Spike in mobile-targeting Ghostcat malware draws attention to new evasive measures
- 40% jump in Ghostcat-3PC sightings via additional DSPs throughout March 2021
- New variants stripped of creative and landing pages, only containing heavily obscured malicious code
- Continuous client-side scanning to uncover evolving threats
- Counteract fingerprinting and cloaking by executing scans from various geographic locations and devices
- Reconsider relationships with partners continually platforming Ghostcat buyers
Since first catalogued by The Media Trust in 2019, Ghostcat-3PC has kept up a steady presence in the digital advertising ecosystem. Leveraging multi-step campaigns involving fingerprints and advanced obfuscated code, Ghostcat continually targets mobile devices with redirects to scam pages, delivery of adware, and even drive-by downloads.
But this malware has not maintained its status quo—a recent spike in distinct incidents revealed that Ghostcat has evolved in troubling ways (see Figure 1).
March saw a 40% month-over-month hike in Ghostcat incidents (note: a single incident can represent thousands of impressions) primarily in the US. While distinct incidents rose, the total number of scans declined, which can be attributed to platforms briskly shutting down campaigns as soon as the malware was detected.
In addition to a presence in numerous prominent buy-side platforms, Ghostcat is now detected across several new DSPs where it has not been seen before—some with large Asia-Pacific footprints. As realized in previous incidents (ICEPick-3PC in summer 2020), this activity is likely in preparation for a larger scale attack.
Ghostcat evolves to evade detection
Newer Ghostcat variants leverage multiple host domains to send their malware—a primary URL that signals a secondary one to send the actual malicious payload. The Media Trust’s malware desk has observed Ghostcat cycling multiple primary hosts daily to evade detection.
Missing ad elements aid in evasion
Ghostcat malware has changed into a streamlined malicious code delivery system by ditching creative and landing pages (see Figure 2). When served into a non-target environment, Ghostcat delivers nothing, often leaving an empty iframe or the occasional quixotic pink box (see Figure 3) This “obfuscation by omission” makes it difficult to not only detect a Ghostcat campaign, but also block it in real time.
Creative audits as first line of defense
The lack of included creative and landing page betrays an astonishing level of confidence bordering on arrogance regarding Ghostcat’s access to digital buying platforms. A campaign missing such critical elements—the most essential in digital advertising—should not pass an initial creative audit.
Platforms will have to reconsider their partnerships with upstream buying platforms that continually let Ghostcat slip through. Turning a blind eye to such obvious malware should have consequences.
- Continuous client side scanning to identify behavioral in known threats
- Counteract cloaking schemes through by variating geographic and device profiles
- Monitor upstream partners for repeated violations