzing a landing page is what defines if a malvertising campaign is indeed malicious. Cloaking this landing page can help Malvertisers hide from the scrutiny of ad platforms and stay under the radar as long as possible.

Therefore, Cloaking is a critical element defining the success of a Malvertising campaign.

Cloaking is controlled by a series of fingerprinting mechanisms executed to profile a target.

We have seen Malvertisers developing a sophisticated custom server-side cloaking while others using basic client-side cloaking and some using a variation of both. Below are all the techniques we have seen used by malvertisers to Cloak/Uncloak a landing page.

[C601] WebGL

Technique Description: WebGL APIs are heavily leveraged for device fingerprinting, because a device's graphics cards and their performance are highly variable and produce outputs that are in an entropy sweet spot. This usually materializes as Canvas Fingerprinting.

Procedure example: eGobbler moving to WebGL based fingerprinting, they essentially defeated user agent spoofing and gained unfettered Javascript execution on millions of end-users' devices since then.

References [Confiant] https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0

[C602] User-Agent Fingerprinting

Technique Description: User-Agent Fingerprinting is a client-side check by which adversaries determine Browser types and version they might potentially be attacking. Specific strings in the Browser User-Agent might give to the adversary an indication for identifying Browser and/or in some instances the Operating system, used by a potential victim.

Procedure example: Tag Barnakle pushing specific mobile targeted campaigns, by checking UserAgent strings against specific regular expression, containing mobile related string of the format ("android|iPad|iPhone|iPod"). The payload performs a client-side fingerprinting check and posts the fingerprint back to an attacker controlled server to request follow-up Javascript to execute.

References [Confiant] https://blog.confiant.com/tag-barnakle-one-year-later-120-more-revive-adserver-hacks-f3e5b3bc8e70

[C603] GeoIP check

Technique Description: GeoIP is commonly used as a server-side check consisting of determining the geographical location of a potential target based of the IP address. Malvertisers use this same technique in order to target specific countries, either directly or via third party ad servers providing geo targeting capability for ad compaigns.

Procedure example: tbd

References [Google] https://support.google.com/google-ads/answer/1722043?hl=en

[C604] IP Targeting

Technique Description: IP targeting is a more fine grained check than GeoIP check, consisting of a series of checks, helping determining the type of connection a target is using: Home, Datacenter, Enterprise, WIFI or Cellular connection. Malvertisers will selectively avoid droping their payloads on users hidden behind proxies or VPN or using Datacenter IPs as these are often categorized as scanners, bots, security researchers or users spoofing their real geolocation.

Procedure example: For supported browsers, checking both the JavaScript navigator.connection property and the GeoIP2 Connection Type database can help identify if the user is connecting via a mobile hotspot. If navigator.connection returns "wifi", and GeoIP2 Connection Type returns "Cellular", then mobile Wi-Fi is likely being used.

References [maxmind] https://support.maxmind.com/geoip-faq/specifications-and-implementation/what-are-cellular-and-wi-fi-connections-and-how-do-i-identify-them/

[C605] Passsive TCP/IP Fingerprinting

Technique Description: Passsive TCP/IP Fingerprinting is a server side technique used by Malvertisers consisting of passively sniffing the network and classifying targets hosts based on the observed traffic. Different operating systems, and different versions of the same operating system, set different values to TCP and IP headers. By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP.

Procedure example: Zirconium using passive fingerprinting technique to target victims running Desktop versions of the Windows Operating system.

References [trustwave] Neutrino Exploit kit not responding: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/neutrino-exploit-kit-not-responding-bug-or-feature

[C606] OS Fingerprinting

Technique Description: OS Fingerprinting is a check used to accurately determine the Operating system and its version of a target user. Malvertisers are adding these checks on both server side and client side, actively and passively throughout the kill chain.

Procedure example: eGobbler targeting users with a Chrome exploit for iOS users.

References [Confiant] https://blog.confiant.com/massive-egobbler-malvertising-campaign-leverages-chrome-vulnerability-to-target-ios-users-a534b95a037f

[C607] HTTP Fingerprinting

Technique Description: HTTP Fingerprinting is a server side technique which consist of checking the HTTP protocol headers, in order to determine the version of the Browser a targeted victim could be using.

Procedure example: tbd

References tbd

[C608] TLS Fingerprinting

Technique Description: TLS Fingerprinting a technique used by Malvertisers at the server-side of the TLS-connection. The technique consists of passively checking specifically for the TLS client hello packet of the victim browser during a TLS handshake and or by abusing of the JA3 hashing functionality to accurately determine the Browser type and version and sometimes the Operating systems associated with it.

