Tactic Description: Cloaking is the practice of hiding web pages and revealing/rendering them only under certain conditions. For Malvertisers, this "hidden" web page is the final landing page.
Analyzing the landing page is what determines whether a malvertising campaign is indeed malicious. Cloaking this landing page helps Malvertisers hide from the scrutiny of ad platforms and stay under the radar for as long as possible.
Therefore, Cloaking is a critical element defining the success of a Malvertising campaign.
Cloaking is controlled by a series of fingerprinting mechanisms executed to profile a target.
We have seen some Malvertisers develop sophisticated custom server-side cloaking, others use basic client-side cloaking, and some use a combination of both. Below are all the techniques we have seen malvertisers use to cloak/uncloak a landing page.
Technique Description: WebGL APIs are heavily leveraged for device fingerprinting, because a device's graphics card and its performance are highly variable and produce outputs that sit in an entropy sweet spot. This usually materializes as Canvas Fingerprinting.
References [Confiant] https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0
[C602] User-Agent Fingerprinting
Technique Description: User-Agent Fingerprinting is a client-side check by which adversaries determine the browser type and version they might potentially be attacking. Specific strings in the browser User-Agent can give the adversary an indication of the browser and, in some instances, the operating system used by a potential victim.
[C603] GeoIP check
Technique Description: GeoIP is commonly used as a server-side check that determines the geographical location of a potential target based on its IP address. Malvertisers use this same technique to target specific countries, either directly or via third-party ad servers that provide geo-targeting capability for ad campaigns.
Procedure example: tbd
References [Google] https://support.google.com/google-ads/answer/1722043?hl=en
[C604] IP Targeting
Technique Description: IP targeting is a more fine-grained check than the GeoIP check, consisting of a series of checks that help determine the type of connection a target is using: home, datacenter, enterprise, WiFi or cellular. Malvertisers will selectively avoid dropping their payloads on users hidden behind proxies or VPNs, or using datacenter IPs, as these are often categorized as scanners, bots, security researchers or users spoofing their real geolocation.
[C605] Passive TCP/IP Fingerprinting
Technique Description: Passive TCP/IP Fingerprinting is a server-side technique used by Malvertisers consisting of passively sniffing the network and classifying target hosts based on the observed traffic. Different operating systems, and different versions of the same operating system, set different values in TCP and IP headers. By collecting and examining these values, one can differentiate among various operating systems and TCP/IP implementations.
Procedure example: Zirconium uses passive fingerprinting techniques to target victims running desktop versions of the Windows operating system.
References [trustwave] Neutrino Exploit kit not responding: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/neutrino-exploit-kit-not-responding-bug-or-feature
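The header values described above are what make a research scanner hosted on Linux distinguishable from the Windows desktop victims an actor like Zirconium targets. The following is an added example, not code from the original page or from any referenced project: it parses a raw IPv4/TCP SYN, extracts the fields a passive fingerprinter keys on (initial TTL, window, option layout) and matches them against a small, constructed signature table in the spirit of p0f. Packet bytes, addresses and the signature table are all constructed for the example.

```python
import struct

# TCP option kinds (RFC 793, 1323, 2018); short names follow p0f conventions.
OPT_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts", 1: "nop"}

def build_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Constructed IPv4 + TCP SYN header (no payload, checksums zeroed)."""
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options

def parse_syn(pkt: bytes) -> dict:
    """Pull the fields a passive fingerprinter looks at out of a raw SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack_from("!H", tcp, 14)[0]
    opts, i, mss, wscale = [], 20, None, None
    while i < doff and tcp[i] != 0:            # kind 0 = end of option list
        kind = tcp[i]
        if kind == 1:                           # NOP carries no length byte
            opts.append("nop"); i += 1; continue
        if kind == 2: mss = struct.unpack_from("!H", tcp, i + 2)[0]
        if kind == 3: wscale = tcp[i + 2]
        opts.append(OPT_NAMES.get(kind, str(kind)))
        i += tcp[i + 1]
    return {"ttl": pkt[8], "window": window, "mss": mss, "wscale": wscale, "opts": tuple(opts)}

def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common initial value (hop count unknown)."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)

# Simplified signature table (initial TTL, option layout); constructed for this example
# from commonly documented stack defaults, not a complete or authoritative database.
SIGNATURES = {
    (128, ("mss", "nop", "ws", "nop", "nop", "sok")): "Windows (desktop)",
    (64, ("mss", "sok", "ts", "nop", "ws")): "Linux",
}

def classify(pkt: bytes) -> str:
    f = parse_syn(pkt)
    return SIGNATURES.get((initial_ttl(f["ttl"]), f["opts"]), "unknown")

# Constructed option blobs laid out the way the two stacks typically send them.
WIN_OPTS = bytes.fromhex("020405b4 01 030308 01 01 0402".replace(" ", ""))
LINUX_OPTS = bytes.fromhex("020405b4 0402 080a0000000100000000 01 030307".replace(" ", ""))

if __name__ == "__main__":
    print(classify(build_syn(117, 64240, WIN_OPTS)))     # TTL 117 seen -> initial 128
    print(classify(build_syn(52, 29200, LINUX_OPTS)))    # TTL 52 seen -> initial 64
```

A verification scanner can run its own SYN through this to see which profile it presents before the cloaking server does.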
[C606] OS Fingerprinting
Technique Description: OS Fingerprinting is a check used to accurately determine a target user's operating system and its version. Malvertisers add these checks on both the server side and the client side, actively and passively, throughout the kill chain.
Procedure example: eGobbler targeting iOS users with a Chrome exploit.
[C607] HTTP Fingerprinting
Technique Description: HTTP Fingerprinting is a server-side technique which consists of checking the HTTP protocol headers in order to determine the version of the browser a targeted victim could be using.
Procedure example: tbd
[C608] TLS Fingerprinting
Technique Description: TLS Fingerprinting is a technique used by Malvertisers at the server side of the TLS connection. The technique consists of passively inspecting the TLS ClientHello packet sent by the victim's browser during the TLS handshake and/or abusing the JA3 hashing functionality to accurately determine the browser type and version and sometimes the operating system associated with it.
Procedure example: tbd
References [Salesforce] https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
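The JA3 functionality referenced above is a fixed recipe over the ClientHello: the handshake version, cipher suite list, extension type list, supported groups and EC point formats, each as decimal values joined with "-", the five fields joined with ",", then MD5 of that string, with GREASE values dropped. This added example (not code from the original page or from the JA3 project) builds a constructed ClientHello and derives the JA3 string and hash from the raw record, so a scanner operator can check what their own client presents.

```python
import hashlib
import struct

def is_grease(v: int) -> bool:
    return (v & 0x0F0F) == 0x0A0A            # RFC 8701 GREASE values are excluded from JA3

def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Constructed TLS record carrying a minimal ClientHello (random zeroed)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"                 # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                     # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs                # record type 22, legacy version

def ja3_string(record: bytes) -> str:
    """JA3 field order: version,ciphers,extensions,groups,point_formats (decimal, '-' joined)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                                   # 5-byte record + 4-byte handshake header
    version = struct.unpack_from("!H", record, p)[0]; p += 2 + 32           # skip the 32-byte random
    p += 1 + record[p]                                                      # session id
    cs_len = struct.unpack_from("!H", record, p)[0]; p += 2
    ciphers = [struct.unpack_from("!H", record, p + i)[0] for i in range(0, cs_len, 2)]; p += cs_len
    p += 1 + record[p]                                                      # compression methods
    end = p + 2 + struct.unpack_from("!H", record, p)[0]; p += 2
    exts, groups, formats = [], [], []
    while p < end:
        etype, elen = struct.unpack_from("!HH", record, p); p += 4
        data = record[p:p + elen]; p += elen
        exts.append(etype)
        if etype == 10:                                                     # supported_groups
            n = struct.unpack_from("!H", data)[0]
            groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
        elif etype == 11:                                                   # ec_point_formats
            formats = list(data[1:1 + data[0]])
    def join(vals): return "-".join(str(v) for v in vals if not is_grease(v))
    return ",".join([str(version), join(ciphers), join(exts), join(groups), join(formats)])

def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()

# Constructed ClientHello resembling a modern browser: GREASE in every list, SNI for example.com.
SNI = b"\x00\x0e\x00\x00\x0bexample.com"
SAMPLE = build_client_hello(0x0303, [0x1A1A, 0x1301, 0x1302, 0xC02B], [(0x0A0A, b""), (0, SNI),
    (10, b"\x00\x08\x2a\x2a\x00\x1d\x00\x17\x00\x18"),                     # GREASE, x25519, secp256r1, secp384r1
    (11, b"\x01\x00"),                                                      # uncompressed points only
    (13, b"\x00\x04\x04\x03\x08\x04"),                                      # signature_algorithms
])
```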
[C609] Fake AD creatives
Technique Description: Fake AD creatives are legitimate AD creatives copied by malvertisers as a pretext to appear legitimate in the eyes of ad platforms. Fake AD creatives are often used in combination with Fake landing pages during the process of cloaking, adding more legitimacy to malicious malvertising campaigns.
Procedure example: The FizzCore threat actor implements techniques to successfully evade ad quality reviews and persist by creating fake ad creatives and fake landing pages that hide the real payload.
[C610] Fake Landing Pages
Technique Description: Fake Landing Pages are display ad destinations that exist only to make the decoy ad seem convincing. Fake Landing Pages can take on many forms from fake e-commerce websites to fake content sites. They usually do not host malicious content, but rarely do they include anything of substance.
Procedure example: Over 1300 cloaked landing page domains used either in outright scams or otherwise misleading schemes were detected.
[C611] Hardware Concurrency
Technique Description: Hardware Concurrency is a client-side check using the browser API that allows attackers to fingerprint how many CPU cores a target device has.
Procedure example: Zirconium actors run hardware concurrency checks before targeting victims.
References [Confiant] https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85
[C612] Browser Objects
Procedure example: tbd
References [adtechmadness] https://adtechmadness.wordpress.com/2019/03/05/bot-detection-101-2-entering-browser-fingerprinting/
Technique Description: Time-based cloaking consists of hiding malicious activity and only activating it during specific time slots. This allows malvertisers to remain persistent on ad platforms, pass routine scrutiny checks and only activate their payload during specific time slots or specific days.
Procedure example: eGobbler is a group based out of China that delivers a variety of attacks (drive-by downloads, carrier-branded scams) using forced redirects. eGobbler has specialized in weekend activity, typically staging attacks weeks in advance and activating them at full scale on a Saturday or Sunday morning, preferably on holidays.
References [Confiant] https://www.confiant.com/resources/blog/malvertising-activity-in-november
[C614] Abuse third party bot & proxy detection
Technique Description: Ad verification vendors use bots, also known as "scanners", to monitor the quality of the ads served on a specific URL or by a specific ad tag, and to alert when a violation is found. Malvertisers use third-party bot detection services to their advantage to hide from these "good" bots and stay under the radar.
Procedure example: A third-party bot detection platform used by malvertisers to filter out bots and lead only targeted victims to a fake Flash download page in order to infect them with malware.
References [adtechmadness] https://adtechmadness.wordpress.com/2019/03/09/how-bot-detection-technology-is-abused-by-malvertisers/
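Whatever fingerprint a cloaker keys on (User-Agent, bot score, connection type), the observable symptom is the same: the scanner profile is served something different from what real-browser profiles get. This added example (not code from the original page or from any vendor's scanner) probes a landing page under several client profiles, repeats each fetch to rule out dynamic content, and flags differential serving. The fetcher is injected so the probe runs offline; the profiles, User-Agent strings, URLs and the two stand-in sites are constructed for the example.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Client profiles a verification scanner can emulate; UA strings are constructed for this example.
PROFILES: Dict[str, str] = {
    "win-chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36",
    "ios-safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
    "headless":   "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0 Safari/537.36",
}
SCANNER = "headless"          # the profile a cloaker is expected to classify as a bot

# A fetcher returns (status, final_url_after_redirects, body); injected so the probe needs no network.
Fetcher = Callable[[str, str], Tuple[int, str, str]]

def fingerprint(resp: Tuple[int, str, str]) -> Tuple[str, str]:
    """Reduce a response to what matters for cloaking: where it ended up and what it served."""
    status, final_url, body = resp
    return final_url, hashlib.sha256(body.encode()).hexdigest()[:16]

def probe(url: str, fetch: Fetcher, repeats: int = 2) -> Dict[str, object]:
    """Fetch url under every profile, several times each, and flag differential serving.
    A profile whose own repeats disagree is 'unstable' (dynamic content) and is not used as evidence."""
    seen = {name: {fingerprint(fetch(url, ua)) for _ in range(repeats)} for name, ua in PROFILES.items()}
    unstable = sorted(n for n, fps in seen.items() if len(fps) > 1)
    stable = {n: next(iter(fps)) for n, fps in seen.items() if len(fps) == 1}
    differs = sorted(n for n, fp in stable.items()
                     if n != SCANNER and SCANNER in stable and fp != stable[SCANNER])
    return {"cloaked": bool(differs), "differs_from_scanner": differs, "unstable": unstable,
            "scanner_final_url": stable.get(SCANNER, (None,))[0]}

# Constructed stand-ins for two sites. The cloaked one hands bots a harmless decoy and redirects
# real browsers to a "Flash update" page, mirroring the procedure example above.
def cloaked_site(url: str, ua: str) -> Tuple[int, str, str]:
    if "Headless" in ua or "bot" in ua.lower():
        return 200, url, "<html><body>Shop kitchenware deals</body></html>"
    return 302, "http://payload.invalid/update-flash", "<html><body>Your Flash Player is out of date</body></html>"

def honest_site(url: str, ua: str) -> Tuple[int, str, str]:
    return 200, url, "<html><body>Shop kitchenware deals</body></html>"

if __name__ == "__main__":
    print(probe("http://landing.invalid/offer", cloaked_site))
    print(probe("http://landing.invalid/offer", honest_site))
```

Server-side checks such as GeoIP or datacenter-IP filtering need the same comparison run from different network vantage points rather than different User-Agents, but the diffing logic is unchanged.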