
[Applause] Hey, good evening everyone. I don't know if anyone has a step so I can look a little bit taller here, but today I'm very excited to be here to share some of the recent research I did on a malvertising campaign. To give you some background on me: I'm a senior security researcher, part of the Global Research and Analysis Team at Kaspersky, and the focus of our team is to do research on APTs and crimeware threats. This presentation is the result of one of those researches.

I'd like to start with a quick question: a show of hands if you have ever, willingly or unwillingly, clicked an ad you saw on a website or on the Google search engine, something like that. I certainly have, unwillingly, and the potential for bad things to happen is quite interesting. So let's get into it.

What will we talk about today? I'll start with a quick overview of what malvertising is and how it works, so we're all on the same page about our understanding of it. Then we'll move on to how we discovered this campaign, which will give you more temporal context, as well as a technical analysis of it. Then we'll talk a little bit about the threat actor and their infrastructure; we'll focus more on the infrastructure side, and specifically how they ended up exposing some interesting information about their victims. We'll then discuss some of the campaign details; this builds on the previous two sections: knowing how the infection chain works and how their infrastructure is set up, we can work out some of their campaign numbers. Finally, we'll close with some considerations about malvertising, and I'll leave some open questions for you to consider, and then any questions you might have about the presentation.
What is malvertising? Malvertising is a portmanteau for "malicious advertising". Yes, I learned about this word recently, so I wanted to share it with you. In a broad sense it is basically the use of online advertising to spread malware. The first references I found to malvertising date back to 2007; those were the good old days of Shockwave Flash, where basically every website was a potential RCE vector. What makes malvertising interesting from an attacker's perspective is that the distribution is handled by a legitimate third party. This means that when you want to distribute some malware, you basically just buy some ad space on some engine or whatever, and then you push it out to very customizable targets. For attackers this is very good because it offloads all of the distribution to someone else, and it's also very annoying for researchers. For the attackers it's basically free real estate, because they can get visibility on very high-profile websites, and it's very easy for them to hide: as soon as they turn off the ads from showing, the distribution is gone and you're left in the dust. This makes it hard for researchers. First you need to know what kind of targets they are after, so you're able to search the same keywords they are after, and from this presentation you'll also see that the infection chain can be built in such a way that the malware only detonates if it knows it came from an ad being clicked by a victim.

Quickly, how it works. The regular kill chain is very easy: a user searches for some keyword, they're presented with an ad that matches the search, they click the ad, and they end up on a phishing website. From here the consequences will depend on the kind of attack that's going on: it can be something like credential or data farming, it can be some kind of fake download website, or it could even be something very simple like a tech support scam, stuff like that. In the images here you can see: the top image is just a support scam, where they don't even want you to click the ad, they just want you to call that number. Then you have the Obsidian and the Slack malvertising. In the Obsidian one, if you can read it from there, the actual URL is very suspicious; it doesn't have anything to do with Obsidian. The Slack ad says it's going to slack.com, but in reality it isn't. These images you're seeing here are from Jérôme Segura, a researcher from Malwarebytes who does a lot of research into malvertising, so if you're interested in knowing what's going on out there about all of these things, I would suggest you follow him.

Let's now move on to the specific campaign we observed: how we discovered it and how the infection chain went. This will be very straightforward and easy to follow; it's not very complicated. We'll just focus on the main logic, which will come in handy for the campaign analysis that comes after. So, the discovery. Basically, in
April we had a flag for a Trojan downloader with the file name notion.exe. Notion is basically a utility application for taking notes and stuff like that, and it was also being hosted on a typosquatting domain. We started looking at this in August, and that's where we found some references to domains related to malvertising, based on Jérôme's work as well. We reached out to him and talked about it, and it was also during that time in August that we found some other utilities being targeted, like Slack, Discord, Zoom and stuff like that.

A quick TL;DR of the infection chain they were using. Basically the victim would search for the application, so it would be Notion, Slack or whatever, and they're presented with an ad. The victim would click that ad and go through a redirection chain; the purpose of this chain was to validate the user: they want to know that when the victim reached their phishing website, they came from clicking the ad. If you visited the website without coming from the ad, it would show a different website. Once you're at the website, you would download a fake installer. This fake installer would then basically set up some basic persistence and drop the final payload, before actually fetching the legitimate application and installing it on your computer.

With this in mind, we can now look at the more specific details of each of these steps. From here, one to three: this was basically the flow you would see. You would search, for example, for Notion, you would be presented with something that looks like Notion, you would click it, you would end up on an exact copy of the Notion website, and when you download it, here in 3 you can see you would end up with the binary. The relevant point here is that in 3.1 you can see there are actually three redirects before you end up on the website. We believe, we're fairly certain, that these redirects, besides monitoring the ad clicks, were also part of the user validation, to make sure that the user, when he landed on the website, was coming from the ad. In 3.2, when the user downloads the fake installer, we see two other URLs being served, and we believe this is related to whitelisting the IP. This will become relevant further down the line, because you would only be able to go through the entire chain if your IP was whitelisted.

So here, I think you can see it all right, this is basically the first stage: this is what the downloaded binary contains. It was a fake installer which was simply a .NET self-contained application, so it just includes the .NET runtime and libraries, which makes the application significantly large, around 200 megabytes. The actual payload is just a very small DLL that was embedded in the application, and the single purpose of that DLL was to fetch the next stage. Again, to point out what's relevant here: you would only be able to hit that URL and fetch the next stage if your IP was whitelisted, or if you provided a valid UUID. This UUID, as we'll see next, is part of the next stage, so if your computer was already infected, you had a valid UUID and could also fetch the second stage without having a whitelisted IP.

The second stage is basically where we find all the logic. The diagram on the right is basically a representation of the image on the left. We can see that it has basically four logical blocks.
The first block is basically to make sure the user is running the application as an administrator, so it will just loop calling runas with the application that was just downloaded. Then you have a second block, which is basically a very simple evasion and persistence technique: they would add the system drive to the Windows Defender exclusions, they would create an application backup in the local app data (they would just create a folder named "backup" and place the application there), and then they would add that application as a task to the Task Scheduler, so every time you logged on to the computer this binary would be run. Then the third block is where the interesting part happens: this is where the script would check whether the C2 was up and validated, and then it would download both a key and an IV and a payload, which it would then decrypt and run. At the end of that, as you can see there, it will send the UUID to another endpoint, basically to validate that this UUID was infected. This would be the final part of the dropping of the payload. At the end, the last block: like I was saying, they were nice enough to download the actual application and install it for you.

What's interesting to note here is that they were very lazy, and I think you can read it in the code: the function names, the URL and the comments all mention different applications. You can see they were actually targeting different applications, but they were just quickly modifying the script and pushing it to the servers. Finally, there's a final section in the diagram that says "listen for server commands", and this is not present in this script. That's because this was a functionality we observed during maybe a two-week time period; I guess they were probably trying to add some other kind of functionality to this dropper to be able to fetch other files. We weren't able to get any commands from them, but we know it was live for maybe two weeks, and then they took it off from the script.

At the end of this you would end up with a payload, a final implant, on your computer. We've seen all of the payloads they were fetching; they were always encrypted with AES or an unknown cipher. We weren't able to understand which cipher it was, and we believe this was related to a similar but different infection chain which has some other script. On the things we were able to decrypt, we basically just did a quick validation of the families; we just wanted to be aware that they were dropping Lumma Stealer, SectopRAT and DarkGate, although for DarkGate we're not 100% confident in the detections, but it's a possibility. Another thing is that they were quite consistent on the drops: they weren't constantly changing the binaries; the binaries barely changed during the time period in which we were analysing the
infection chain.

Moving on to the threat actors and their infrastructure. The purpose of the following slides is to give you an overview of their infrastructure, followed by how a screw-up on their side led us to some interesting logging files, which then provided us a way to measure the infections they were having in that campaign. In this overview the point is just to show you that from this very little amount of information we were able to keep track of their activities; sometimes these very little things go a long way. We saw that they were using a very small set of providers for their infrastructure. Interestingly, we saw that the DLL they were dropping always had one of three users, so I started calling them the three stooges: it was either MPX, NVL or Dimitri. Interestingly enough, this was more than enough to hunt for new DLLs that were being pushed, because they always left this there. Also interestingly, they had at least some segregation of stages: you can call the phishing website the first stage, and the second stage is basically the C2s, and they would never mix up infrastructure between them. We did see one IP sharing two different phishing websites, and on the C2 side we actually saw seven different domains sharing the same IP, so within the same stage they were actually sharing infrastructure among themselves.

Moving on to more interesting things about their infrastructure: exploring the infrastructure and trying to understand what was available. Not surprisingly, they were hosting the backend panels on the second-stage infrastructure, the C2s. We did not explore the panel itself, but what we did find, which was way more interesting, was that they had one server which was probably missing the index.html file, so it was listing the root directory of the server, and from there we found out they had some very interesting logging files available, which I will discuss next. Besides the logging files, you can see they had a file called s ip.php. We are not sure where it was being used; we imagine, based on the name, that it was probably related to all of that user validation or IP validation, something like that. But since we had very interesting data from the log files, we just explored that.

So, the ips.txt file. As you can imagine, very straightforward: this was just a list of IPs. What we noticed is that the file had the IPs sorted, and after a huge amount of IPs, the IPs started becoming random. We believe they were basically just copying the file between servers and probably sorting the file to analyse something. We also noticed that there were two very high hit counts for IPs, those 3,600 and 1,500 hits. I would believe that maybe, and this is something threat actors do, they test their infrastructure a lot, so I wouldn't be surprised if one of those IPs could be related to their development phase, where they were probably testing the infrastructure, testing the deployment of the infection chain, and so on. Besides that, we don't have a very specific idea of the purpose of the file: maybe it was to control access to the phishing website, maybe access to the other stages, it could be infection telemetry, although the number of unique IPs we saw was a little bit too high for it to be actual infection telemetry.

Next we have the UUID files. This is very similar to the IP files in the sense that they just kept a record of the UUIDs. We consider that this might be either keeping track of the requests coming from the endpoint that receives a UUID, or, if you remember back to the diagram where they would send a POST request with the UUID, this could be, for example, a place where they would just register that UUID as someone who was just infected. Given the difference in numbers between this file, 1,700, and the other file, 17K, we might believe that these could be related to somewhat different infection chains that we did not have visibility into. Actually, at some point we did see one of the C2s providing a second-stage script that was not sending the UUID of the infected machine, so that could explain the discrepancy we see between the numbers of IPs and UUIDs.

Moving on to some more interesting files. One of them was the access log. This basically showed timestamps and whether the access for a given IP was approved or denied. We saw that there were a lot more approved IPs than denied. Again, we are not sure about the purpose of this file, because a lot of IPs were approved; maybe it's related to some kind of access validation to the script, the phishing website or something similar. And now, this is one version of the most interesting file we found, the access.txt file. Again, it shows the timestamps and also shows "access denied" or "allowed" or "approved" for a given IP. This was most likely, and here we are fairly confident, highly connected to the infection chain, although we cannot discard it being related to something else. But they always had the same pattern: a given IP would always show "access allowed", "get code" and then "access approve IP". This was very interesting, but it doesn't fit the infection chain that we saw. There was, however, another version of the access.txt file which was very promising. Basically, this version was clearly connected to our infection chain. We can see that because they were referencing the 2.php and 3.php files, and they also had a very specific pattern: you had "access allowed" followed by 2.php followed by 3.php, and a given IP would always follow this pattern. Where you see "not provided" at the top, we assume this means it's a new infection, because the computer does not have the UUID file written to disk yet, so the IP has to be whitelisted for them to be able to reach 2 and 3.php; otherwise the system would just say "access denied". This was basically the most interesting thing, and it gave us very good potential to get some accurate numbers on how their campaign was going, which is what we are going to look at next.

Now that we know the logic of the infections, we
know the exact steps that the infection chain takes, and we have access to the logs from the C2s that apparently show very promising information, so we can now put that together to try to derive some telemetry information. The next slides will focus pretty much on that. We'll start by taking a quick look at the timeline of the domains, when they were used, to give better temporal context, and then we'll define the methodology we used to measure the infections and the outcome of that. Before moving on to the next slide, I just want to apologize for the messiness of the next slides, which is this, so bear with me.

This is a snippet of the phishing domains as well as the C2 domains that we were aware of. To describe the image: in the middle you can see the timeline, for the current year between April and mid-November. Everything above the line is the phishing domains and everything below the line is the C2 domains. The length of a line for a given domain represents when we know that domain was active, meaning it had a DNS record that was active for the campaign; it doesn't mean it was taken down or pointing somewhere else, so we know that during that time it was actually active. Another thing to point out: even though you might see different domains on the same line, that doesn't have any specific meaning; it's just a way to fit more things into the image. If we look at the length of the phishing domains, we can see that they're active for a shorter time period than the C2 domains, so most likely the same C2 domain was being used by different phishing domains. Another interesting thing you can note is that currently, at the bottom of the image, there are a lot of domains that appear to still be active, and they're not. What happens is that although the IP is the same IP that was serving the C2s, when we try to connect to it, it accepts the connection but doesn't return anything. At first we thought maybe they were using these IPs as some kind of reverse proxies for some other back ends, but this doesn't fit with the other things we had from the log files, because different domains had different log files, so most likely they were actually different servers. The reverse proxy idea does not hold, and for this one we don't know exactly how to explain the behaviour, so it's something interesting to consider.

With this being said, what we did is: for all of those bottom domains, we collected the logs that we could from them, to be able to use them as telemetry and mine that telemetry. How did we approach this? Going back to the file contents, you can see we have block one and block two, those squares in green. What we did is we concatenated all the access.txt files, and then we dropped the timestamps and dropped all the duplicates. Duplicate lines don't have any meaning, because the lines have timestamps, so if it's the exact same line, it doesn't have any relevant meaning. Also, the files were being moved between servers; we observed this because files on different servers would have the exact same beginning lines, and if an older server stopped being used, you would see that the newer server had more lines in it. Then, to measure, we basically assumed that if we see an entry for a given IP, and then that IP hits 2.php followed by 3.php, and there's no UUID given, we assume that's a new infection, and we have some confidence that it's new and legitimate, because again the IP has to be whitelisted to be able to reach 2 and 3.php. The other case would be that if we saw an IP hitting the three endpoints with a UUID, we would assume this is an already existing infection and not count it as a new infection. So basically we were more focused on the new infections, and we pretty much discarded everything that was just checking in.

Based on this, the files we were able to obtain were from five different domains, between the 23rd of July and the 29th of October. The numbers we observed based on that methodology were a little over 3,000 unique IPs for that time period, spanning over 10,000 records. What's interesting, and you'll see it on a graph further down, is that the average gives around 31 new infections per day, but the median was five daily infections, which is interesting; there's such a different number between the average and the median for the new infections.

Looking at the geo distribution: again, this is all for unique IPs, and it's based on the access.txt file for that specific time period. It's interesting that we see a big incidence in Europe, so around 80% of the infections, for unique IPs, were coming from Europe. On the table, those are basically the top 10 numbers for each country, and only Australia and Canada are not in Europe; all the other countries are part of Europe. This kind of hints at what they were targeting, and again, since they were using malvertising to distribute the malware, we can consider that they were actively targeting specific countries, which you can easily do with an ad. So we can pin down that even though they were targeting Slack, Notion, etc., we also know that they were targeting these specific countries. Again, take into consideration that this is a subset of their entire operation, I believe, because we were fairly certain at this point that they had some other infection chain; this is just a small set of everything they had, so take that with a grain of salt, but interesting numbers nonetheless. Okay, so about the timelines.
This is why you saw that difference between the average and the median. What we saw when we measured the new infections is those spikes in July, August and October, and those are quite huge spikes: around 400, over 400, both in August and October. Apart from August, where we see a healthy, for lack of a better word, a healthy number of infections throughout the month, we don't know; maybe they wanted to invest in pushing ads during that period. I even considered this: I don't know if you have ever pushed an ad, but basically you can define how much you want to spend per day. I don't know if they didn't set a daily budget limit for an ad to be shown, which could probably explain why they have a huge spike and then it normalizes. For example, after the third bar they would maybe set it up so "let's just spend maybe 10 or 20 EUR per day on ads", which would explain the long tail on the rest of the month. Again, the dead zones: we believe it doesn't mean they weren't active, it means that probably they had that slightly different infection chain, because again, based on our methodology, we were targeting that very specific file and counting the numbers from that very specific file. If I showed the numbers for the 17,000 IPs, I'm sure this would show a lot more hits, but again, this is just a small subset of their operation.

With this, I just wanted to close with the following. We looked at this campaign from basically the three stooges, which most likely could even be the same user with different usernames; most likely it doesn't have any specific meaning. We saw 3,000 infections in that time span of three months, which seems a quite relevant number. We saw a high incidence in Europe for that specific infection chain. We also believe that the TTPs most likely changed, not only because we know they have slightly different infection chains, but because I stopped seeing activity in those log files, so I believe they might be moving on to something different. Again, this goes to show that malvertising as a distribution method is quite interesting: you just offload all the distribution efforts to someone else, you just pay a legitimate vendor and say "here's who I want to target, here's the country, here's what they are searching for". During this investigation I tried to publish an ad, to see, and it's very interesting the amount of customization you can have, and this is very good for the threat actors, to be able to so easily access very specific victims. And if it wasn't for their screw-up on the opsec side, we probably wouldn't have been able to have this information, because again you would have to know exactly what the ad wanted you to come from, probably a referer or whatever; you needed to know the exact steps to be able to go through the entire infection chain. That makes it harder to detect, because if you just send the fake installer to VirusTotal or whatever, it won't detonate. I'm not sure if it will even be detected; probably it will get some detection because it's fetching something from somewhere else, but you won't see what it's dropping, which is good for them, because they want to hide their final payloads.

So I don't know exactly what we can do about this. I think this goes back to basics: we humans are always the weakest link, so I think we should keep educating users on these vectors, which keep being used more and more. One might consider that ad blockers might be a first blocking measure, although you're actively blocking a legitimate service, so it's debatable whether you should do it or not. There's also maybe some kind of work from the vendors that are selling the ad networks. Some of them already apply some measures; they have initiatives like the ads transparency initiative. I don't know if you have ever noticed, but if you're shown ads, specifically on Google, you can actually see who is publishing that ad, and based on the publisher ID you can go to the ads transparency site and list all the ads from that specific publisher. This gives you an understanding, and it's actually a good way to check: if this is a malvertising ad, let me search whether this actor is pushing something else or whatever. Also, as I was trying to publish an ad, although I didn't do it for ethical reasons, I did find out that they do some automatic validation: if you try to publish an ad that relates to finance, they block you. The automation blocks you and you have to manually say "yeah, just review my request", which would probably be blocked because it was a very obvious malvertising thing.

So yeah, I'll leave you with this. Thank you everyone. I don't know if you have any questions; you can find me on X, Mastodon or Bluesky, whatever your flavour is. So yeah. [Applause]
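The log-mining methodology described in the talk (concatenate the access.txt files pulled from several C2 servers, drop duplicate lines, then count an IP as a new infection when it is allowed with no UUID and then hits 2.php followed by 3.php, while the same chain with a UUID is an existing infection checking in), as an added, runnable example. This is illustration code written for this page, not the speaker's or Kaspersky's tooling. The talk describes the fields of access.txt but not its exact layout, so the "timestamp | ip | event | uuid" line format, the sample log lines, the IP addresses, the UUID and the dates below are all constructed assumptions for the example.

```python
"""Mine C2 access.txt logs for new infections (added example, not the talk's own code).

Counting rule, as described in the talk:
  * concatenate every access.txt we could pull, drop exact duplicate lines
    (the files were copied between servers, so a newer file repeats the
    older file's leading lines);
  * an IP whose chain is "access allowed" (UUID "not provided") -> 2.php -> 3.php
    is a NEW infection: with no UUID file on disk yet, the IP must have been
    whitelisted to get that far;
  * the same chain carrying a UUID is an existing infection checking in and
    is not counted; IPs that never complete the chain are set aside.

ASSUMPTION: the "YYYY-MM-DD HH:MM:SS | ip | event | uuid" layout is invented
for this example; all log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean, median

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \| (?P<ip>[\d.]+) \| "
    r"(?P<event>[^|]+) \| (?P<uuid>.+)$"
)
NO_UUID = "not provided"   # what the log shows when the victim has no UUID file yet


def parse_logs(*files):
    """Concatenate files, drop exact duplicate lines, return (day, ip, event, uuid) in order."""
    seen, records = set(), []
    for text in files:
        for raw in text.strip().splitlines():
            line = raw.strip()
            if not line or line in seen:        # duplicate = copied between servers
                continue
            seen.add(line)
            m = LINE_RE.match(line)
            if m:                               # anything that is not a record is skipped
                records.append((date.fromisoformat(m["day"]), m["ip"],
                                m["event"].strip(), m["uuid"].strip()))
    return records


@dataclass
class Verdicts:
    new: dict = field(default_factory=dict)        # ip -> day of first full chain without UUID
    checkins: dict = field(default_factory=dict)   # ip -> number of full chains with a UUID
    incomplete: set = field(default_factory=set)   # allowed but never reached 3.php
    denied: set = field(default_factory=set)       # never allowed at all


def classify(records):
    """Walk each IP's events in order and apply the allowed -> 2.php -> 3.php rule."""
    by_ip = defaultdict(list)
    for day, ip, event, uuid in records:
        by_ip[ip].append((day, event, uuid))
    v = Verdicts()
    for ip, events in by_ip.items():
        stage, chain_uuid, chain_day, completed = None, None, None, False
        for day, event, uuid in events:
            if event == "access allowed":
                stage, chain_uuid, chain_day = "allowed", uuid, day
            elif event == "2.php" and stage == "allowed":
                stage = "stage2"
            elif event == "3.php" and stage == "stage2":
                completed = True
                if chain_uuid == NO_UUID:
                    v.new.setdefault(ip, chain_day)          # first full chain with no UUID
                else:
                    v.checkins[ip] = v.checkins.get(ip, 0) + 1
                stage = None
            else:                                            # denied, or out-of-order hit
                stage = None
        if not completed:
            (v.incomplete if any(e == "access allowed" for _, e, _ in events) else v.denied).add(ip)
    return v


def daily_new_infections(verdicts):
    """New infections per calendar day, zero-filled over the observed span."""
    if not verdicts.new:
        return {}
    days = sorted(verdicts.new.values())
    counts = {days[0] + timedelta(d): 0 for d in range((days[-1] - days[0]).days + 1)}
    for day in days:
        counts[day] += 1
    return counts


def summarize(*files):
    v = classify(parse_logs(*files))
    counts = list(daily_new_infections(v).values())
    return {"unique_new_ips": len(v.new), "checkin_ips": len(v.checkins),
            "incomplete_ips": len(v.incomplete), "denied_ips": len(v.denied),
            "mean_per_day": mean(counts) if counts else 0.0,
            "median_per_day": median(counts) if counts else 0.0}


UUID = "9f3c2e4a-1b6d-4e7a-8c1f-2a9b3d4e5f60"   # constructed
SERVER_A = """
2024-07-23 09:01:10 | 203.0.113.10 | access allowed | not provided
2024-07-23 09:01:12 | 203.0.113.10 | 2.php | not provided
2024-07-23 09:01:15 | 203.0.113.10 | 3.php | not provided
2024-07-23 10:40:00 | 203.0.113.11 | access allowed | not provided
2024-07-23 10:40:03 | 203.0.113.11 | 2.php | not provided
2024-07-23 10:40:05 | 203.0.113.11 | 3.php | not provided
2024-07-23 11:12:44 | 198.51.100.5 | access allowed | 1a2b3c4d-0000-4000-8000-000000000001
2024-07-23 11:12:46 | 198.51.100.5 | 2.php | 1a2b3c4d-0000-4000-8000-000000000001
2024-07-23 11:12:49 | 198.51.100.5 | 3.php | 1a2b3c4d-0000-4000-8000-000000000001
2024-07-23 12:00:00 | 198.51.100.77 | access denied | not provided
2024-07-23 13:30:00 | 203.0.113.12 | access allowed | not provided
2024-07-23 13:30:02 | 203.0.113.12 | 2.php | not provided
2024-07-23 13:30:04 | 203.0.113.12 | 3.php | not provided
"""
# The newer server's file starts with a copy of the older one, then continues.
SERVER_B = "\n".join(SERVER_A.strip().splitlines()[:6]) + f"""
2024-07-26 09:00:00 | 203.0.113.21 | access allowed | not provided
2024-07-26 09:00:02 | 203.0.113.21 | 2.php | not provided
2024-07-27 08:15:00 | 203.0.113.20 | access allowed | not provided
2024-07-27 08:15:02 | 203.0.113.20 | 2.php | not provided
2024-07-27 08:15:05 | 203.0.113.20 | 3.php | not provided
2024-07-28 14:00:00 | 203.0.113.10 | access allowed | {UUID}
2024-07-28 14:00:02 | 203.0.113.10 | 2.php | {UUID}
2024-07-28 14:00:04 | 203.0.113.10 | 3.php | {UUID}
"""

if __name__ == "__main__":
    print(summarize(SERVER_A, SERVER_B))
```

On the constructed sample this yields four new infections (three on the first day, one four days later), two IPs checking in (one of them an earlier new infection, now carrying its UUID), one incomplete chain and one denied IP. The daily series is zero-filled over the observed span, which is what makes the gap between mean and median visible: a single spike day pulls the average up while the median stays near zero, the same effect the talk reports with an average of 31 and a median of 5.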