A large-scale malvertising campaign distributing the Lumma infostealer malware via intrusive “ads” leading to fake CAPTCHA pages has been tied by researchers to a threat actor abusing the Monetag ad network.
The campaign from the users’ perspective
Internet users usually land on one of the many thousands SEO-optimized sites using Monetag ad-zone scripts after searching for things like streaming videos, anime, sports, academic documents, etc.
The scripts pop open a new tab, which redirects users to a fake CAPTCHA page that instructs them to verify that they are human by pressing a set of buttons in a specific order.
These actions make it so that the victim pastes a PowerShell script into a Run dialog box and unknowingly executes it by pressing the OK button.
“The malicious pages are frequently updated with new variants to evade detection. Those use different PowerShell one-liners, different script obfuscation to copy the PowerShell script to the clipboard, as well as changes in visual design,” Guardio Labs researchers discovered.
The PowerShell scripts download and execute the powerful Lumma infostealer, just like in these previously flagged campaigns (that may or may not be just one of the stages of this one documented by Guardio).
The campaign from the researchers’ perspective
“In collaboration with Infoblox and through meticulous deobfuscation of JavaScript snippets responsible for triggering ad events, we identified the ad network service responsible—Monetag. Monetag is a subsidiary of PropellerAds, a large ad network company based in Cyprus,” Guardio Labs researchers shared.
The ad network is being leveraged by a threat actor – previously dubbed “Vane Viper” by Infoblox researchers – to distribute malware at a large scale.
The threat actor is using obfuscated scripts, redirect chains, and ad-tracking services like BeMob to conceal their malicious pages and intent from the ad network’s moderators.
The malvertising attack flow (Source: Guardio Labs)
“Over just the past ten days, our analysis estimated up to 1M ‘ad impressions’ per day, arriving from around 3000+ publisher sites,” the researchers pointed out.
A concentrated effort is needed to protect internet users
The researchers have outlined the flawed ecosystem and buck passing strategy that makes campaigns such as these possible:
- Ad networks use ad scripts that essentially “hijack” sites, invasive pop-ups, obfuscated scripts to circumvent ad blockers, direct links that can be posted on social media or in instant messages, etc., and claim they cannot moderate the “ads” because of cloaking
- Publishers of SEO-optimized (cloned) sites with click-baity content – based on ready-to-deploy website templates or created with the help of specialized services (“Streaming As A Service”) – say they are just monetizing their websites via third-party services
- Hosting services are failing to promptly identify and take down malicious pages hosted on their infrastructure
- Ad-tracking services saying they are just an analytics tool and cannot be responsible for the malicious ads.
“This fragmented chain of ownership creates a perfect storm of plausible deniability, making it exceptionally difficult to pinpoint and enforce accountability. It’s a system designed to shift blame while allowing malicious campaigns to thrive,” Guardio Labs says.
“Ad networks must prioritize ongoing content moderation, robust account validation to prevent fake registrations, and more accessible reporting mechanisms for the cybersecurity community. Waiting for external reports to address such abuses is not enough. These systems require continuous oversight to protect not just their clients but all internet users.”
