Hyas Blog | Defeating Malvertising-Based Phishing Attacks
Malvertising Enters a New Age
While Google grapples with the potential threat that ChatGPT poses to its advertising business, cybercriminals are taking advantage of Google Ads to ramp up their phishing attacks on unsuspecting victims. To pull off these scams, phishers purchase ads that appear to represent well-known companies, brands, and software. By purchasing ads, these links appear as the top result of a Google search when a user’s query is relevant to the misleading content of the ad. This practice is commonly known as “malvertising.”
To be fair, the cybersecurity community has made ongoing efforts to mitigate the phishing threat by instructing users how to avoid such attacks by following some basic rules, such as manually typing in the URL of a company's website rather than simply clicking the first link that appears after performing a search with Google. It may seem rudimentary, but this has become a serious issue as more and more people default to just typing a name into their browser's address bar and clicking the first thing that comes up. When people use their browsers in this way, depending on their level of sophistication, they may not understand that they are actually performing a search — and Google is set as the default search engine for many browsers.
Google is aware that their "Sponsored Links" are often purchased by malicious actors, so it does perform scans of sponsored links to determine if they are malicious. However, threat actors have been able to get around this by setting up a benign site on the sponsored link. Only once a user who clicked on the sponsored link arrives at the benign site are they redirected to the actual malicious site, evading Google’s detection.
Alongside Google’s crackdown attempts, the cybersecurity community has undertaken the task of identifying these malicious sponsored links, documenting them, and reporting them to Google in the hopes that it removes them. Some developers have even created tools that scan sponsored links to determine if they are malicious. You can find the tools here:
Advanced Malvertising Techniques
So far, community members have already reported over 500 malicious ads to Google, but one particularly dangerous example named "MalVirt" caught our attention.
MalVirt loaders use multiple techniques to evade detection by antivirus software, endpoint detection and response (EDR) software, and other common security tools. One particularly novel variation employs KoiVM virtualization — which allows it to obfuscate the code and defeat static analysis, thus making manual malware analysis challenging and time consuming. It also uses more common techniques, such as detecting if it is running in a virtualized environment or loading a signed driver that can modify running processes.
While it is possible to write signatures for malware of this type after analysis is completed, it takes time — time during which the malware is able to evade even the most advanced EDRs while it goes about its business.
MalVirt also tries to fool network monitoring tools like network detection and response (NDR) tools by disguising its real C2 traffic. It generates encrypted traffic to multiple domains hosted on different IP addresses through different hosting companies. Out of those domains, only one is the real C2 domain. The others are benign, decoy domains. This makes it hard for network traffic monitoring tools to determine which traffic is bad, if any. Even if network traffic monitoring tools report all these domains as suspicious for falling outside of the baseline, it can take a long time for an analyst to actually weed through the false positives.
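As an added illustration (not code from the original post), the decoy pattern described above can be surfaced from resolver logs by looking for one client that starts contacting several never-before-seen domains at different hosting providers inside a short window. The log lines, baseline and provider labels below are constructed.

```python
"""Surface the decoy-domain pattern described above from resolver logs:
one client contacting several never-before-seen domains, hosted at
different providers, inside a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log lines (documentation IPs, .test domains, made-up
# provider labels): timestamp client domain answer_ip hosting_provider
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.7 updates.example-cdn.test 198.51.100.10 ProviderA
2024-03-01T09:00:02 10.0.0.7 mail.example-corp.test 198.51.100.20 ProviderA
2024-03-01T09:14:10 10.0.0.7 cfg-sync.example1.test 203.0.113.5 ProviderB
2024-03-01T09:14:11 10.0.0.7 cdn-stat.example2.test 192.0.2.77 ProviderC
2024-03-01T09:14:11 10.0.0.7 api-tel.example3.test 198.51.100.99 ProviderD
2024-03-01T09:14:12 10.0.0.7 upd-srv.example4.test 203.0.113.210 ProviderE
2024-03-01T09:30:00 10.0.0.9 mail.example-corp.test 198.51.100.20 ProviderA
"""
# Domains this environment has resolved before (constructed baseline)
BASELINE = {"updates.example-cdn.test", "mail.example-corp.test"}

def parse(log):
    events = []
    for line in log.splitlines():
        ts, client, domain, ip, provider = line.split()
        events.append((datetime.fromisoformat(ts), client, domain, ip, provider))
    return events

def find_decoy_bursts(events, baseline, window=timedelta(seconds=60),
                      min_domains=3, min_providers=3):
    """Return {client: sorted new domains} for each client that reached at
    least min_domains unseen domains at min_providers distinct providers
    within `window`. Such a cluster is one candidate set holding the real
    C2 and its decoys, to be triaged together rather than one by one."""
    new_by_client = defaultdict(list)
    for ts, client, domain, _ip, provider in sorted(events):
        if domain not in baseline:
            new_by_client[client].append((ts, domain, provider))
    hits = {}
    for client, new in new_by_client.items():
        for i, (start, _, _) in enumerate(new):
            burst = [e for e in new[i:] if e[0] - start <= window]
            domains = {d for _, d, _ in burst}
            providers = {p for _, _, p in burst}
            if len(domains) >= min_domains and len(providers) >= min_providers:
                hits[client] = sorted(domains)
                break
    return hits
```

Flagging the whole burst as one unit is what saves the analyst time: the decoys and the real C2 are reviewed as a single event instead of as separate "outside the baseline" alerts.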
Addressing the Problem
This scenario highlights the importance of taking a defense-in-depth approach to cybersecurity. Your firewall had no problems letting the requested HTTPS traffic through. Your Secure Web Gateway didn’t have any signatures for the file and automated analysis showed nothing wrong, so it happily served the file to the client. Your EDR client also couldn’t find anything malicious, so it allowed the malware to run. Even your NDR saw the traffic coming from the client, but didn’t see anything obviously malicious and allowed it — even if it did manage to flag a number of domains for review.
So what is the missing layer of defense in this real-world scenario? Next-gen protective DNS. HYAS Protect would have blocked this attack at three different stages:
- When the user clicks the sponsored link to go to the benign site
- When the benign site detects that it is an actual user that clicked the ad, and redirects the user to the site that hosts the actual malware
- When the malware communicates with the C2 domain
The common thread between these stages is that they all involve communication to threat actor infrastructure.
HYAS doesn’t simply look at whether a domain is actively malicious and known or has been used maliciously in the past. We actively map threat actor infrastructure to discover unidentified infrastructure that has not been used before or has not yet been used maliciously. Since there is never a good reason for a regular user to communicate with threat actor domains, HYAS Protect uses HYAS's extensive and unrivaled knowledge about threat actor infrastructure to block all communications to said infrastructure, even if they are previously unknown domains. With this proactive measure in place, you can avoid malvertising attacks without relying solely on changing the behavior of your users.
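As an added sketch (not HYAS's code, data or actual method) of how infrastructure mapping lets a protective DNS layer block all three stages listed above: starting from one domain with a known malicious record, the policy pivots over shared hosting attributes to reach domains that have never been seen used maliciously. The domain records, name servers and IPs are constructed, and pivoting on name server and IP alone is an assumption made for illustration.

```python
"""Sketch of a protective-DNS policy that blocks domains sharing
infrastructure with known threat-actor domains, run against the three
stages listed above. Records, domains and pivot rules are constructed
assumptions for illustration, not HYAS's data or method."""
from collections import deque

# Constructed passive-DNS / hosting attributes per domain (.test names,
# documentation IPs): the landing page, the malware host and the C2 share
# a name server or an IP with one another; the legitimate site shares none.
RECORDS = {
    "brand-setup-download.test": {"ns": "ns1.bulk-reg.test", "ip": "203.0.113.11"},  # stage 1: sponsored landing page
    "mirror-installer.test":     {"ns": "ns9.other.test",    "ip": "203.0.113.11"},  # stage 2: hosts the malware
    "cfg-sync-c2.test":          {"ns": "ns9.other.test",    "ip": "198.51.100.5"},  # stage 3: real C2
    "news.example-legit.test":   {"ns": "ns1.big-dns.test",  "ip": "192.0.2.44"},
}
KNOWN_BAD = {"cfg-sync-c2.test"}  # the only domain with a prior malicious record

def map_infrastructure(records, seeds, pivot_keys=("ns", "ip")):
    """Expand the seed set breadth-first over shared attributes, so domains
    never seen used maliciously are still tied to the same actor."""
    index = {}
    for dom, attrs in records.items():
        for key in pivot_keys:
            index.setdefault((key, attrs[key]), set()).add(dom)
    blocked, queue = set(seeds), deque(seeds)
    while queue:
        dom = queue.popleft()
        attrs = records.get(dom)
        if not attrs:
            continue  # seed with no attribute data: blocked, but nothing to pivot on
        for key in pivot_keys:
            for sibling in index.get((key, attrs[key]), ()):
                if sibling not in blocked:
                    blocked.add(sibling)
                    queue.append(sibling)
    return blocked

def policy(query, blocked):
    """Resolver decision for one DNS query."""
    return "BLOCKED" if query in blocked else "ALLOWED"

def walk_stages(records=RECORDS, seeds=KNOWN_BAD):
    """Decision at each of the three stages, plus an unrelated legitimate site."""
    blocked = map_infrastructure(records, seeds)
    return {dom: policy(dom, blocked) for dom in records}
```

Pivoting on a bare name server or hosting IP over-blocks on shared hosting; production mapping needs attribute weighting and allow-lists that this sketch leaves out.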