RoughTed is a large-scale malvertising campaign that peaked in March this year but has been active for over a year. It targets Windows and macOS as well as iOS and Android. The operation is unusually comprehensive, using a variety of malicious approaches ranging from exploit kits to online scams such as fake tech support pages, fake updates and rogue browser extensions.
RoughTed has also been observed using geolocation to serve each victim a payload suited to their region. One of the recently deployed payloads is the infamous Cerber ransomware.
RoughTed Malvertising Campaign in Detail
Jérôme Segura, a researcher at Malwarebytes, estimated that the traffic sent via domains related to RoughTed accumulated more than half a billion hits. This traffic also led to many successful infections, which is no surprise given that it was combined with highly effective methods for luring users and bypassing ad-blockers.
Whoever is behind the campaign has also been leveraging Amazon's cloud infrastructure, in particular its Content Delivery Network. That, however, is only a small part of the puzzle: ad redirections from various ad exchanges are mixed in, making the operation hard to decipher.
Several factors in this operation stand out. Researchers were able to determine that the traffic comes from thousands of publishers, some of them ranked in Alexa's top 500 websites. Another fact worth mentioning is that the associated domains accumulated more than half a billion visits in the past three months alone.
Fingerprinting and tricks for bypassing ad-blockers were also part of the campaign. Worst of all, RoughTed has delivered a range of malicious payloads across platforms, from online scams to malware and ransomware.
Researchers observing RoughTed traffic noticed the roughted[.]com referrer redirecting to the RIG exploit kit. While mining their data set, they found the same pattern for more than a hundred other domains.
Most of these domains were registered via the EvoPlus registrar in small batches, each with a new .ru or .ua email address. Another trait these domains share is that they are deployed as a means to bypass ad-blockers.
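The two pivots described above (from a known referrer to the exploit-kit landing host, then from that host back to every other referrer feeding it, filtered by registration profile) can be scripted against proxy logs. The following is an added example, not code from the article or from Malwarebytes. The proxy log lines, the landing host `a1b2.landing.example`, the candidate domains and the registration records are all constructed for this example; only the seed referrer `roughted.com`, the registrar name EvoPlus and the .ru/.ua registrant-mail pattern come from the text.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines for this example (not real traffic).
# Format: <timestamp> <client_ip> <method> <url> <referer> <status>
PROXY_LOG = """\
2017-06-01T10:00:01Z 10.0.0.5 GET http://a1b2.landing.example/index.php?q=1 http://roughted.com/go 200
2017-06-01T10:00:02Z 10.0.0.5 GET http://a1b2.landing.example/flash.swf http://a1b2.landing.example/index.php?q=1 200
2017-06-01T10:03:10Z 10.0.0.9 GET http://a1b2.landing.example/index.php?q=7 http://trk-first.example/c 200
2017-06-01T10:05:44Z 10.0.0.12 GET http://cdn.legit-news.example/story.html http://www.google.com/ 200
2017-06-01T10:06:01Z 10.0.0.12 GET http://a1b2.landing.example/index.php?q=9 http://adz-second.example/r 200
2017-06-01T10:07:30Z 10.0.0.20 GET http://shop.example/cart http://trk-first.example/c 200
2017-06-01T10:08:12Z 10.0.0.21 GET http://a1b2.landing.example/index.php?q=3 http://honest-ads.example/click 200
"""

# Constructed registration records shaped like WHOIS output. The registrar name
# "EvoPlus" and the .ru/.ua mail pattern are from the article; every domain other
# than roughted.com, and every e-mail address, is hypothetical.
WHOIS = {
    "roughted.com":       {"registrar": "EvoPlus",      "email": "reg-one@example.ru"},
    "trk-first.example":  {"registrar": "EvoPlus",      "email": "reg-two@example.ru"},
    "adz-second.example": {"registrar": "EvoPlus",      "email": "reg-three@example.ua"},
    "honest-ads.example": {"registrar": "BigRegistrar", "email": "ops@honest-ads.example"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
SUSPECT_MAIL_TLDS = {"ru", "ua"}  # registrant-mail TLDs reported for the batch registrations


def parse_log(text):
    """Parse the six-field log format above; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, url, referer, status = m.groups()
        records.append({"ts": ts, "ip": ip, "method": method, "url": url,
                        "referer": referer, "status": int(status)})
    return records


def host(url):
    return (urlsplit(url).hostname or "").lower()


def landing_hosts(records, seed):
    """Pivot 1: hosts that clients reached directly from the seed referrer."""
    return {host(r["url"]) for r in records if host(r["referer"]) == seed}


def candidate_referers(records, landings, seed):
    """Pivot 2: every other referer domain that also sends traffic to those landing hosts.
    Requests referred by the landing host itself (follow-on resources) are ignored."""
    counts = defaultdict(int)
    for r in records:
        ref = host(r["referer"])
        if host(r["url"]) in landings and ref and ref != seed and ref not in landings:
            counts[ref] += 1
    return dict(counts)


def email_tld(address):
    return address.rsplit(".", 1)[-1].lower() if "." in address else ""


def shares_registration_profile(domain, seed, whois):
    """Same registrar as the seed and a registrant mail address in a suspect TLD."""
    cand, ref = whois.get(domain), whois.get(seed)
    if not cand or not ref:
        return False  # no registration data: cannot confirm, leave it as a candidate only
    return cand["registrar"] == ref["registrar"] and email_tld(cand["email"]) in SUSPECT_MAIL_TLDS


def pivot(log_text, whois, seed="roughted.com"):
    records = parse_log(log_text)
    landings = landing_hosts(records, seed)
    candidates = candidate_referers(records, landings, seed)
    related = sorted(d for d in candidates if shares_registration_profile(d, seed, whois))
    return {"landings": sorted(landings), "candidates": candidates, "related": related}


if __name__ == "__main__":
    result = pivot(PROXY_LOG, WHOIS)
    print("landing hosts:  ", result["landings"])
    print("candidates:     ", result["candidates"])
    print("same profile:   ", result["related"])
```

The registration check is what separates a real lead from noise: `honest-ads.example` also refers traffic to the landing host, as any ad network in the redirect chain might, but it does not match the EvoPlus plus .ru/.ua pattern and so stays a candidate rather than a confirmed related domain. In practice the Referer header is often stripped or rewritten by intermediaries, so a missing referer should be treated as unknown rather than as clean.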
Most of the campaign's traffic comes from streaming video or file sharing sites combined with URL shorteners, which is typical of malvertising.
As noted above, many of these publisher sites are ranked in Alexa's top 1000. Visitors to these sites are served ads, some of which originate from RoughTed.
Sucuri researchers, on the other hand, made another curious observation regarding the involvement of 'personal' websites in the campaign: webmasters had knowingly embedded an ad script from the advertising company Ad-Maven in their pages to monetize their websites.
Mac Machines Also Targeted
Mac owners should also be aware of this campaign. A fake Flash Player update has been detected targeting Mac users, masquerading as a file from Apple. Users should be extra cautious with updates "served" this way: cybercriminals are very good at crafting convincing pages and may also use scareware tactics to improve their chances of a successful compromise.
Windows, on the other hand, has been targeted with fake Java and Flash updates and with fake codecs. Pages tricking users into installing such fake updates are mixed with adware.
Chrome Targeted with Rogue Browser Extensions
Even though Chrome is often referred to as one of the safest browsers, it has not been spared by the RoughTed campaign. Users may be pressured into installing malicious Chrome extensions by a pop-up that blocks the page with a message such as "Add extension to leave".
In addition, both iOS and Android appear to be targeted by the campaign.
In a nutshell, researchers say it is troubling that ad-supported content is being used to distribute scams and malware. Worse, even users with ad-blockers are not spared and fall victim to the campaign. Who is responsible: the ad networks, or the publishers that deliberately expose users to malicious code in the interest of ad revenue?