Landing Page Screenshots:
Malicious Tactics Used:
- Device Fingerprinting
- Sandbox Detection
Affected Platform: Google Ad Exchange
When the malicious ad is displayed to a user, it simultaneously loads and executes "https://media[.]aso1[.]net/storage/1/7/9/17990c17291a58844865bdd7f0b818cbe561700d/index[.]html" in the background.
The threat actor has heavily obfuscated the malicious code to evade detection and carry out the redirect, which makes it difficult for researchers to de-obfuscate and understand its behavior. Threat actors use a wide variety of obfuscation techniques; in this case the payload is encrypted with CryptoJS AES (the "CryptoJS AES Encryption" technique) and decrypted at runtime with a call of the form:
var decrypted = CryptoJS.AES.decrypt(encrypted, "Secret Passphrase");
CryptoJS supports AES-128, AES-192 and AES-256 and selects the variant from the size of the key passed in. When a passphrase string is passed instead of a key, as here, CryptoJS derives a 256-bit key and an IV from the passphrase and a random 8-byte salt (its OpenSSL-compatible derivation) and emits the ciphertext prefixed with "Salted__" and the salt. Since the script has to decrypt itself in the victim's browser, the passphrase is necessarily embedded in the code, so recovering it from the loader is enough to decrypt the payload offline.
The decrypted code creates a canvas element, renders into it, hashes the result on the machine actually executing the ad and compares that hash against a hard-coded list. If the hash matches an entry in the list, the redirect is not carried out: the list acts as a blocklist of canvas fingerprints for known sandbox and research environments.
If the code detects an anti-malvertising vendor on the creative, it voids the following entities on the current frame and on the top-level parent frame, so the redirect functions never run while a vendor is present.
The code uses an "ontouchstart" event, which fires only when an element is touched and therefore only in mobile touch environments; from this we can infer that the threat actor targets mobile phones. It also calls "getTimezoneOffset", which returns the difference in minutes between Coordinated Universal Time (UTC) and local time, giving the timezone, and hence an approximate location, of the machine on which the ad executed.
The code also registers event listeners and checks whether the events come from a real user rather than from an automated testing environment; the redirect happens only on a genuine click, mousedown, scroll, keydown or similar interaction.
We have seen a concerning volume of ads from this campaign across both desktop and mobile devices.