Threat actors are known to use several methods to lure victims into their websites and make them download their malicious payload, which will allow them to take full control of the system.
However, a recent report indicated that threat actors have been using a malvertising campaign for dropping info stealers and other malware that are probably used for initial compromise for ransomware operations.
Advanced IP Scanner – Malvertising campaign
Cleverly, threat actors have been utilizing Google ads and search engines to display their malware page to the victims. Though the domain seemed to be legitimate, it was created at the end of July 2023 and is found to be hosted in Russia at 185.11.61[.]65.
In addition, threat actors have deployed methods like network defenders which include checking the IP source for its legitimacy and previous logs of the IP address to analyze whether the IP has already visited the website.
This allows the threat actors to find whether there is a VPN or proxy involved. This server-side check is performed to allow only clean IPs to see the original contents.
The malicious website appears innocent before threat actors switch it to the malicious version. Diving deep into the website, an obfuscated JavaScript code was found which was base64 encoded. This script is loaded before anything on the website.
Deobfuscation
The code was deobfuscated, which revealed several functions that are performed by the JS code, which include,
Browser properties like Screen and window size
Time Zone details (Difference between UTC time and local time)
Video card driver information and
MIME type for MP4 file format.
When the server side confirms the IP is clean, it shows the original website that is shown to the victims, which has the option to download a malicious file.
Once this information is gathered from visitors, they are then sent to the attacker’s server through a POST request. Further passing the data will allow the threat actor to decide on what actions to take further.
Conflict with Other Advertising accounts
One of the major blockers for stopping these kinds of malware websites is that it is difficult to find and report these kinds of events.
The platform serving this malicious website needs to validate the information from the malicious website before taking any action against the account.
This is due to the fact that other legitimate advertiser accounts must not be affected. However, finding these kinds of websites takes several hours, within which the threat actors can lure tens of thousands of victims and make them download the malware.
A complete report has been published by Malwarebytes, which provides detailed information on this malware campaign.
Users including security professionals are recommended to take precautions before visiting and downloading any scanners from an unknown website as it could be a potential malware.