RoughTed is a large-scale malvertising campaign that peaked in March of this year but has been active for more than a year. Both Windows and Mac operating systems are targeted, as well as iOS and Android. The operation is quite rare in its comprehensiveness, having used a variety of malicious approaches, from exploit kits to online scams such as fake tech support scams, fake updates, rogue browser extensions, and so on.
RoughTed has also been detected using geolocation to deliver relevant payloads to the exact victims. One of the recently deployed payloads is the infamous Cerber ransomware.
RoughTed Malvertising Campaign in Detail
Jérôme Segura, researcher at Malwarebytes, estimated that the traffic sent via domains related to RoughTed accumulated more than half a billion hits. This traffic also led to many successful infections and this is no surprise as it was combined with highly effective methods that lure users and bypass ad-blockers.
Whoever is behind the malvertising campaign has also been leveraging the Amazon cloud infrastructure, especially its Content Delivery Network. This however is only a small part of the puzzle where ad redirections from various ad exchanges are mixed in to make deciphering the operation quite challenging.
Several factors in this operation stand out. Researchers were able to determine that the traffic comes from thousands of publishers, some of which were even ranked in Alexa’s top 500 sites. Another fact worth mentioning is that the associated domains accumulated more than half a billion visits in the past 3 months alone.
Fingerprinting and tricks for bypassing ad-blockers were also part of the malvertising campaigns. The worst part, however, is that RoughTed has helped deliver a number of malicious payloads on various platforms, ranging from online scams to malware and ransomware.
Researchers observed RoughTed campaigns closely and noticed the roughted[.]com referrer, which was redirecting to the RIG exploit kit. While they were mining their data set, they started seeing that pattern for more than a hundred other domains.
Most of these domains were created via the EvoPlus registrar in small batches, each with a new .ru or .ua email address. Another similarity these domains share is that they are deployed as a means to bypass ad-blockers.
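The hunting approach the researchers describe, seeding on referrers that redirect to an exploit-kit landing host and then pivoting on registration metadata to find batch-registered sibling domains, can be reproduced as an added example (not code from the article or from Malwarebytes). All log and registration records below are constructed samples; the landing host name and the seven-day batch window are assumptions.

```python
from datetime import date, timedelta

# Constructed sample proxy log: (referrer host, destination host).
# "rig-landing.example" stands in for an exploit-kit landing host; no real
# indicators beyond roughted.com from the article are used.
PROXY_LOG = [
    ("roughted.com", "rig-landing.example"),
    ("roughted.com", "rig-landing.example"),
    ("news.example", "cdn.example"),
    ("adredir-a.example", "rig-landing.example"),
    ("adredir-b.example", "shop.example"),
]

# Constructed registration records: domain -> (registrar, contact email, created).
REGISTRATIONS = {
    "roughted.com":      ("EvoPlus",  "r1@mail.ru",         date(2017, 3, 1)),
    "adredir-a.example": ("EvoPlus",  "r2@mail.ru",         date(2017, 3, 2)),
    "adredir-b.example": ("EvoPlus",  "r3@post.ua",         date(2017, 3, 2)),
    "old-c.example":     ("EvoPlus",  "r4@mail.ru",         date(2016, 6, 1)),
    "news.example":      ("OtherReg", "admin@news.example", date(2010, 1, 1)),
}

SUSPECT_EMAIL_TLDS = {"ru", "ua"}  # the batch pattern noted in the write-up

def referrers_to(log, landing_hosts):
    """Referrer hosts that redirected at least once to a landing host."""
    return {ref for ref, dst in log if dst in landing_hosts}

def batch_siblings(seed, regs, window_days=7):
    """Domains registered like `seed`: same registrar, .ru/.ua contact email,
    created within `window_days` of the seed (heuristic assumption)."""
    registrar, _, created = regs[seed]
    window = timedelta(days=window_days)
    return {
        d for d, (reg, email, when) in regs.items()
        if d != seed and reg == registrar
        and email.rsplit(".", 1)[-1] in SUSPECT_EMAIL_TLDS
        and abs(when - created) <= window
    }

def expand_campaign(log, regs, landing_hosts):
    """Seed on observed referrers, then pivot on registration metadata."""
    seeds = referrers_to(log, landing_hosts)
    found = set(seeds)
    for s in seeds:
        if s in regs:
            found |= batch_siblings(s, regs)
    return sorted(found)  # returns ['adredir-a.example', 'adredir-b.example', 'roughted.com']

if __name__ == "__main__":
    print(expand_campaign(PROXY_LOG, REGISTRATIONS, {"rig-landing.example"}))
```

Note that old-c.example shares the registrar and email TLD but falls outside the batch window, so it is not pulled in; a looser window trades precision for recall.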
Most of the traffic for the campaign comes from streaming video or file sharing sites in combination with URL shorteners, which is typical of malvertising.
As mentioned earlier, many of the domains are ranked in Alexa’s top 1000. Visitors to these websites are targeted with ads, some of which originate from RoughTed.
Sucuri researchers, on the other hand, made another curious observation regarding the involvement of ‘personal’ websites in the malvertising campaign. Apparently, webmasters knowingly integrated an ad code script from the advertising company Ad-Maven into their pages to monetize their websites.
Mac Machines Also Targeted
Mac owners should also be aware of this malvertising campaign. A fake Flash Player update has been detected targeting Mac users, masquerading as a file that comes from Apple. Needless to say, users should be extra cautious with updates that are “served” this way. Unfortunately, cybercriminals are very good at creating tricky pages and may also use scareware tactics to improve the chance of a successful compromise.
The Windows operating system, on the other hand, has been targeted with fake updates for Java and Flash, and also with fake codecs. Pages tricking users into installing such fake updates are mixed with adware.
Chrome Targeted with Rogue Browser Extensions
Even though Chrome is often referred to as one of the safest browsers, it has fallen victim to the RoughTed campaign. Users may even be forced to download malicious Chrome extensions. The pop-up leading to the download may contain a text like “Add extension to leave” or something of the sort.
Furthermore, both iOS and Android appear to be targeted by the campaign.
In short, researchers say it is really troublesome that ad-supported content is being used to distribute scams or malware. What is worse is that even users with ad-blockers are not spared and fall victim to the campaign. Who is responsible? Is it the ad networks, or is it the publishers that deliberately expose users to malicious code in the interest of ad revenue?