This article was authored by Mike Bittner, Associate Director of Digital Security & Operations at The Media Trust.
A Seemingly Common Attack
The Media Trust has uncovered malicious campaigns streaming through one of the world’s largest global demand-side platform (DSP) adtech providers. The team detected the attacks while monitoring premium websites and mobile apps on devices using iOS version 12. Hiding within a PNG file to escape detection and persist, the malware behind the attack, named Stegoware-3PC by the Digital Security & Operations (DSO) team, automatically redirects site visitors to a phishing scam. At least five top-tier publishers, three demand-side vendors, and 11 other adtech vendors were exploited to serve malware to tens of millions of consumers.
This phishing scam masquerades as ads from a well-known e-commerce retailer, an outdoor apparel manufacturer, or other widely known brands. The ads prompt visitors to shop and, in so doing, enter their personal information. The malware exfiltrates the information and sends it to a malicious command and control server.
The DSO provided the DSP that was spreading the malware with a Buyer Seat ID number, which the latter used to provide direct attribution to the source of the malware. The team also notified and shared the digital threat intelligence with clients and their upstream partners to help them also identify the malicious buyer and shut down the evolving attacks.
A New Standard in Detection-Avoidance Techniques and Procedures
Steganography and images embedded with malware are not new to the digital advertising ecosystem. Stegoware-3PC’s tactics and techniques reflect important strides in malware authorship. It was written with an economy of code—only 149 lines to be exact. By contrast, ShapeShifter-3PC, another malware that used multiple malicious domains, contained more than 2,000 lines of code. Yet Stegoware-3PC’s parsimonious use of code belies its sophisticated techniques and procedures: it triggers two PNG files that conceal malicious code, makes use of multiple malicious domains once the users are redirected, and conducts various checks to make sure it is executing in an iOS device and not an Android device, a sandbox, or virtual machine.
The malware delivery kit runs two sets of checks, each one directed by malicious code within the PNG files.
First PNG File
During the adload process, the malware triggers a zero-width PNG file containing malicious code that tries to ensure that it is rendering on an actual web page and that an actual user is viewing the ad. It conducts the following checks:
- The webpage is encoded in UTF-8, the preferred encoding for webpages.
- A touchmove event has occurred, indicating a user has moved their finger across the screen.
When both conditions are met, the malware delivers another zero-width PNG file.
Second PNG File
The second zero-width PNG file contains malicious code to determine whether or not the user’s device is an Apple product. To do this, the code performs the following checks:
- ProductSub is equal to “20030107” to indicate that the code will run on Apple Safari or Google Chrome.
- Pixels per inch is less than 8000 to identify and select older, less secure devices. Newer, updated devices have ppi of at least 8000.
- UNMASKED_VENDOR_WEBGL contains “Apple Inc” to ensure the code is executing on an Apple device.
- Navigator.platform is read to see whether the browser’s platform is an iPhone or iPad.
- Window.orientation is NOT equal to “0”. An orientation of zero indicates a device lying horizontally and likely not in the hands of a real user. This check attempts to evade scanning.
- The device supports 32-bit color, to avoid older desktops, which support 16-24-bit color.
The malware will not redirect users of Android devices.
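For defenders reviewing creatives, the two check lists above can be turned into a static co-occurrence heuristic. The following is an added example, not The Media Trust's detection logic or code recovered from the campaign; the regexes, the threshold and both sample scripts are assumptions constructed for illustration.

```javascript
// Indicators come from the two check lists above. The regexes, the threshold and
// both samples are assumptions of this example. The ppi check is left out because
// the article names no API for it.
const INDICATORS = [
  { id: "charset", stage: 1, re: /\b(?:characterSet|charset|inputEncoding)\b/ },
  { id: "touchmove", stage: 1, re: /\btouchmove\b/ },
  { id: "productSub", stage: 2, re: /\bproductSub\b|\b20030107\b/ },
  { id: "webgl-vendor", stage: 2, re: /\bUNMASKED_VENDOR_WEBGL\b/ },
  { id: "platform", stage: 2, re: /\.\s*platform\b/ },
  { id: "orientation", stage: 2, re: /\.\s*orientation\b/ },
  { id: "color-depth", stage: 2, re: /\b(?:colorDepth|pixelDepth)\b/ },
];

// Undo the cheapest hiding tricks so the indicators match: \xNN and \uNNNN
// escapes, "pro" + "duct" string splitting, and obj["prop"] bracket access.
function normalize(src) {
  const decode = (_, hex) => String.fromCharCode(parseInt(hex, 16));
  let out = src.replace(/\\x([0-9a-fA-F]{2})/g, decode).replace(/\\u([0-9a-fA-F]{4})/g, decode);
  let prev;
  do {
    prev = out;
    out = out.replace(/(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3/g, '"$2$4"');
  } while (out !== prev);
  return out.replace(/\[\s*(["'])([A-Za-z_$][\w$]*)\1\s*\]/g, ".$2");
}

// Each API is common in benign ads on its own; the signal is co-occurrence:
// a human-presence check plus at least three device-fingerprint reads.
function scanCreative(src) {
  const text = normalize(src);
  const hits = INDICATORS.filter((i) => i.re.test(text));
  const stage1 = hits.filter((i) => i.stage === 1).length;
  const stage2 = hits.filter((i) => i.stage === 2).length;
  return { hits: hits.map((i) => i.id), stage1, stage2, flagged: stage1 >= 1 && stage2 >= 3 };
}

// Constructed samples (not recovered code): property reads only, no payload.
const SUSPECT = String.raw`
var n = navigator, c = document.characterSet;
addEventListener("touchmove", seen);
var a = n["product" + "Sub"], b = n["\x70latform"], e = window.orientation;
var d = gl.getParameter(ext.UNMASKED_VENDOR_WEBGL), f = screen.colorDepth;
`;
const CAROUSEL = `el.addEventListener("touchmove", onSwipe); var bits = screen.colorDepth;`;

console.log(scanCreative(SUSPECT));
console.log(scanCreative(CAROUSEL));
```

A flag here is a reason to route the creative to dynamic analysis, not a verdict: legitimate analytics code can read several of these properties.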
Another Blocker Fails
Stegoware-3PC’s techniques prevented the DSP’s malware blocking solution from detecting it. The blocker’s failure is important to note as a growing number of digital supply chain players subscribe solely to conventional blockers that promise security and convenience. Such blockers often check domains that run in an ad rather than those that can access a webpage. Malicious domains, in general, have a brief shelf life by design. Moreover, those that access a page exist in far greater numbers than those found in an ad. More important, the tempo of new attacks, one every 30 seconds on average, outpaces the updates on many conventional blockers. Therefore, solutions based on the stability or lengthy duration of domains or on the analysis of domains to trail malicious actors are no match for the evolving sophistication of adversary tradecraft.
The main take-away from this incident is simple: today’s sophisticated, constantly changing attacks are designed to outmaneuver signature-based defenses like blockers. Publishers and their tech vendors must take a digital risk management approach that combines continuous monitoring of the digital ecosystem for suspicious or unauthorized code, using a smart blocker that receives updates every few minutes, and working with digital partners and third parties on sharing and applying digital threat intelligence to keep out or resolve any issues with unauthorized code.