A malvertising group named VeryMal that targets Mac users has changed up its tactics, ditching steganography as its obfuscation technique. Instead, it’s using ad tags that fetch a payload from Google Firebase in order to redirect users to malicious pop-ups.
Confiant estimates that close to 1 million user sessions have been potentially been exposed to this malvertising campaign.
According to analysis from the firm this week, VeryMal has been using display-ad redirects to send unwitting web surfers to fake Flash updates. When someone clicks on a malicious ad on a website, a popup asking her to “update their Flash player” will appear. If she clicks yes, the payload is fetched and deployed—in this case, the Shlayer trojan. Shlayer leverages shell scripts to download additional malware or adware onto the infected system.
Confiant said that VeryMal’s campaigns have so far been widespread, Mac-focused and stealthy to date. They have also been incorporating steganography as an obfuscation technique to hide the redirection code. Steganography, the practice of hiding malicious code in image files, is becoming more prevalent given the rising sophistication of detection mechanisms – as Confiant points out, JavaScript obfuscators tend to leave artifacts: “a very particular type of gibberish that can easily be recognized by the naked eye,” the firm said.
While steganography remains an effective tactic for the bad guys, VeryMal has gone in a new direction of late, leveraging Google Firebase.
“True to their persistent nature, these forced redirect campaigns have not subsided, but the delivery mechanism continues to evolve in a new and clever direction,” Confiant researcher Eliya Stein said in a post on Tuesday. “Steganography is no longer part of the equation for the campaign that spawned the redirects…but rather a seemingly innocuous ad tag is to blame.”
Google’s Firebase engine is a cloud service for mobile app development. Part of its suite of features is Cloud Firestore, which allows coders to create serverless apps. Cloud Firestore allows users to “store and sync data between users and devices – at global scale – using a cloud-hosted, NoSQL database.”
The code that VeryMal is using in the new ad tags requests data from the attacker’s Firestore database and then executes it as JavaScript.
“A closer look at the payload returned from Firestore reveals what can be described as a more traditional looking malvertising payload with elements of fingerprinting and obfuscation,” Stein explained.
After first checking to see if it’s running in a desktop Safari environment, the code has a sub-condition that checks to see if “navigator.javaEnabled()” has been tampered with in the current environment. If all checks out, the payload will redirect the unsuspecting visitor to the Flash prompt. The notable aspect however is that the tag looks to most people and defense mechanisms like a normal, innocuous ad tag.
“Even though the act of loading this payload, the obfuscation and the fingerprinting is not exactly a technical feat — the significance of utilizing a technology like Firebase in this way helps to illustrate the demarcation of an emerging trend in the malvertising world,” Stein said. “The Firebase code looks very similar to typical vanilla ad tech. This is a great illustration of how in just a short amount of time the game has changed, and these days it’s all about subtle payload delivery.”
Google has suspended the abused Firebase accounts, but the technique is probably not going away, researchers said.
“One point that’s very clear from even a cursory analysis … is that this attacker is prepared to pivot at a moment’s notice,” Stein concluded. “There are subtle and (not so subtle) variations in their client-side malware that show active development around fingerprinting techniques, steganography, domain variation, and even anti-debugging traps and sinks. Things like this are specifically designed to thwart reverse engineering.”