Malvertising Attack Matrix

A project by

Confiant

[C700] Defense Evasion

Tactic Description: Defense Evasion is a series of techniques that Malvertisers use to stay under the radar and avoid detection by ad platforms or security scanners. This tactic allows malvertisers to maintain their malicious ad campaigns for the longest time possible before getting burned.

[C701] Code obfuscation

Technique Description: Code Obfuscation applies to a broad category of techniques and tactics that are employed by attackers in order to make their code hard to read by human analysts. This can include any combination of basic or advanced encoding techniques.

Procedure example: Malvertisers will employ a combination of out of the box obfuscation solution with javascript-obfuscator being the most popular: https://github.com/javascript-obfuscator/javascript-obfuscator. Groups that are more sophisticated like Zirconium will typically use bespoke multi-layered obfuscation that allows them to blend in more and look like "native" Ad Tech.

References [Confiant] Zirconium was one step ahead of Chrome's redirect blocker with 0-day: https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d

[C702] CDN usage

Technique Description: CDN usage is the practice of using reputable domains in order to conceal a threat, usually by operating under a subdomain of a legitimate website or a reputable CDN provider. Unfortunately, this is endemic of malvertising based attacks as common ad servers already have established, trusted domains. Malvertisers will also abuse common, free hosting services that are trusted as well, either for their landing pages or intermediate stages of their payloads.

Procedure example: A typical ScamClub payload has a few layers to it, starting with an ad tag that loads a malicious CDN hosted dependency.

References [Confiant] https://blog.confiant.com/malvertiser-scamclub-bypasses-iframe-sandboxing-with-postmessage-shenanigans-cve-2021-1801-1c998378bfba

[C703] Anti-Devtools

Technique Description: Anti-Devtools techniques are employed by attackers in order to disrupt the debugging process of the malicious code when browser dev tools are detected. These defensive techniques are used in order to make reverse engineering of malware difficult.

Procedure example: Javascript-obfuscator, which is a common out of the box obfuscation toolset has this functionality built-in and is used by many malvertisers at one point in the execution of their payload.

References [Github] https://github.com/javascript-obfuscator/javascript-obfuscator

[C704] String concatenation

Technique Description: String Concatenation is an obfuscation technique where strings are split into small chunks and added together so that the original strings will be difficult to search for during static analysis. For example: "Conf" + "iant". There are many ways to encode strings for obfuscation purposes, with this one being the most basic. However, it's often combined with other techniques that make detection even trickier.

Procedure example: Javascript-obfuscator, which is a common out of the box obfuscation toolset has this functionality built-in and is used by many malvertisers at one point in the execution of their payload.

References [Github] https://github.com/javascript-obfuscator/javascript-obfuscator

[C705] Dom Traversal

Technique Description: The Document Object Model (DOM) is a standard convention for accessing and manipulating elements within HTML and XML documents. Elements in the DOM are organized into a tree-like data structure. Dom traversal is the process of traversing each element and/or content within an XML/HTML document. Malvertisers perfoms a Dom traversal to check if the page is rendered as expected and that there's no unexpected behavior or new elements. This often helps Malvertisers to detect if ads are loaded in a unusual enviroment like a testing enviroment or if there's any security scanner script injected in the dom. it is basically an advanced integrity check.

Procedure example: tbd

References tbd

[C706] Standard Library Hijacking

Technique Description: Library Hijacking can take on many forms as either an attacker vector or a concealment technique. When it comes to hiding/obfuscation, attackers will take a common, standardized library and embed their payload inside this innocuous looking dependency.
Library hijacking can also manifest as a type of "supply chain attack" where an endpoint that hosts a commonly used library is compromised and the library is backdoored with malicious code.

Procedure example: Standard library JQuery hijacked by Malvertisers to embed and load malicous scripts.

References tbd

[C707] Reputable Ad servers

Technique Description: Reputable Ad Servers encompass any ad serving platforms whose ad serving domains are "house hold names" in the Ad Tech industry. Malvertisers that conduct media buys in order to run their campaigns will try to look as much as possible as legitimate advertising entities in order to evade suspicion.

Procedure example: The Tag Barnakle malvertising group is hacking into Revive ad servers to inject and deliver malicious advertisements on unwary visitors.

