Confiant Threat Intelligence Team • 4 minute read
Researcher: Gregory Newman (Lead Security Engineer, Threat Intelligence)
Updated: 25 Sep, 2024. Title of article was changed and minor copy edits were made to reflect publication of full report.
Executive Summary
MutantBedrog is a new malvertising threat actor targeting ad tech, exploiting several well-known brands in its creatives. Utilizing a range of sophisticated and adaptive techniques, MutantBedrog continuously evolves to evade detection. A comprehensive investigation by the Confiant Threat Intelligence team, under the leadership of security engineer Gregory Newman, uncovered the threat’s evolving tactics and identified the domains that need to be blocked to safeguard yourself and your users from this dangerous new threat actor. Read the full technical report.
Description
In early July, the Confiant security team detected a new and novel threat leveraging forceful redirects and abusing well-known brands. This threat uses sophisticated client-side fingerprinting techniques to evade detection and hinder discovery of the landing page, and the code changes frequently, hence the name MutantBalrog Bedrog.
Due to the nature of its constant evolution, and the fact that their final landing pages lead users to a scam - a scam at first only targeting a small number of European countries including the Netherlands - we have dubbed this threat MutantBedrog. Bedrog (pronounced beh-DROKH) is Dutch for "scam", "deception", or "fraud". It also sounds like Balrog, which is fitting as this Threat Actor uses extensive means to keep anyone that is not their intended victim far from seeing what's really going on. We have observed several distinct major changes to the payload over the following weeks, sometimes as frequently as every two days, and including, for a short time, hiding their malicious payload in the ad creative itself using steganography!
The creatives were first observed coming from and communicating with the domain carteads[.]com. On the 25th of July, the domain was changed to ab2t[.]com, which they continue to use as of the date of this blog. In addition, we have observed other domains associated with the final landing page. In the case that the potential victim does not pass all fingerprinting checks, the ad creative link functions as normal. MutantBedrog affects numerous SSPs and DSPs and abuses several well-known brands in its creatives.
IOCs
The following domains are the primary domains used by MutantBedrog to serve its malicious payloads and other assets. The full analysis contains a full list of domains, IPs, creatives, and known payload hashes. For now, blocking these domains will offer protection from the forceful redirects used by MutantBedrog.
| Domain | Date Registered | Registrar |
|---|---|---|
| ad[.]carteads[.]com | 2024-05-16 | CloudFlare, Inc. |
| ab2t[.]com | 2024-07-25 | NameCheap, Inc. |
TTPs
MutantBedrog uses a wealth of different Tactics, Techniques, and Procedures to protect itself from the prying eyes of security researchers and security products alike.
| Confiant Matrix ID | Description |
|---|---|
|
[C101] |
Fake Advertising Agency is an advertising agency that is owned by malicious operator for the purpose of establishing relationships with ad buying platforms (DSPs). |
|
[C203] |
DOM modification is the act of manipulating the DOM in an ad or on a website as part of the malware execution. |
|
[C204] |
Forceful redirects are the technique by which malvertisers redirect victims to a malicious landing page through no action of their own. |
|
[C307] |
Fake Advertising Agency is an advertising agency that is owned by malicious operator for the purpose of establishing relationships with ad buying platforms (DSPs). |
|
[C601] |
WebGL APIs are heavily leveraged for device fingerprinting, because a device's graphics cards and their performance are highly variable and produce outputs that are in an entropy sweet spot. |
|
[C602] |
User-Agent Fingerprinting is a client-side check by which adversaries determine Browser types and versions they might potentially be attacking. |
|
[C603] |
GeoIP is commonly used as a server-side check consisting of determining the geographical location of a potential target based on the IP address. |
|
[C606] |
OS Fingerprinting is a check used to accurately determine the Operating system and its version of a target user. |
|
[C607] |
HTTP Fingerprinting is a server side technique which consist of checking the HTTP protocol headers. |
|
[C612] |
Browser Objects are any objects that are native to a browser's implementation of JavaScript and/or the many APIs available to browsers. |
|
[C615] |
The Browser Identification through Plugin Detection technique is employed by attackers to determine the type of browser a user is running based on the identified plugins. By leveraging the plugin's API, malicious websites can extract version information of installed plugins on the victim's system. |
|
[C701] |
Code Obfuscation applies to a broad category of techniques and tactics that are employed by attackers in order to make their code hard to read by human analysts. |
|
[C703] |
Anti-Devtools techniques are employed by attackers in order to disrupt the debugging process of the malicious code when browser dev tools are detected. |
|
[C704] |
String Concatenation is an obfuscation technique where strings are split into small chunks and added together so that the original strings will be difficult to search for during static analysis. |
|
[C705] |
The Document Object Model (DOM) is a standard convention for accessing and manipulating elements within HTML and XML documents. |
|
[C707] |
Reputable Ad Servers encompass any ad serving platforms whose ad serving domains are "household names" in the Ad Tech industry. |
|
[C708] |
Steganography is the practice of concealing data inside files - typically images or binaries. |
|
[C715] |
Malvertising security vendors typically have a client-side component for blocking malvertisements. |
|
[C717] |
The Automated Framework Detection Avoidance technique is employed by attackers to identify and differentiate victims using automated testing frameworks, such as Selenium, while attempting to avoid detection and analysis. Attackers achieve this by utilizing JavaScript-based fingerprinting code within malicious websites or applications. |
|
[C811] |
We generalize these landing pages as Free iPhone Scams, but they often include a multitude of other products or product giveaways including tablets, computers, and other electronics or highend items. |
|
[C904] |
Financial Loss encompasses any attack whose impact results in lost money from the victim targeted by malvertisers. |
The Confiant Malvertising Attack Matrix has also been updated with this information and will be continuously updated as their payload continues to evolve.
Read the full report
The full analysis of the evolution of MutantBedrog so far is now available! It includes campaign volume and information about affected SSPs and DSPs, targeted regions/languages, an analysis of each major version of the payload, detailed explanations about the TTPs in use, as well as all known IOCs, creatives, and landing pages.
Want to learn more?
Read our Senior Security Engineer Eliya Stein's blog on the technical curiosities of MutantBedrog's client-side redirect payload.
