This article originally appeared in SC Magazine on October 2, 2019.
The cat came back the very next day… and it keeps coming back.
A malvertising operation designed to infect online publishers with browser-hijacking malware called Ghostcat-3PC has launched at least 18 separate infection campaigns in the last three months alone, according to a new report from the Digital Security & Operations (DSO) team at The Media Trust. Over that time, the DSO team stopped more than 130 distinct attacks, the report continues.
So far, it appears that Ghostcat’s owners have been targeting website visitors based in the U.S. and Europe, with a goal to hijack their mobile browser sessions. At this point, there are at least four different versions of the malware, which leverage obfuscated code and delivery patterns to avoid signature-based detection.
An infection starts when a user visits a website and is delivered a malicious advertisement. At this point, the Ghostcat malware fingerprints the browser to determine if the ad is running on a genuine web page (as opposed to a sandbox environment) and if it’s running on one of over 100 specifically targeted publishers. If the answer to both questions is yes, then a malicious concatenated URL is served.
This URL delivers obfuscated JavaScript that, once decoded, executes embedded code that checks for additional conditions. The malware confirms that the code is running on a mobile device in a mobile-specific browser, that the device is located in a targeted country, and that it is not running in a sandbox environment.
“If the checks concluded that the user fit the targeted profile, the malware would append a malicious script to the end of the page, assigning the obfuscated URL as its source, and initiate a fraudulent popup,” the report states. “This popup, if clicked, would lead the user to malicious content.”
The attackers behind this campaign split and obfuscate their URLs as a trick to fool publishers’ blocker scripts: a blocker that scans the ad creative for known malicious signatures or dangerous domains never sees the complete domain string, only fragments that are reassembled at runtime, so the signature and domain matching fail, The Media Trust reports.
“The DSO continues to track the attack, knowing more incidents involving other iterations of the malicious code is likely still out in the wild, attacking poorly protected websites and infecting their users,” the report says. In the meantime, The Media Trust recommends that publishers review their logs for the presence of malicious domains, implement smart blockers, and coordinate with upstream digital partners to remove malicious ads.