More ‘sophisticated’ malvertising sneaks past filters

A script found in malicious ads reveals signs of Cobalt Strike and ransomware, according to a Malwarebytes researcher.

Usually when threat researcher Jérôme Segura finds malicious code inside of an advertisement—often referred to as “malvertising”—the executable code is one that’s easy to define: an info-stealer or installer, for example, that can be investigated in a sandbox environment.

The digital ad ecosystem has always been fraught with bad actors, but malicious ads are now more sophisticated than a bogus survey, coupon offer, or virus-removal tool that serves up harmful but identifiable code. Insidious instances like the one Segura found have “fingerprinting” techniques that mark specific users and enable a quick getaway.

Segura, senior director of threat research at the cybersecurity provider Malwarebytes, raised concerns after discovering malvertising that leads to a script—a potential sign of ransomware actors.

“The last few weeks, I’ve seen an increase in both the number of malicious ads, as well as the sophistication behind [them],” Segura told IT Brew.

The findings. Recent details from Malwarebytes revealed a malvertising campaign involving a phony version of the Notepad++ developer tool.

“It is unique in its way to fingerprint users and distribute time-sensitive payloads,” Segura wrote in an October post.

Any attempts to download the file from the same URL would lead to an error message, the report continued—a crafty dead-end for investigators.

The payload, which assigns each victim a unique ID, is a .hta (HTML application) script. A .hta file with a similar naming convention was found on VirusTotal in July, according to the Malwarebytes report. Dynamic analysis of that summer script revealed a connection to a remote domain (mybigeye[.]icu) on a custom port.

“While we don’t know what happens next, we believe this is part of malicious infrastructure used by threat actors to gain access to victims’ machines using tools such as Cobalt Strike,” Segura wrote in the post, referring to the network scoper

“Most of the malware we see deployed as a follow-up from Cobalt Strike is ransomware,” Segura told IT Brew.

Fraudsters hurt companies’ “return on ad spend” and the overall effectiveness of advertising and marketing campaigns, according to a recent report from Juniper Research. The marketing-research firm predicts that 22% of the total value of 2023 global ad spending, a total of $84.2 billion, will be lost to ad fraud.

The new high is a low. According to a new study from the ad-security platform Confiant, the 2023 Q1 security violation rate—calculated by dividing any ad impressions with issues by the total number of impressions monitored by the company—reached its highest point in 4 years.

Attackers have moved on from simplistic redirects, said John Murphy, chief strategy officer at Confiant.

“The industry does a good job of blocking those, preventing those, and we just don’t see them anymore,” Murphy told IT Brew. “So what’s left are these highly sophisticated threat actors who’ve turned this into a business who have dev teams, who have QA teams, who have people who are experts at identifying these vulnerabilities in browsers, experts in convincing people that they’re legitimate agencies and employing these very sophisticated techniques to evade detection.”

Aside from defenses like ad blockers and intrusion-detection systems, ordinary human suspicion helps in the malvertising mess, such as being cautious any time a download link doesn’t lead to an official site.

“This is not 1998 internet, where it needs to do a bunch of crazy stuff to load a site to directly take you to Notepad++. You should be on that site directly,” Rob T. Lee, chief curriculum director at the SANS Institute, a cybersecurity education group, told IT Brew.

The Malwarebytes blog noted an increase in malicious ads on Google. “We don’t allow ads on our platform that contain malicious software,” said Google in a statement to IT Brew. “We’ve removed the ads in question that violated our policies and taken appropriate action against the associated accounts. We continue to see bad actors operate with more sophistication and at a greater scale, using a variety of tactics to evade our detection. We invest heavily in our ads safety efforts and have a team of thousands working around the clock to enforce our policies at scale.”

“The way we know about these attacks usually is from actual victims,” Segura said.