Malware thrives in a blocking world

Malware thrives in a blocking world
featured image

This article originally appeared in Digital Content Next on October 14, 2019.

Security professionals continue to tell us that the threat landscape is constantly evolving and it’s not uncommon for The Media Trust’s Digital Security & Operations (DSO) team to discover a new threat firsthand. For example, the industry has been testing the effectiveness of malware blockers in lieu of scrutinizing code in the ecosystem. Unfortunately, the result is that publishers are experiencing larger, more penetrating attacks.

A current attack, named Ghostcat-3PC by our DSO, involves malware running behind the scenes. It slips through third-party feed-based malware blockers in order to hijack mobile browser sessions in the U.S. and Europe. Over the course of three months, the DSO discovered more than 130 different outbreaks related to this attack that affected hundreds of well-known publishers.

We detected the malicious ad while analyzing suspicious code from ad files hosted on two cloud platforms, one of which had the URL: qing.js. The malware hid in an ad served to publisher websites. When the malicious ad was delivered to the browser, it lifted browser fingerprints and used them to check whether the ad was running on one of 100+ publishers it was targeting. Each campaign centered on code containing its own list of 100+ publishers that was distinct from the lists of the other campaigns.

Exploiting defense security weakness

The malware achieved persistence by disguising malicious code – either by cloaking it with additional characters at both ends or splicing with additional characters. Most blockers work by detecting known malicious code found in an ad tag or on a publisher site. If the malicious code fails to match any code on the blocker’s keyword list, it will run as designed. Any change to the targeted code, no matter how minor, will prevent the blocker from recognizing it as a threat.

Knowing blockers’ fundamental weakness, attackers split the URL of the malicious domain, qing.js. In this scenario, blockers on the lookout for “qing.js” failed to recognize the disguised URL and therefore allowed it to run. For good measure, the attackers also used hexadecimal encoding to add a layer of obfuscation to the concatenated URL and the JavaScript file that delivered it.

These changes to the URL, combined with the large number of subdomains in use, made the attacks hard to detect and, even once discovered, hard to follow. Obfuscation blurred any connection between the subdomains and the ads, making these links impossible to find except by experts who find and track evolving threat patterns. 

Tracking the progress of this massive attack

The malicious attack was out of the ordinary — not only in sophistication but also in scale. The Media Trust identified and rebuffed more than 130 outbreaks linking back to 18 strikingly similar malicious campaigns over just three months. In that period, the malware script morphed into four different versions, each one concatenating URLs to hide from blockers. This method of foiling blockers enabled attackers to repeatedly infiltrate the supply chain—unimpeded—and infect hundreds of publisher websites and their millions of users.

We noted the malvertiser’s use of a host and file naming convention. The pattern emerged once the number of split URLs hosting the malicious script and the number of infected ad campaigns appeared to have reached a critical mass. The convention seemed to associate the script with and track each campaign.

To track the script’s progress, file names and hosts varied with each campaign, and included the JavaScript file name and the image width. Note the strict naming convention for JavaScript file names, which includes the use of Chinese words for:

  • Numbers (“ba” means 8 and “si” means 4)
  • Elements (“shui” means water)
  • Basic colors (“huang” means yellow, “zi” means purple, “qing” means green, “cheng” means orange)
  • Animals(“niu” means cow)
  • Vehicles (“che” means car, “sanling” means Mitsubishi)

The URL naming convention suggests the involvement of a group of hackers who continually morph their code and URLs to track their progress. Their tracking did not end here. They appeared to also track the presence of known signature-based security defenses, perhaps to find out how each would respond to the malware. In other words, they might be tracking whether these security tools have been updated to recognize the code and impede its progress.

Protecting the digital ecosystem from this threat

Today’s new and emerging threats are designed to fool signature-based security tools by combining a number of advanced techniques in obfuscation and morphing. In such a challenging environment, the best defense is one that involves collaboration with the entire digital supply chain on identifying and rooting out malicious actors.

Clearly, as publishers embrace blockers’ set-and-forget convenience, malicious actors are taking note.  A single security solution will be no match against the thieves and fraudsters who continue to sharpen their saws. Nor will it fulfill the data security requirements of a rising number of data privacy laws like the upcoming California Consumer Privacy Act. More importantly, consumers are willing and able to vote with their feet—and file lawsuits. And they won’t entrust their business to companies that can’t be trusted with their data.