References [Confiant] https://www.confiant.com/resources/news/revive-ad-servers-being-hacked-to-distribute-malicious-ads

[C708] Steganography

Technique Description: Steganography is the practice of concealing data inside files - typically images or binaries. The changes to the original file are usually indistinguishable to human observation. Images with stegano raphic content will still be viewable without any obvious artifacts, and executables will still run without issue. Steganography is a favorite technique among multiple malvertisers for payload smuggling. Usually an innocuous looking image is referenced for Javascript smuggling. The code is then parsed out and executed client-side by the browser.

Procedure example: Confiant & Malwarebytes Uncover Steganography Based Ad Payload That Drops Shlayer Trojan On Mac Users

References [Confiant] https://blog.confiant.com/confiant-malwarebytes-uncover-steganography-based-ad-payload-that-drops-shlayer-trojan-on-mac-cd31e885c202

[C709] Copycat Sites

Technique Description: Copycat Sites are used by malvertisers to establish their fake brands so that when their campaigns go through traditional Ad Tech quality controls, they look like real advertisers. Most of the time these are e-commerce templates from established companies that are gently modified in order to match the fake brand identity created by the malvertiser.

Procedure example: Fizzcore using fake banners and a landing page copycats.

References [Confiant] https://blog.confiant.com/fake-celebrity-endorsed-scam-abuses-ad-tech-to-net-1m-in-one-day-ffe330258e3c

[C710] Fake HTML5 Creative

Technique Description: HTML5 Creatives are usually dynamic ads that consist of largely pure HTML and Javascript. These are favored by some malvertisers due to how code heavy these ads are, often including sizable dependencies that provide an ample surface for payload smuggling and concealment.

Procedure example: eGobbler leverage ad platforms' hosting to embed malicious code in HTML5 ad code. This is typically achieved by injecting the code in CreateJS or Greensock dependencies — libraries commonly found in HTML5 ads.

References [Confiant] https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0

[C711] Domain typosquatting

Technique Description: Typo domains are a common tool in the cybercrime pipeline, where at least one character different than a trusted domain. In the context of malvertising, they can be used to mimic legitimate ad servers, legitimate brands, or legitimate publishers. copycat websites often rely on typo domains to eliminate suspicions and look as close as the orginal website.

Procedure example: tbd

References tbd

[C712] Homoglyph

Technique Description: Homoglyphs are characters that appear the same to the naked eye, but have a different underlying code. These are sometimes leveraged by attackers that rely on text ads in order to evade static matching. Malicious text ads often have sensational messaging and call to action that are added to quality control block lists. Homoglyphs can help to circumvent these security measures.

Procedure example: tbd

References [Wikipedia] https://en.wikipedia.org/wiki/Homoglyph

[C713] Zero width space chars

Technique Description: Similar to Homoglyphs, there exist "invisible" characaters which are symbols that have zero width. These are used to evade static matching by padding strings with zero-width characters in between the characters of actual words.
In other words a string like "Bitcoin" looks like an ordinary word to the naked eye, but to a computer it might look like "B i t co i n". This is able to circumvent blocklists that are not robust.

Procedure example: tbd

References [Wikipedia] https://en.wikipedia.org/wiki/Zero-width_space

[C714] OCR Disruption

Technique Description: OCR (optical character recognition) disruption is a technique for thwarting in-image text analysis. Malvertisers that use image ads for display campaigns might chose to include text based calls to action in the imagery, but security and quality control vendors are able to read in-image text using a variety of OCR techniques. OCR disruption usually encompasses polluting the text in the image with a variety of artifacts in order to thwart these analysis techniques.

Procedure example: tbd

References tbd

[C715] Security Vendor Detection

Technique Description: Malvertising security vendors typically have a client-side component for blocking malvertisements. Many attackers will perform a DOM traversal looking for artifacts or identifiers that are specific to particular security vendors, so that they can avoid revealing their payload in these scenarios.

Procedure example: tbd

References tbd

[C716] Mutex

Technique Description: Technique used to avoid executing the payload more than one time. this technique have been seen used by Malvertisers who relies either on cookies or local storage to make the decision whether or not the payload should be executed.

Procedure example: Tag barnakle payloads checks if the user has been previously cookied by the script, before continuing script execution.

References [Confiant] https://blog.confiant.com/tag-barnakle-the-malvertiser-that-hacks-revive-ad-servers-redirects-victims-to-malware-50cdc57435b1