A malvertising group named VeryMal that targets Mac users has changed up its tactics, ditching steganography as its obfuscation technique. Instead, it’s using ad tags that fetch a payload from Google Firebase in order to redirect users to malicious pop-ups.
Confiant estimates that close to 1 million user sessions have potentially been exposed to this malvertising campaign.
According to analysis from the firm this week, VeryMal has been using display-ad redirects to send unwitting web surfers to fake Flash updates. When someone clicks on a malicious ad on a website, a popup appears asking them to "update their Flash player." If they click yes, the payload is fetched and deployed, in this case the Shlayer trojan. Shlayer leverages shell scripts to download additional malware or adware onto the infected system.
While steganography remains an effective obfuscation tactic for attackers, VeryMal has recently moved in a new direction, using Google Firebase as the delivery mechanism for its redirect payload.
“True to their persistent nature, these forced redirect campaigns have not subsided, but the delivery mechanism continues to evolve in a new and clever direction,” Confiant researcher Eliya Stein said in a post on Tuesday. “Steganography is no longer part of the equation for the campaign that spawned the redirects…but rather a seemingly innocuous ad tag is to blame.”
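The pattern Confiant describes, an otherwise innocuous-looking ad tag that pulls its payload from a Firebase endpoint and then forces the top frame to a new location, is something an ad-quality or web-security team can screen for before a creative is served. The following is an added example, not code from Confiant or from the article: a small heuristic scanner that flags ad-tag JavaScript combining a Firebase host reference with a top-frame navigation. The indicator regexes, the Firebase host patterns (firebaseio.com, firestore.googleapis.com, firebasestorage.googleapis.com) and the three sample tags are my own assumptions and constructed inputs; they are not VeryMal's actual code or infrastructure.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators. These are assumed patterns chosen to illustrate the
# technique; they are not Confiant's detection logic.
INDICATORS = {
    # Firebase-hosted endpoints an ad tag has no ordinary reason to call.
    "firebase_endpoint": re.compile(
        r"[\w.-]+\.firebaseio\.com|firestore\.googleapis\.com|firebasestorage\.googleapis\.com",
        re.I,
    ),
    # Runtime retrieval of remote content (the payload fetch).
    "remote_fetch": re.compile(
        r"\bfetch\s*\(|\bXMLHttpRequest\b|\.open\s*\(\s*['\"](?:GET|POST)", re.I
    ),
    # Decoding of an opaque blob before use (payload hidden in the DB value).
    "payload_decode": re.compile(
        r"\batob\s*\(|\bunescape\s*\(|String\.fromCharCode", re.I
    ),
    # Forced navigation of the top frame, which a creative should never do.
    "top_frame_redirect": re.compile(
        r"\b(?:window\.)?top\.location(?:\.href)?\s*=(?!=)"
        r"|\blocation\.replace\s*\("
        r"|\bwindow\.location(?:\.href)?\s*=(?!=)",
        re.I,
    ),
}


@dataclass
class Finding:
    tag_id: str
    indicators: list = field(default_factory=list)
    verdict: str = "benign"


def analyze_ad_tag(tag_id: str, js_source: str) -> Finding:
    """Score one ad tag's source against the indicator set."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(js_source)]
    if "firebase_endpoint" in hits and "top_frame_redirect" in hits:
        # Remote config pulled from Firebase plus a forced redirect is the
        # combination the article attributes to VeryMal.
        verdict = "suspicious"
    elif "top_frame_redirect" in hits:
        # Top-frame navigation alone is not proof, but it warrants review.
        verdict = "review"
    else:
        verdict = "benign"
    return Finding(tag_id, hits, verdict)


def firebase_hosts(js_source: str) -> list:
    """Extract Firebase hostnames referenced by a tag, for an IOC list."""
    rx = INDICATORS["firebase_endpoint"]
    return sorted({m.group(0).lower() for m in rx.finditer(js_source)})


# Constructed sample tags (not real creatives).
BENIGN_TAG = """
<script>
  var img = new Image();
  img.src = "https://ads.example.com/pixel?c=1234";
</script>
"""

REDIRECT_ONLY_TAG = """
<script>
  // Constructed: navigates the top frame from a hard-coded URL, no Firebase.
  window.top.location = "https://cdn.example.net/landing.html";
</script>
"""

SUSPICIOUS_TAG = """
<script>
  // Constructed: fetches a blob from a Firebase Realtime Database, decodes it,
  // and forces the top frame to the decoded URL.
  fetch("https://example-project.firebaseio.com/cfg.json")
    .then(function (r) { return r.text(); })
    .then(function (t) {
      var target = atob(t);
      if (target.indexOf("http") === 0) { window.top.location = target; }
    });
</script>
"""

if __name__ == "__main__":
    for tag_id, src in [("benign", BENIGN_TAG),
                        ("redirect-only", REDIRECT_ONLY_TAG),
                        ("firebase", SUSPICIOUS_TAG)]:
        f = analyze_ad_tag(tag_id, src)
        print(f.tag_id, f.verdict, f.indicators, firebase_hosts(src))
```

The scanner is deliberately conservative: a Firebase reference on its own is not flagged, since legitimate tags may use Google-hosted storage, and a forced top-frame navigation alone only earns a "review" verdict. It is the pairing of the two, remote content fetched at runtime and then used to redirect the page, that matches the behaviour described above. In practice this kind of static check should sit alongside dynamic sandboxing of creatives, because obfuscated tags can build hostnames at runtime and defeat a regex.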
Read Complete Article: https://threatpost.com/mac-focused-malvertising-campaign-abuses-google-firebase-dbs/143010/