A malvertising group named VeryMal that targets Mac users has changed up its tactics, ditching steganography as its obfuscation technique. Instead, it’s using ad tags that fetch a payload from Google Firebase in order to redirect users to malicious pop-ups.

Confiant estimates that close to 1 million user sessions have been potentially been exposed to this malvertising campaign.

According to analysis from the firm this week, VeryMal has been using display-ad redirects to send unwitting web surfers to fake Flash updates. When someone clicks on a malicious ad on a website, a popup asking her to “update their Flash player” will appear. If she clicks yes, the payload is fetched and deployed—in this case, the Shlayer trojan. Shlayer leverages shell scripts to download additional malware or adware onto the infected system.

Confiant said that VeryMal’s campaigns have so far been widespread, Mac-focused and stealthy to date. They have also been incorporating steganography as an obfuscation technique to hide the redirection code. Steganography, the practice of hiding malicious code in image files, is becoming more prevalent given the rising sophistication of detection mechanisms – as Confiant points out, JavaScript obfuscators tend to leave artifacts: “a very particular type of gibberish that can easily be recognized by the naked eye,” the firm said.

While steganography remains an effective tactic for the bad guys, VeryMal has gone in a new direction of late, leveraging Google Firebase.

“True to their persistent nature, these forced redirect campaigns have not subsided, but the delivery mechanism continues to evolve in a new and clever direction,” Confiant researcher Eliya Stein said in a post on Tuesday. “Steganography is no longer part of the equation for the campaign that spawned the redirects…but rather a seemingly innocuous ad tag is to blame.”

Read Complete Article: https://threatpost.com/mac-focused-malvertising-campaign-abuses-google-firebase-dbs/143010/