{"id":7759,"date":"2017-05-25T07:10:20","date_gmt":"2017-05-25T15:10:20","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/25\/news-1544\/"},"modified":"2017-05-25T07:10:20","modified_gmt":"2017-05-25T15:10:20","slug":"news-1544","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/25\/news-1544\/","title":{"rendered":"RoughTed: The anti ad-blocker malvertiser"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura | Date: Thu, 25 May 2017 14:00:52 +0000<\/strong><\/p>\n<p>RoughTed is a large malvertising operation that peaked in March 2017 but has been running for well over a year. It stands out for its considerable scope, ranging from scams to exploit kits, and for the way it profiles visitors by operating system, browser, and geolocation in order to deliver the appropriate payload.<\/p>\n<p>We estimate that the traffic through RoughTed-related domains amounted to over half a billion hits and was responsible for many successful compromises, thanks to effective techniques that triage visitors and bypass ad-blockers.<\/p>\n<p>The threat actors behind RoughTed have been leveraging Amazon's cloud infrastructure, in particular its CloudFront Content Delivery Network (CDN), while also blending into the noise with multiple ad redirections from several ad exchanges, making it more difficult to identify the source of their malvertising activity.<\/p>\n<h3>Highlights<\/h3>\n<ul>\n<li>Traffic comes from thousands of publishers, some ranked in Alexa\u2019s top 500 websites.<\/li>\n<li>RoughTed domains accumulated\u00a0over half a billion visits in the past 3 months alone.<\/li>\n<li>Threat actors are leveraging\u00a0fingerprinting and ad-blocker\u00a0bypassing techniques upstream.<\/li>\n<li>RoughTed can deliver a variety of payloads for each platform: scams, exploit kits, and malware.<\/li>\n<\/ul>\n<h3>Campaign identification<\/h3>\n<p>While studying the Magnitude exploit kit, we came across an interesting 
redirection chain from a domain name called <em>roughted[.]com<\/em>, hence the nickname &#8216;RoughTed&#8217; we gave to this threat actor and campaign.<\/p>\n<pre><em>roughted.com\/?<span style=\"color: #ff0000\">&amp;tid=6<\/span>45131<span style=\"color: #ff0000\">&amp;red=1&amp;abt=0&amp;v=1.<\/span>10.59.18<\/em><\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-17962 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/roughtedflow.png\" alt=\"\" width=\"1882\" height=\"180\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/roughtedflow.png 1882w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/roughtedflow-300x29.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/roughtedflow-600x57.png 600w\" sizes=\"auto, (max-width: 1882px) 100vw, 1882px\" \/><\/p>\n<p>This domain was calling out to an XML feed to serve ads, but because of our geolocation at the time (South Korea), we were redirected to the Magnitude exploit kit via its pre-filtering gate, also known as \u2018<a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/magnitude-actor-social-engineering-scheme-windows-10\" target=\"_blank\" rel=\"noopener noreferrer\">Magnigate<\/a>\u2019.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-18114\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/AWS_RoughTed.png\" alt=\"\" width=\"532\" height=\"545\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/AWS_RoughTed.png 695w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/AWS_RoughTed-292x300.png 292w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/AWS_RoughTed-585x600.png 585w\" sizes=\"auto, (max-width: 532px) 100vw, 532px\" \/><\/p>\n<p>Over the course of a few days, we noticed a similar referer as <em>roughted[.]com<\/em>, with the same URL structure redirecting to the RIG 
exploit kit this time. Upon mining our data set, we started seeing that pattern for over a hundred other domains and mapped out some of the most prolific ones.<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-17965 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/top_domains.png\" alt=\"\" width=\"1376\" height=\"512\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/top_domains.png 1376w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/top_domains-300x112.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/top_domains-600x223.png 600w\" sizes=\"auto, (max-width: 1376px) 100vw, 1376px\" \/><em>Numbers above are summed from SimilarWeb.com analytics.<\/em><\/p>\n<p>The majority of the domains were created via the EvoPlus registrar in small batches, with a new <em>.ru<\/em> or <em>.ua<\/em> email address each time. These domains also have in common that they are used as gateways meant to bypass ad-blockers (we will expand on that aspect later).<\/p>\n<p>The visualization below shows clusters representing domain names assigned to a unique registrant email.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/cluster.png\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-17967 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/cluster.png\" alt=\"\" width=\"706\" height=\"750\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/cluster.png 706w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/cluster-282x300.png 282w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/cluster-565x600.png 565w\" sizes=\"auto, (max-width: 706px) 100vw, 706px\" \/><\/a><\/p>\n<p>Within each cluster, we can see that the 
domain naming convention follows a certain pattern, with one or two strings being used in various positions. For example, below we have the strings &#8216;<em>get<\/em>&#8216; and &#8216;<em>fun<\/em>&#8216; used to build the domain name.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/single_cluster.png\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-18052 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/single_cluster.png\" alt=\"\" width=\"578\" height=\"259\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/single_cluster.png 578w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/single_cluster-300x134.png 300w\" sizes=\"auto, (max-width: 578px) 100vw, 578px\" \/><\/a><\/p>\n<p>This in itself is not shocking (it could simply be a lack of imagination), but it becomes interesting when two separate clusters are semantically related (different registrant emails but similar domain names). This allows us to connect the campaigns in yet another way, besides the URI patterns.<\/p>\n<p>For instance, let&#8217;s zoom in on two clusters that show different email addresses. 
