Ad blockers, often treated as the last line of defense against the onslaught of malvertising campaigns, are not a complete one: today, Malwarebytes published new research detailing a malvertising campaign that successfully bypasses ad blockers to deliver its malicious payloads.

This malvertising campaign is named RoughTed after the malicious domain on which it was first spotted in March 2017, but Jérôme Segura, the Malwarebytes security researcher who came across it, says there are clues showing that RoughTed has been active for over a year.

The campaign is complex and well designed (from a crook's standpoint), as it leverages multiple tricks of the trade, most of which have allowed it to grow largely undetected for so long.

The word that best describes RoughTed is "diversity." The operators of this malvertising campaign not only draw traffic from different types of sources, but also use several distinct user-fingerprinting techniques and deliver very different malicious payloads.

Adf.ly, ExtraTorrent, Openload delivered malicious ads

Traffic to this malvertising campaign comes from ads displayed on thousands of sites. Some of these are small, personal sites, while others are in the Alexa Top 500. Malwarebytes says it detected RoughTed-tainted ads on sites such as Adf.ly, ExtraTorrent (now defunct), Openload, and Ouo.io, to name just a few of the bigger ones.

According to Segura, RoughTed domains have accumulated over half a billion visits in the three months since he started tracking the campaign.

Working with Sucuri, Segura also identified malicious ad code inserted directly into the source code of smaller sites. Whether the site owners placed the code there themselves or it was injected after the sites were hacked is unknown.

RoughTed uses aggressive fingerprinting

The malicious code present in these rogue ads silently loads several scripts in the background of the browser, which redirect the user through dozens of URLs, each performing various checks before a payload is chosen.

"[T]here is some aggressive fingerprinting which I think most ad networks wouldn't do because it's very privacy invasive," Segura told Bleeping Computer in a private conversation today, describing RoughTed's scripts.

These include checks for browser type, operating system, language settings, and geolocation. Segura says some of these scripts have been specifically designed to detect when users are faking their User-Agent string.

The techniques range from the now-standard HTML5 canvas fingerprinting to checking for a list of installed fonts, which differ from one operating system to another and therefore give away a User-Agent that claims a different OS than the one the browser is actually running on.
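The following is an added illustration, not code from RoughTed or from Malwarebytes' report, of how a fingerprinting script can cross-check the operating system claimed in the User-Agent against two side channels it cannot easily fake: navigator.platform and the set of installed fonts. The OS-to-font table and the two sample fingerprints are constructed for this example; in a browser, the font list would come from a probe loop that measures a test string rendered with each candidate font family.

```javascript
// Added example: User-Agent spoof detection by cross-checking side channels.
// Not RoughTed's code. OS_FONTS is an assumed, illustrative signature table.
const OS_FONTS = {
  windows: ['Segoe UI', 'Calibri', 'Cambria'],
  mac: ['Helvetica Neue', 'Menlo', 'Geneva'],
  linux: ['DejaVu Sans', 'Liberation Sans', 'Ubuntu'],
};

// What the User-Agent string claims the OS is.
function osFromUserAgent(ua) {
  if (/Windows NT/i.test(ua)) return 'windows';
  if (/Mac OS X/i.test(ua)) return 'mac';
  if (/Linux|X11/i.test(ua)) return 'linux';
  return 'unknown';
}

// What navigator.platform reports (independent of the UA override in most tools).
function osFromPlatform(platform) {
  if (/^Win/i.test(platform)) return 'windows';
  if (/^Mac/i.test(platform)) return 'mac';
  if (/^Linux/i.test(platform)) return 'linux';
  return 'unknown';
}

// Pick the OS whose signature fonts appear most often in the probed font list.
function osFromFonts(fonts) {
  const present = new Set(fonts);
  let best = 'unknown';
  let bestScore = 0;
  for (const [os, signature] of Object.entries(OS_FONTS)) {
    const score = signature.filter((f) => present.has(f)).length;
    if (score > bestScore) {
      best = os;
      bestScore = score;
    }
  }
  return best;
}

// Flags the visitor as spoofed when any side channel that yields an answer
// disagrees with the OS claimed in the User-Agent.
function detectUserAgentSpoof(fp) {
  const claimed = osFromUserAgent(fp.userAgent);
  const fromPlatform = osFromPlatform(fp.platform);
  const fromFonts = osFromFonts(fp.fonts);
  const witnesses = [fromPlatform, fromFonts].filter((o) => o !== 'unknown');
  const spoofed = witnesses.some((o) => o !== claimed);
  return { claimed, fromPlatform, fromFonts, spoofed };
}

// Constructed sample fingerprints (in a browser these come from navigator.*).
const SAMPLES = {
  // A genuine Windows 10 visitor.
  honestWindows: {
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36',
    platform: 'Win32',
    fonts: ['Segoe UI', 'Calibri', 'Arial'],
  },
  // A macOS analysis box presenting a Windows User-Agent.
  spoofedMac: {
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36',
    platform: 'MacIntel',
    fonts: ['Helvetica Neue', 'Menlo', 'Arial'],
  },
};

for (const [name, fp] of Object.entries(SAMPLES)) {
  console.log(name, detectUserAgentSpoof(fp));
}
```

A visitor whose User-Agent says Windows but whose platform string and fonts point to macOS is the profile of a researcher's sandbox rather than a real victim, which is exactly the kind of visitor a malvertising chain wants to send a clean page instead of an exploit kit. Note that spoofing only the User-Agent, as many analysis tools do by default, is not enough to pass such a check; the platform, the font set, and canvas output all have to agree.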

RoughTed bypasses ad blockers

The most eye-catching script, however, is the one that detects whether the user is running an ad blocker extension and then works around it.

Users of several ad blockers, such as Adblock Plus, uBlock Origin, and AdGuard, have recently complained about advertisements that get past their blockers.

Segura attributes this to RoughTed, but notes that other malvertisers are using ad blocker evasion techniques as well.

"[O]thers are using similar code as well, but RoughTed is on a much larger scale," the Malwarebytes expert told Bleeping Computer.

In other words, while the maintainers of ad-blocking technologies were busy fighting off advertisers and online publishers, malvertisers have crept up behind them and outsmarted some of their filters, at least for the time being. The practical lesson is that an ad blocker cannot be the only control: the exploit kits this campaign redirects to still depend on an unpatched browser or plugin to succeed.

As a closing note, and further evidence that RoughTed is not your run-of-the-mill malvertising campaign, its operators have not fixated on delivering a single type of payload to their victims. According to Segura, RoughTed has sent unwitting users to:

➠ different exploit kits (RIG EK, Magnitude)

➠ tech support scam pages

➠ download pages for Mac adware

➠ download pages for Windows PUPs

➠ rogue Chrome extensions

➠ iTunes and App Store pages, as part of pay-per-install schemes

➠ annoying online surveys

IOCs and other details about the campaign are available in Malwarebytes' RoughTed report.