Procedure example: tbd

References [Salesforce] https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967

[C609] Fake AD creatives

Technique Description: Fake AD creatives are copy/pasted legitimate AD creatives that are used by malvertisers as a pretext for them to appear legitimate in the eyes of ad platforms. Fake AD creatives are often used in combination with Fake landing pages during the process of cloaking, adding more legitimacy to malicous malvertising campaigns.

Procedure example: FizzCore threat actor implements techniques to successfully evade ad quality reviews and persist, by creating fake ad creatives and fake landing pages hiding real payload.

References [Confiant] https://blog.confiant.com/fake-celebrity-endorsed-scam-abuses-ad-tech-to-net-1m-in-one-day-ffe330258e3c

[C610] Fake Landing Pages

Technique Description: Fake Landing Pages are display ad destinations that exist only to make the decoy ad seem convincing. Fake Landing Pages can take on many forms from fake e-commerce websites to fake content sites. They usually do not host malicious content, but rarely do they include anything of substance.

Procedure example: Over 1300 cloaked landing pages domains used either in outright scams or otherwise misleading schemes where detected.

References [Confiant] https://blog.confiant.com/the-trend-of-client-side-fingerprinting-in-cloaked-landing-pages-21915eb473df

[C611] Hardware Concurrency

Technique Description: Hardware Concurrency is a client-side check using the browser API that allows attackers to fingerprint how many CPU cores a target device has.

Procedure example: Zirconium actors runs Hardware concurrency checks before targeting victims.

References [Confiant] https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85

[C612] Browser Objects

Technique Description: Browser Objects are any objects that are native to a browser's implementation of JavaScript and/or the many APIs available to browsers. Client-side fingerprinting techniques often involve some sort of cataloging of these objects in order to determine if the browser is a viable target, or what model/make the device might be.

Procedure example: tbd

References [adtechmadness] https://adtechmadness.wordpress.com/2019/03/05/bot-detection-101-2-entering-browser-fingerprinting/

[C613] Time-based

Technique Description: Time-based cloaking consist of hiding malicious activity and only activate it during specific time slots. this allow malvertisers to stay persistent into ad platforms, pass routine scrunity checks and only active their payload during specific time slots or specific days.

Procedure example: eGobbler is a group based out of China that delivers a variety of attacks (drive-by downloads, carrier branded scams) using forced redirects. eGobbler has specialized in weekend activity, typically staging attacks weeks in advance and activating them at full scale on a Saturday or Sunday morning, preferably on holidays.

References [Confiant] https://www.confiant.com/resources/blog/malvertising-activity-in-november

[C614] Abuse third party bot & proxy detection

Technique Description: Ads verification vendors are using bots also known as "scanners" to monitor the quality of the ads served on a specific URL or by specific ad tag and alerting when violation is found. Malvertisers are using third party bot detection services to their advantage to hide from "good" bots, and stay under the radar.

Procedure example: a third party bot detection platform used by malvertisers to filter bots, and only leading targeted victims to a fake flash download page in order to infect them with malware.

References [adtechmadness] https://adtechmadness.wordpress.com/2019/03/09/how-bot-detection-technology-is-abused-by-malvertisers/

[C615] Plugin Detection

Technique Description: The Browser Identification through Plugin Detection technique is employed by attackers to determine the type of browser a user is running based on the identified plugins. By leveraging the plugin's API, malicious websites can extract version information of installed plugins on the victim's system. Since different browsers support distinct sets of plugins and versions, this technique allows attackers to infer the specific browser type being used by the victim. By analyzing the plugin details, attackers can tailor their attacks to exploit known vulnerabilities specific to the identified browser, increasing the effectiveness of their malicious activities. This method of browser identification raises significant privacy and security concerns as it can be utilized to target users with tailored attacks, compromising their online safety and potentially exposing sensitive information.

Procedure example: ScamClub uses plugin detection to fingerprint the victim. When ScamClub identifies a victim using Internet Explorer, it runs code to create an Adobe Flash Player ActiveX object in a loop while incrementing version numbers:
window.ActiveXObject("ShockwaveFlash.ShockwaveFlash." + (c + 1)) this will help to determine if the plugin was installed and help determine its version as well.

References [Confiant] ScamClub: Threat report Q1-Q2 2023