A Hong Kong-based advertiser has mounted a snowballing campaign, compromising more than 100 million ads to date by forming relationships with legitimate ad platforms to gain access to premium audiences. From there, it often pushes malware onto victim machines.

The malvertiser, operating under the name “fiber ads,” redirects those who view its advertisements to a variety of nefarious schemes.

“Anything is possible – the best-case scenario is a gift card or cellphone giveaway scam, but there is plenty of evidence that suggests a network of landing pages that carry much higher risk [from malware], such as tech support scams or fake anti-virus downloads,” said Eliya Stein, a senior security engineer at Confiant, in a posting on Wednesday.

Inklings of the campaign surfaced earlier in the year, with reports of malvertisements showing up through Windows 10 desktop applications. French security researcher and blogger Malekal for instance flagged unusual activity in April:

There is a #malvertising on @Microsoft Services in France.

Users report Ads scam on Outlook, game, etc.

I will try to isolate it. pic.twitter.com/Z83xAaj9R4 — Malekal's site (@malekal_morte) April 23, 2019

Upon further examination, Stein said it became apparent that ads within applications weren’t the only conduit for the attacker.

“This application-based activity is likely just spillover from this bad actor’s already active and disruptive malvertising rampage,” Stein said. “This attacker has been seen on multiple platforms and exchanges,” targeting both desktop and mobile users, he added.

In analyzing the domains that are serving the ads, “in just 2019 so far, we have seen them churn through over 50 domains, all of which are registered at Namecheap,” Stein said. “Malvertising activity that fits this MO can be traced back to over 100 additional domains going all the way back to 2017. New ad serving domains from this malvertiser continue to surface on a weekly basis on varying platforms.”

The campaign volumes associated with the attribution model paint a picture of a very active and persistent malvertiser. Since January, there have been two peaks of 28 million and 14.5 million compromised ads respectively, with more than 100 million malicious ads served this year as of mid-June.

Payload Analysis

In many cases, malware is being proliferated through these campaigns, such as ReImageRepair, a known scam software.

“Most malware installers of this nature are designed to siphon as much revenue as possible from a compromised machine,” Stein explained. “Usually this takes place in the form of a software that orchestrates further ad fraud or targets the victim directly – or both.”

In the case of ReImage Repair, it doesn’t take any direct malicious action on the infected host, but rather looks to scare victims into coughing up money.

After the installer is run and installs ReImageRepair.exe, ReImageRepair will start “scanning” the system, Stein said. When the scan finishes, it asks the user for a license key to start “repair” of the computer. If the victim provides payment, a version of the legitimate Avira antivirus is installed on the machine.

The malvertiser’s campaigns are delivering numerous variations on this theme, including fake “Mac cleaning” apps spreading the Mughthesec macOS malware.

Manipulating the Advertising Supply Chain

Notably, the fiber ads adversary (and related entities) is acting as a middle man to broker ad-placement deals on behalf of multiple clients.

Demand-side platforms (DSPs) offer ad inventory that’s been put up for sale by app developers or website owners. Buying ad placements in real time through DSPs gives advertisers the ability to target their desired audiences as they are actually browsing websites. The entire process is automated and allows user to roll out ad campaigns at scale across multiple platforms, including mobile, desktop and even gadgets like smart TVs.

In the case of fiber ads, it partners with legitimate DSPs to buy access to marketing inventory on behalf of those clients who are often sourced on “grey-web” sites frequented by click-fraudsters and the like, according to Stein. These clients are merely looking for traffic/ad impressions rather than conversions to actual product purchases or other traditional marketing outcomes — so the redirects are a non-issue as long as an ad impression is captured.

“At the time that this attacker first started getting some notice from researchers and the media, the entry point for them was often…the ad-serving domain for Platform161,” Stein said. Platform161, a legitimate DSP, quickly blocked the malvertiser once notified of the activity.

So, fiber ads can make money as a middle man earning a brokerage fee for procuring traffic for these clients, while also reaping the benefits of successful scams and malware infections that stem from redirecting those clients’ ads to malicious sites. They can also sell the scams and malware infections themselves.

“The middle men provide the delivery mechanism, but from there the trail can get murky very quickly as the ultimate payload probably goes to the highest bidder, or to whomever the malvertiser is partnered with at that particular moment,” Stein said. “We would like to suggest that ad tech [DSP] platforms take extra care to vet their advertisers — and if something smells a bit fishy, like a buyer incorporated in a dodgy jurisdiction, it might be prudent to bypass that business opportunity altogether.”

Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More