Publishers Targeted by GhostCat Malware
A malicious campaign that waged 13 attacks against hundreds of well-known publishers has been identified and put down by The Media Trust.
Rather appropriately for the Halloween season, the malware was given the name GhostCat-3PC by researchers in the Trust's Digital Security & Operations (DSO) team.
GhostCat-3PC ran behind an ad that used advanced, obfuscated code and delivery patterns to evade detection by the traditional signature-based ad blockers used by many of the publishers.
After a quick prowl to check if the user was on a list of targeted domains, GhostCat would initiate a fraudulent pop-up that, if clicked, led to malicious content.
The team discovered the malware in late August and observed it escalate its attack until well into September.
"What makes GhostCat-3PC unique is the scale of this highly orchestrated campaign, the sophistication of obfuscation techniques to outsmart security tools, and what appears to be an attempt to test and track the response of signature-based security defenses," Mike Bittner, The Media Trust's associate director of digital security and operations, told Infosecurity Magazine.
"Bad actors behind GhostCat-3PC know what blockers are present in these publications and are likely using these attacks as a kind of stress test to determine the risk of being discovered and impeded."
In a report published today, the DSO researchers explained how the creators of GhostCat hid malicious code inside seemingly innocuous code to get the malware past ad blockers.
The researchers wrote: "Most blockers work by detecting known malicious signatures found in an ad tag or on a publisher site. These signatures are typically static in nature and therefore must result in an exact match to the malicious code in order to be successful. Any change to the targeted code, no matter how minor, will prevent the blocker from producing a match to the specified signature."
The Media Trust sees an average of 1,000 active, unrelated incidents in any 24-hour period, and more than 170 newly minted malicious domains each day.
Asked how new ad blockers need to be to have any kind of effect against this continually evolving threat, Bittner told Infosecurity Magazine: "Pre-2019 blockers would be useless.
"Signature-based defenses like conventional blockers will have to update their keyword blocklists many times each day just to keep up with bad actors’ relentless assault. Just this past month, five premium publishers using conventional blocking solutions have had at least one major incident unrelated to GhostCat-3PC."
Source: Information Security Magazine