Malvertising (malicious advertising) refers to the practice of embedding harmful code within online advertisements, which can lead to malware infections on users’ devices.
This technique often exploits legitimate advertising networks, making it difficult for both users and publishers to detect infected ads.
Recently, the Gen Digital researchers found that a malvertising campaign dubbed “AliGater,” has been actively chasing users of outdated windows in Europe.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
AliGater Attacking Outdated Windows Users
AliGater is a sophisticated malvertising platform that primarily targets the outdated Windows (7 SP1, 8.1) and Chrome versions, mostly in Europe.
The attack chain begins with malicious ads redirecting to aligate.homes, which fingerprints users via “User-Agent” strings.
Here, the exploitable targets encounter a fake CAPTCHA loading “captcha.js” from a dynamic “*.shop” domain.
This script analyzes the victim’s environment (architecture, platform, WebGL, Chrome version) and delivers tailored exploits for the V8 JavaScript engine (CVE-2023-2033) and Windows TrueType font parsing (CVE-2011-3402).
The multi-stage payload utilizes the following things:-
- WebAssembly
- XOR encryption
- Shellcode injection
- Process hollowing
Besides this, it creates elevated processes masquerading as legitimate Windows executables (“dllhost.exe,” “SearchIndexer.exe,” “spoolsv.exe,” “svchost.exe,” “taskhost.exe”) to deploy the Lumma stealer.
The attack employs syscall requests and targets specific user agents. The most frequently targeted user agent is “Mozilla/5.0 (Windows NT 10.0, Win64, x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36”, highlighting the specific versions vulnerable to this attack.
AliGater’s infrastructure uses rapidly changing subdomains (format: {random_chars}.{two_random_words}.shop) and IP addresses within consistent ASNs.
Interestingly, AliGater shares several characteristics with the Magniber ransomware campaign, including targeting methodology, unusual syscall invocation techniques, and similar string encryption methods.
This suggests a possible connection or shared codebase between the two threats, potentially indicating that Magniber’s authors are offering their infrastructure as a service.
While the final payload delivered via this elaborate chain has been identified as the Lumma stealer, the infrastructure could potentially be used to distribute other types of malware as well.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial