A recent large-scale campaign named “ApateWeb” has been identified as a threat by cybersecurity researchers. This campaign uses over 130,000 domains to distribute scareware, potentially unwanted programs, and other scam pages. Its operators use deceptive emails to lure recipients to attacker-controlled websites, redirect them through the campaign’s infrastructure, and deliver the malicious payload.
The sophisticated infrastructure of the ApateWeb campaign involves multiple layers and numerous redirections between the entry point and the delivery of the final payload. This campaign has been operating for three years, from 2022 to the present time.
The potential impact of this campaign is substantial, as it has been reported that hundreds of attacker-controlled domains rank among the top one million websites, attracting millions of unique visits each month.
Recently, reports on the ApateWeb campaign were shared with Cyber Security News, disclosing the complex infrastructure and workflow set up by threat actors to circumvent detection mechanisms. The campaign can be broken down into three layers.
The first layer (Layer 1) contains the entry point URLs distributed via email. Traffic is then routed through the second layer (Layer 2), a series of redirections that may include adware or anti-bot verification, before reaching the final layer (Layer 3). The final layer delivers the malicious payload, which can be scareware, a potentially unwanted program, or a scam page. Notably, 93% of the attacker-owned domains resolve to only 10 IP addresses, which shows how concentrated the hosting behind this large campaign is.
The first layer employs a variety of techniques, including redirecting bots and crawlers to search engines or showing them an error message, and abusing wildcard DNS to generate a very large number of subdomains that are hard to blocklist. This layer also consists of the entry point URL together with specific URL parameters; if those parameters are missing or invalid, the visitor receives an error page or no content at all. An initial payload in this layer assigns a unique identifier to each visitor.
The campaign entry point is just the beginning: Layer 2 performs additional redirections through random domains before ultimately directing the traffic to Layer 3. Along the way, anti-bot checks are performed, some of which require human interaction, such as solving a CAPTCHA. Layer 3 is the final stage of the attack chain, serving the webpage from which the malicious program is downloaded. The campaign’s payloads are hosted on public cloud environments and have also been found to include unwanted browsers and browser extensions.
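As an added defender-side example (not code from the article or the Unit 42 report), the following Python groups passive-DNS records by resolved IP to surface the two traits described above: many attacker domains concentrated on a handful of IPs, and wildcard-DNS subdomain churn under one base domain. The domains, IPs and thresholds are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample passive-DNS records (fqdn, resolved IP); not real indicators.
SAMPLE_RECORDS = [
    ("a1b2c3.lure-one.test", "203.0.113.10"),
    ("x9y8z7.lure-one.test", "203.0.113.10"),
    ("q4w5e6.lure-one.test", "203.0.113.10"),
    ("click.lure-two.test", "203.0.113.10"),
    ("go.lure-three.test", "203.0.113.10"),
    ("promo.lure-four.test", "203.0.113.11"),
    ("www.legit-site.test", "198.51.100.5"),
    ("cdn.another-site.test", "198.51.100.6"),
]


def base_domain(fqdn, levels=2):
    """Reduce a hostname to its registrable part (naive: last two labels)."""
    return ".".join(fqdn.split(".")[-levels:])


def group_by_ip(records):
    """Map each IP to the set of distinct base domains that resolve to it."""
    by_ip = defaultdict(set)
    for fqdn, ip in records:
        by_ip[ip].add(base_domain(fqdn))
    return by_ip


def shared_hosting_clusters(records, min_domains=2):
    """IPs hosting at least min_domains distinct base domains: hub candidates."""
    return {ip: sorted(doms) for ip, doms in group_by_ip(records).items()
            if len(doms) >= min_domains}


def wildcard_subdomain_suspects(records, min_labels=3):
    """Base domains with many distinct subdomains that all point at one IP,
    the pattern wildcard DNS produces when random hostnames are generated."""
    subs, ips = defaultdict(set), defaultdict(set)
    for fqdn, ip in records:
        b = base_domain(fqdn)
        subs[b].add(fqdn)
        ips[b].add(ip)
    return sorted(b for b in subs if len(subs[b]) >= min_labels and len(ips[b]) == 1)


def ip_concentration(records, top_n=10):
    """Fraction of all observed base domains served by the top_n busiest IPs."""
    by_ip = group_by_ip(records)
    total = len({base_domain(f) for f, _ in records})
    top = sorted(by_ip.values(), key=len, reverse=True)[:top_n]
    covered = len(set().union(*top)) if top else 0
    return covered / total if total else 0.0
```

Run against real passive-DNS output, a high `ip_concentration` for a small `top_n` is the signal the report describes, and the cluster members are candidates for blocking by IP rather than by individual domain.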
The Unit 42 report provides detailed information regarding the URLs used, evasion tactics, and other pertinent details about the ApateWeb campaign. Additionally, the report includes indicators of compromise, example domains used, and IP addresses housing the campaign entry point.
With the discovery of this widespread and persistent ApateWeb campaign, cybersecurity professionals and organizations have been warned to remain vigilant and take appropriate measures to protect against the potentially harmful impact of this threat. By staying informed and up-to-date with the latest trends in cybersecurity, individuals and businesses can further strengthen their defenses against such malicious campaigns.