ICEPick-3PC: New Malware Steals Device IP En Masse

Authored by Michael Bittner, Digital Security & Operations Manager at The Media Trust.

Advertising agencies and marketers will need to rethink their priorities when deciding to move from managed services to a self-service platform. In December, The Media Trust’s Digital Security & Operations (DSO) team identified a malware strain that executes after hackers hijack a website’s third-party tools, which are designed to incorporate interactive web content, such as animation via HTML5. These third-party tools are often pre-loaded onto client platforms by self-service agencies. The malware affected more than 100 clients of The Media Trust, including recognized publishers and e-commerce businesses in retail, healthcare, and a variety of other industries.

Named “ICEPick-3PC” (with a nod to the ICE protocol used to establish an RTC peer connection) by The Media Trust, the malware conducts the usual checks on user agent, device type, whether the device is an Android device, battery level, device motion and orientation, and referrer. Interestingly, the check on referrer is made to avoid known malware scanners like The Media Trust, and the check on battery level was observed as recently as the fall of 2018 in another malware. That ICEPick-3PC appears to target Android devices is likely because their open-source-specific vulnerabilities are known. Once the malware determines it has infected an Android device and has cleared the other checks, it makes an RTC peer connection between the infected device and a remote peer, then sends the extracted device IP to the remote device. 

Compromised Websites Enable Future Attacks 

When users visit a website with a compromised third-party library, the malware examines the user device before downloading. The extraction and collection of IPs represents the largest scale of IP theft the DSO has observed to date and marks a significant advancement in malware authoring, as stealing IP en masse with such efficiency demands rarefied coding skills. But now that this malware has overcome such hurdles and even breaks through VPNs in order to intercept IPs, it enables bad actors to identify users’ device vulnerabilities, and leaves the devices wide open for exploit targeting and potential future attacks. 

Earlier sightings of this malware date back to the spring of 2018, when it was used to spam device owners with redirects to phishing content that congratulates them for (falsely) winning a Walmart or Amazon card and prompts them to enter sensitive information, which goes directly to a malicious command and control server. As the year progressed, the malware picked up new capabilities that blaze new trails in stealth and persistence and can be used to target users for attackers’ political and financial gain.

The DSO suspects, given the malware’s level of sophistication and advanced techniques, that it is likely the product of dark code from organized cybercrime rings. If this is the case, the attack on recognized publishers and e-commerce businesses might portend a larger-scale attack, or, at the minimum, the illegal trading of user information in the near future.

Find Out, Root Out, and Keep Out ICEPick-3PC

Most offending self-service agencies use the GreenSock Animation Platform (GSAP), a library of JavaScript tools for HTML5 animations. Malicious code is injected into TweenMax, one of GSAP’s most popular tools, and CreateJS, another suite of tools, while self-service agencies implement the libraries on a website. The delivery of the malicious ads triggers the redirections. 

In order to protect sites from this malware, publishers and e-commerce businesses should thoroughly vet the self-service agencies they work with for security weaknesses and avoid repeat offenders. They can also detect such offenders by scanning interactive ads and site pages for unauthorized code.