Full Report
Cybersecurity researchers have shed light on a previously undocumented aspect associated with ClickFix-style attacks that hinge on taking advantage of a single ad network service as part of a malvertising-driven information stealer campaign dubbed DeceptionAds. "Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over
Analysis Summary
# Tool/Technique: DeceptionAds Campaign (Malvertising Infrastructure)
## Overview
The DeceptionAds campaign refers to a large-scale malvertising operation that abuses a single ad network (Monetag) and an ad-tracking service (BeMob) to push visitors of sites carrying its ads (often pirated-content sites) to fake CAPTCHA verification pages, which then talk the victim into running a command that installs information stealers and other malware.
## Technical Details
- Type: Campaign Infrastructure / Technique (Malvertising, Social Engineering)
- Platform: Windows end users (the lure runs a PowerShell command) browsing sites that carry the ad network's inventory, notably pirated-content sites. The landing pages themselves are spread across several cloud hosting services.
- Capabilities: High-volume delivery of malware via deceptive advertising redirects, leveraging reputation masking via ad trackers.
- First Seen: Activity documented in public reporting in late 2024.
## MITRE ATT&CK Mapping
*Note: Since this describes campaign infrastructure rather than a single tool, the mappings reflect the delivery and execution stages described here; the malware dropped afterwards (Lumma, Brute Ratel C4) carries its own mappings.*
- **TA0042 - Resource Development**
- T1583.008 - Acquire Infrastructure: Malvertising (ad impressions bought through Monetag, with the BeMob hop hiding the real landing page)
- **TA0002 - Execution**
- T1204.004 - User Execution: Malicious Copy and Paste (the victim pastes the "verification" command into the Windows Run dialog)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0005 - Defense Evasion**
- T1027.010 - Obfuscated Files or Information: Command Obfuscation (the one-liner is passed Base64-encoded)
## Functionality
### Core Capabilities
- **Propagation via Ad Network:** Relies entirely on the Monetag ad network for delivering impressions globally (reporting over 1 million daily impressions).
- **Social Engineering Lure:** Directs victims (often from pirated content sites) to bogus CAPTCHA verification pages.
- **Payload Delivery Trigger:** Instructs victims to copy a Base64-encoded PowerShell command and run it themselves, in ClickFix fashion (paste into the Windows Run dialog and press Enter), presented as a step required for "verification." The browser never executes anything; the user does.
### Advanced Features
- **Reputation Cloaking:** Threat actors used the BeMob ad-tracking service to serve a benign URL to Monetag's management system, masking the identity of the final malicious CAPTCHA page and complicating content moderation.
- **Hosting Diversity:** The final malicious pages are hosted across diverse cloud platforms including Oracle Cloud, Scaleway, Bunny CDN, EXOScale, and Cloudflare R2.
- **Multi-Payload Targeting:** The final payload depends on the actor behind a given landing page: information stealers (Lumma), remote access trojans (RATs), and the Brute Ratel C4 post-exploitation framework have all been observed.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context; the chain ends in deployment of information stealers such as Lumma]
- Registry Keys: [Not specified in context]
- Network Indicators:
- Ad Network Provider: Monetag (also tracked as Vane Viper/Omnatuor)
- Ad Tracking Service: BeMob
- Hosting Infrastructure: Oracle Cloud, Scaleway, Bunny CDN, EXOScale, Cloudflare R2 (specific domains/IPs not provided, but these platforms are used for hosting the final redirect).
- Behavioral Indicators: A user manually pasting and running a Base64-encoded PowerShell one-liner taken from a browser page, typically via the Windows Run dialog, so powershell.exe appears as a child of explorer.exe (or of the browser) rather than of a script host or management agent.
## Associated Threat Actors
- Multiple "unattributed" threat clusters have adopted this technique.
- Guardio Labs traced the campaign's delivery to Monetag infrastructure; the actors behind the individual payloads remain unattributed.
## Detection Methods
- Signature-based detection: Can target known hashes of deployed malware (e.g., Lumma, Brute Ratel C4).
- Behavioral detection: Alert on powershell.exe launched with -EncodedCommand (or its accepted abbreviations -e, -ec, -enc) from user-facing parents such as explorer.exe (the Run dialog) or a browser; decode the argument as UTF-16LE Base64, which is what PowerShell expects, to triage the one-liner. Separately, watch for BeMob tracking URLs in redirect chains that terminate on unrelated hosting (Oracle Cloud, Scaleway, Bunny CDN, EXOScale, Cloudflare R2).
- YARA rules: [Not specified in context]
## Mitigation Strategies
- **Content Moderation & Validation:** Ad networks (like Monetag) must moderate landing content and validate the accounts that submit ad campaigns more strictly, including resolving the submitted URL through any tracking hop, since the BeMob redirect is what hid the real destination from moderation.
- **User Education:** Educating users never to copy and execute commands presented in their web browser, especially for "verification" tasks.
- **Endpoint Protection:** Deploy EDR or anti-malware that flags PowerShell spawned by explorer.exe or a browser, particularly with -EncodedCommand or a hidden window, and enable PowerShell script block logging so the decoded command is recorded even when the argument is encoded.
- **Network Filtering:** Blocking communication to known malicious domains associated with the final payload hosting, though the constant rotation across CDNs may complicate this.
## Related Tools/Techniques
- **Lumma:** Information stealer deployed as a secondary result.
- **Brute Ratel C4 (BRc4):** Post-exploitation framework observed being deployed.
- **BeMob:** Ad-tracking/TDS platform utilized for reputation cloaking.
- **Monetag:** Ad network exploited for high-volume propagation.