A recently classified malvertising campaign targeting mobile and other connected devices consumers makes heavy use of obfuscation and cloaking to avoid detection.
Dubbed LuckyBoy, the multi-stage, tag-based throw is focused on iOS, Android, and Xbox users. Since December 2020, it penetrated upward of 10 Demand Side Platforms (DSP), primarily Europe-based, with abide by campaigns impacting users in the U.S. and Canada.
According to security vendor Conveyance Trust, the malware checks for a global variable ‘luckyboy’ that allows it to detect whether blockers, check up on environments, and active debuggers are present on the device. If any is detected, the malware won’t hack out.
Should it run on a target environment, the malware executes a tracking pixel show to redirect the user to malicious content, including phishing pages and imitation software updates.
LuckyBoy was observed operating in bursts: small manoeuvres are launched on Thursday nights, with only a few compromised tags, and extend throughout the weekend.
Multiple checks are performed as the campaign advances throughout stages, with extensive code obfuscation and domain exclusion used, and device-specific information extracted.
The harvested device data includes mother country code, window size, graphics information, number of CPU cores, battery focus be, current domain, plugins, the presence of webdriver, and whether touch is nearby, likely to set up for future attacks.
The malware continuously performs checks to make safe that the value of the global variable remains ‘luckyboy’. Otherwise, the script pauses execution and exits after delivering a clean creative to the user.
“LuckyBoy is apposite executing tests, probing to gauge their success before runabout a broader attack. Campaign was confirmed to execute on tags wrapped with malware balk code, bypassing these defenses as further evidence that its intricacy is impressive,” The Media Trust notes in a report shared with SecurityWeek.
The sanctuary firm says it is currently working with Google and TAG Threat Reciprocation to isolate the buyer and block them from launching these campaigns.
Connected: Recently Disclosed WordPress Plugin Flaws Exploited in Malvertising Worker
Related: U.S. Charges Ukrainian for Malvertising
Related: Tools Used in GhostDNS Router Hijack Races Dissected