Team Confiant


Caught by Confiant: MutantBedrog and its adaptive malvertising maneuvers

Researcher: Gregory Newman (Lead Security Engineer, Threat Intelligence)

Updated: 25 Sep, 2024. Title of article was changed and minor copy edits were made to reflect publication of full report.

Executive Summary

MutantBedrog is a new malvertising threat actor targeting ad tech, exploiting several well-known brands in its creatives. Utilizing a range of sophisticated and adaptive techniques, MutantBedrog continuously evolves to evade detection. A comprehensive investigation by the Confiant Threat Intelligence team, under the leadership of security engineer Gregory Newman, uncovered the threat’s evolving tactics and identified the domains that need to be blocked to safeguard yourself and your users from this dangerous new threat actor. Read the full technical report.

Description

In early July, the Confiant security team detected a new threat leveraging forceful redirects and abusing well-known brands. It uses sophisticated client-side fingerprinting to evade detection and to hinder discovery of the landing page, and its code changes frequently, hence the "Mutant" in the name MutantBedrog.

Image: MutantBedrog taking notes from Gandalf the White. Caption: MutantBedrog is heavily protected against analysis and detection.

Because of its constant evolution, and because the final landing pages lead users to a scam (one which at first targeted only a small number of European countries, including the Netherlands), we have dubbed this threat MutantBedrog. Bedrog (pronounced beh-DROKH) is Dutch for "scam", "deception", or "fraud". It also sounds like Balrog, which is fitting, as this threat actor goes to great lengths to keep anyone who is not its intended victim from seeing what is really going on. We have observed several distinct major changes to the payload over the following weeks, sometimes as frequently as every two days, including, for a short time, hiding the malicious payload in the ad creative itself using steganography.

The creatives were first observed coming from and communicating with the domain carteads[.]com. On the 25th of July, the domain was changed to ab2t[.]com, which they continue to use as of the date of this blog. In addition, we have observed other domains associated with the final landing page. In the case that the potential victim does not pass all fingerprinting checks, the ad creative link functions as normal. MutantBedrog affects numerous SSPs and DSPs and abuses several well-known brands in its creatives.

Example creatives abusing the shoe brand Merrell in French and Portuguese

IOCs

The following domains are the primary domains used by MutantBedrog to serve its malicious payloads and other assets. The full analysis contains a full list of domains, IPs, creatives, and known payload hashes. For now, blocking these domains will offer protection from the forceful redirects used by MutantBedrog.

Domain                Date Registered   Registrar
ad[.]carteads[.]com   2024-05-16        CloudFlare, Inc.
ab2t[.]com            2024-07-25        NameCheap, Inc.

TTPs

MutantBedrog uses a wealth of different Tactics, Techniques, and Procedures to protect itself from the prying eyes of security researchers and security products alike.

Confiant Matrix ID / Description

[C101] Fake Advertising Agency
An advertising agency owned by a malicious operator for the purpose of establishing relationships with ad buying platforms (DSPs).

[C203] HTML DOM Modification
DOM modification is the act of manipulating the DOM in an ad or on a website as part of the malware's execution.

[C204] Forceful Redirects
Forceful redirects are the technique by which malvertisers send victims to a malicious landing page through no action of their own.

[C307] Fake Advertising Agency
An advertising agency owned by a malicious operator for the purpose of establishing relationships with ad buying platforms (DSPs).

[C601] WebGL
WebGL APIs are heavily leveraged for device fingerprinting because graphics hardware, drivers and their rendering output vary widely between devices, producing values in an entropy sweet spot.

[C602] User-Agent Fingerprinting
A client-side check by which adversaries determine the browser type and version they might be attacking.

[C603] GeoIP Check
GeoIP is commonly used as a server-side check that determines a potential target's geographical location from their IP address.

[C606] OS Fingerprinting
A check used to determine the operating system and version of a target user.

[C607] HTTP Fingerprinting
A server-side technique that consists of checking the HTTP protocol headers of the request.

[C612] Browser Objects
Any objects native to a browser's implementation of JavaScript and/or the many APIs available to browsers.

[C615] Plugin Detection
Browser identification through plugin detection is employed by attackers to determine which browser a user is running from the plugins it reports. Through the plugin API, malicious websites can also extract version information for the plugins installed on the victim's system.

[C701] Code Obfuscation
A broad category of techniques and tactics employed by attackers to make their code hard for human analysts to read.

[C703] Anti-Devtools
Techniques employed by attackers to disrupt debugging of the malicious code when browser developer tools are detected.

[C704] String Concatenation
An obfuscation technique where strings are split into small chunks and added back together at runtime, so that the original strings are difficult to search for during static analysis.

[C705] DOM Traversal
The Document Object Model (DOM) is the standard convention for accessing and manipulating elements within HTML and XML documents; DOM traversal walks that tree to reach the elements the payload needs.

[C707] Reputable Ad Servers
Any ad serving platforms whose ad serving domains are "household names" in the ad tech industry.

[C708] Steganography
The practice of concealing data inside files, typically images or binaries.

[C715] Security Vendor Detection
Malvertising security vendors typically have a client-side component for blocking malvertisements; the payload checks for its presence.

[C717] Automated Framework Detection
Employed by attackers to identify visitors that are running automated testing frameworks such as Selenium, so that the payload can avoid detection and analysis. This is done with JavaScript-based fingerprinting code inside the malicious page or creative.

[C811] Giveaway Scam
We generalize these landing pages as Free iPhone Scams, but they often offer a multitude of other products or product giveaways, including tablets, computers, and other electronics or high-end items.

[C904] Financial Loss
Any attack whose impact results in lost money for the victim targeted by malvertisers.

The Confiant Malvertising Attack Matrix has also been updated with this information and will be continuously updated as their payload continues to evolve.

Read the full report

The full analysis of the evolution of MutantBedrog so far is now available! It includes campaign volume and information about affected SSPs and DSPs, targeted regions/languages, an analysis of each major version of the payload, detailed explanations about the TTPs in use, as well as all known IOCs, creatives, and landing pages.

Want to learn more?

Read our Senior Security Engineer Eliya Stein's blog on the technical curiosities of MutantBedrog's client-side redirect payload.