Executive Summary
Threat actors have been abusing advertisement services to serve malware to users and to redirect traffic to websites that purchase traffic from them. To bypass the detection mechanisms these advertisement platforms use to uncover malicious domains, threat actors rely on a technique called a “Redirect Chain”, in which the malicious domain is served only in the last redirect instead of being embedded directly in the popup ad banner. Although the technique is simple, its sheer scale is alarming: the threat actors have managed to operate a network of 9,000+ domains for this purpose.
To shield against malicious advertisements on legitimate sites, install ad blockers and maintain updated software. Employ a comprehensive security suite, adjust browser settings, and be cautious of suspicious ads, verifying URLs before clicking. Stay informed about online threats, use click-to-play plugins, and consider a VPN for added privacy.
Modus Operandi
Abusing Advertisement Services
The utilization of advertisements as a conduit for malware delivery has proven to be an exceedingly lucrative strategy for threat actors. The inherent nature of online ads, which are pervasive across the internet, offers an expansive and unsuspecting user base as potential victims. Malicious actors exploit the trust users place in legitimate advertising platforms, capitalizing on the vast reach and frequency of ad displays to maximize their impact. By compromising ad networks or embedding malicious code within seemingly harmless ads, threat actors can deliver malware, ranging from trojans to ransomware, directly to users' devices. This approach provides a cost-effective means for attackers to deploy their malicious payloads without the need for elaborate distribution mechanisms. The threat actors either create accounts on these advertisement platforms using forged documents or, in some cases, source the credentials for existing accounts on various advertisement websites from infostealer malware.
“The whole ecosystem feeds on itself and it is a complete cycle as the same sourced accounts are used to deliver info stealer malware and compromise more users.”
Some of the popular advertisement services being abused by the threat actors are:
- Adsterra
- Rich Ads
- Juicy Ads
Most advertisement services allow a destination domain to be attached to the advertisement being shown; once the ad is clicked, the user is redirected to that domain. However, injecting malicious domains directly into these ad banners can get the accounts used by the threat actors blacklisted, because most platforms have mechanisms that stop malicious domains from being injected into ad banners. To evade this, threat actors use a technique called a “Redirect Chain”.
The Redirect Chain
Once a user clicks on any of the advertisements being run by the threat actors, they are taken to a domain that does not serve any kind of malware but merely redirects the user to the next domain. This is the first link in the chain, and we may call it the “Fingerprinting Domain”.
The Fingerprinting Domain
This first domain runs scripts in the user’s browser and detects a variety of things, such as whether the browser is running in an emulator, the user's device, region, etc. Based on this data and the type of ad banner clicked by the user, it creates a unique profile for each user and assigns a parameter called ‘key’. This value is unique for each user and is sent along with the GET request to the next domain, called the “Matcher Domain”.
The Matcher Domain
The “Matcher Domain” receives parameters from the “Fingerprinting Domain” and, based on them, decides which website to finally serve to the user. In the backend, it makes this decision based on factors such as the geolocation of the user, the user's preference in clicking ads, etc. For instance, someone who clicks on a finance-related ad is more likely to be redirected to crypto-related scam domains. The domain even detects whether the request is being made via a VPN or Tor, and in that case serves the user a fixed domain or redirects them to Google.
Final Domain
This is generally the malicious domain that asks the user to download a particular piece of software, to register on a betting website, or to enable notifications so that constant ads can be pushed to the user's desktop. This domain is the last in the chain as
A sample redirect chain in action can be seen here: https://drive.google.com/file/d/1yeLJotDlZJviHKg-T_Gd06DSt5vEl8sk/view?usp=sharing
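To make the chain described above concrete from a defender's side, the following added example (not code from the original report) reconstructs redirect chains from constructed proxy log lines and flags chains that hop across three or more hosts while carrying the per-visitor ‘key’ parameter. The log format, hostnames and key value are assumptions for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines for illustration (not from the original report).
# Format per line: <client-ip> <requested-url> <status> <Location header or ->
SAMPLE_LOG = """\
10.0.0.5 http://ads.example/click?cid=42 302 http://fp.example/in?cid=42
10.0.0.5 http://fp.example/in?cid=42 200 -
10.0.0.5 http://fp.example/go?key=a1b2c3d4 302 http://matcher.example/r?key=a1b2c3d4&geo=IN
10.0.0.5 http://matcher.example/r?key=a1b2c3d4&geo=IN 302 http://final.example/download
10.0.0.5 http://final.example/download 200 -
10.0.0.7 http://news.example/article 200 -
10.0.0.7 http://news.example/next 302 http://news.example/page2
10.0.0.7 http://news.example/page2 200 -
"""

def parse_log(text):
    """Split each log line into (client, url, status, location)."""
    rows = []
    for line in text.splitlines():
        client, url, status, loc = line.split()
        rows.append((client, url, int(status), None if loc == "-" else loc))
    return rows

def build_chains(rows):
    """Group each client's requests into chains. A request continues the
    current chain when it is the previous hop's Location target or lands on
    the same host (script-driven navigation, as on the fingerprinting
    domain); otherwise a new chain starts."""
    chains, current = [], {}
    for client, url, status, loc in rows:
        prev = current.get(client)
        host = urlparse(url).netloc
        if prev and (url == prev["next"] or host == prev["host"]):
            prev["hops"].append(url)
        else:
            prev = {"hops": [url]}
            chains.append(prev)
        prev["host"], prev["next"] = host, loc
        current[client] = prev
    return [c["hops"] for c in chains]

def assess_chain(hops):
    """Collect distinct hosts in hop order and any 'key' query values;
    a chain is suspicious when it spans 3+ hosts and carries a key."""
    hosts = []
    for h in hops:
        netloc = urlparse(h).netloc
        if netloc not in hosts:
            hosts.append(netloc)
    keys = {k for h in hops for k in parse_qs(urlparse(h).query).get("key", [])}
    return {"hosts": hosts, "keys": sorted(keys),
            "suspicious": len(hosts) >= 3 and bool(keys)}

def find_suspicious(text):
    """Return the assessment of every suspicious chain in a log."""
    results = [assess_chain(c) for c in build_chains(parse_log(text))]
    return [r for r in results if r["suspicious"]]
```

The flagged chain's host list is the sequence of fingerprinting, matcher and final domains to feed into blocklists or further pivoting.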
Infrastructure
What is alarming about this method used by the threat actors is the sheer scale of their infrastructure. We were able to identify 10 IP addresses, to each of which 9000+ domains have been pointed in the past 30 days. However, since the IPs are being rotated, the unique count is 9442 domains. In order to obtain such a large number of domain names, the threat actors either use some form of automation or source hacked websites that are already offered for sale in bulk on various dark web forums.
Certain Autonomous System Numbers (ASNs) have gained notoriety for their association with phishing and malware-related activities. This reputation often stems from a variety of factors such as:
- One common issue is the presence of lax security measures within these ASNs, making them attractive targets for cybercriminals who exploit vulnerabilities and host malicious content. Additionally, some ASNs allow users to register services anonymously, providing a conducive environment for malicious actors to operate without easy identification.
- The concept of "bulletproof hosting" is prevalent, where specific ASNs or hosting providers intentionally overlook illegal activities, enabling the hosting of phishing sites and the distribution of malware.
- Compromised networks, whether due to inadequate security or compromised credentials, can unknowingly facilitate these malicious activities.
- Another contributing factor is the failure of some ASNs to promptly respond to abuse reports or take sufficient action against illicit activities on their networks. Rapid changes in ASN ownership or management may signal instability, creating an environment where phishing and malware attacks can thrive.
Some of the ASNs that we were able to identify as associated with the campaign, and which have been reported for phishing, malware, etc., are as follows:
Code Analysis
One of the malicious JavaScript files used prominently in this campaign is called “invoke.js”. The script is heavily obfuscated.
Upon deobfuscation, we can see that on line 10 there is a variable called ‘lieDetector’ which is assigned a value from various functions that fingerprint the user’s browser and device.
Thereafter, once the user is verified, the script can, based on the key, make an HTTP request to other domains in the same campaign, and in this manner the user is passed through the redirect chain.
Mitigations
To protect yourself against the threat of malicious advertisements on legitimate sites, consider implementing the following mitigation strategies:
- Ad Blockers: Install reputable ad-blocking browser extensions or software to filter out potentially harmful advertisements. These tools can prevent malicious content from loading, reducing the risk of inadvertently clicking on a compromised ad.
- Keep Software Updated: Regularly update your operating system, web browsers, and security software. Software updates often include patches for vulnerabilities that threat actors may exploit to deliver malware through advertisements.
- Use a Security Suite: Employ a comprehensive security suite that includes features such as anti-malware, anti-phishing, and real-time threat detection. This can add an extra layer of defense against malicious advertisements.
- Browser Security Settings: Adjust your browser's security settings to their highest level. Configure settings to block pop-ups, disable automatic downloads, and enable browser-based security features that can help identify and block malicious content.
- Exercise Caution and Verification: Be skeptical of ads that seem too good to be true or employ sensationalist language. Avoid clicking on suspicious advertisements, and hover over links to preview the destination URL before clicking to verify its legitimacy.
- Educate Yourself: Stay informed about common online threats and tactics used by cybercriminals. Being aware of potential risks can empower you to recognize and avoid engaging with malicious advertisements.
- Enable Click-to-Play Plugins: Configure your browser to require permission before running plugins like Flash or Java. This way, potentially harmful content won't execute without your explicit consent.
- Use a Virtual Private Network (VPN): Employing a VPN can help mask your online activities and add an extra layer of privacy and security, reducing the risk of targeted malicious advertisements.
- Regular Backups: Regularly backup your important files to an external drive or secure cloud service. In the event of a malware infection, having up-to-date backups ensures that you can restore your system without losing critical data.
- Monitor Account Activity: Regularly review your financial and online accounts for any suspicious activity. Malicious ads may attempt to trick users into providing sensitive information, so staying vigilant is crucial for early detection and response.