We see that the common string here is &#8216;<em>parser<\/em>&#8216; used in both and it is not just a &#8216;coincidence&#8217;.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/semantics.png\" data-rel=\"lightbox-2\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-18022 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/semantics.png\" alt=\"\" width=\"707\" height=\"522\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/semantics.png 817w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/semantics-300x222.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/semantics-600x444.png 600w\" sizes=\"auto, (max-width: 707px) 100vw, 707px\" \/><\/a><\/p>\n<h3>Publishers<\/h3>\n<p>The term \u2018publisher\u2019 is commonly used in the advertising industry to refer to websites that display adverts to generate online revenues. Publishers are typically providers of content (news, media files, etc.) which drive people to visit them regularly. The cost of advertising is not only dependent on how popular a website is, but also on other variables which revolve around the kind of audience a publisher captures.<\/p>\n<p>The bulk of\u00a0the traffic for the RoughTed campaign comes from streaming video or file sharing sites closely intertwined with URL shorteners. These are areas where malicious actors love to lurk because of the sheer volume of traffic but also subpar standards for quality and safety of online advertising.<\/p>\n<p>Below are some domains we spotted\u00a0in our telemetry, ranking within Alexa\u2019s top 1000. Visitors to these sites are targeted with ads and in some cases, some that belong to the RoughTed campaign. 
We will detail later to what kind of content users were exposed.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18070\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/top_pub.png\" alt=\"\" width=\"318\" height=\"298\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/top_pub.png 846w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/top_pub-300x282.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/top_pub-600x563.png 600w\" sizes=\"auto, (max-width: 318px) 100vw, 318px\" \/><\/p>\n<p>During our research, we spoke with\u00a0<a href=\"https:\/\/twitter.com\/unmaskparasites\" target=\"_blank\" rel=\"noopener noreferrer\">Denis Sinegubko<\/a> from website security company\u00a0<a href=\"https:\/\/blog.sucuri.net\/author\/denis\/\" target=\"_blank\" rel=\"noopener noreferrer\">Sucuri<\/a>\u00a0who\u00a0shared similar findings with how &#8216;personal&#8217; websites were involved in this malvertising campaign. 
Webmasters knowingly integrated an\u00a0<a href=\"https:\/\/pastebin.com\/raw\/m5UmjU3m\" target=\"_blank\" rel=\"noopener noreferrer\">ad code script<\/a> from advertising company Ad-Maven into their pages in order to monetize their website.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/AdMaven.png\" data-rel=\"lightbox-3\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18082\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/AdMaven.png\" alt=\"\" width=\"662\" height=\"344\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/AdMaven.png 1648w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/AdMaven-300x156.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/AdMaven-600x312.png 600w\" sizes=\"auto, (max-width: 662px) 100vw, 662px\" \/><\/a><\/p>\n<p>The obfuscated script above contains an algorithm to generate future Amazon S3 URLs, but the buckets are only created for the next 3-5 days.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/S3_Base64.png\" data-rel=\"lightbox-4\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18075\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/S3_Base64.png\" alt=\"\" width=\"699\" height=\"444\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/S3_Base64.png 1439w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/S3_Base64-300x191.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/S3_Base64-600x381.png 600w\" sizes=\"auto, (max-width: 699px) 100vw, 699px\" \/><\/a><\/p>\n<p>Each bucket contains a base64 encoded blurb which decodes to the current\u00a0<em>cloudfront.net<\/em> subdomain:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/base64decode.png\" data-rel=\"lightbox-5\" title=\"\"><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18073\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/base64decode.png\" alt=\"\" width=\"1621\" height=\"811\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/base64decode.png 1621w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/base64decode-300x150.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/base64decode-600x300.png 600w\" sizes=\"auto, (max-width: 1621px) 100vw, 1621px\" \/><\/a><\/p>\n<p>We have many examples of these <em>cloudfront.net<\/em> subdomains (leveraging Amazon\u2019s content delivery network, <a href=\"https:\/\/aws.amazon.com\/cloudfront\/\">Amazon CloudFront<\/a>) seen as a referer to RoughTed domains in our telemetry as well. Note the same <em>tid<\/em> value carried from the CloudFront referer to the gate URL:<\/p>\n<pre>Referer: dh0uktvqfaomb.cloudfront.net\/br?<strong>tid=651488<\/strong>  -&gt; trandsey.info\/?&amp;pid=6&amp;<strong>tid=651488<\/strong>&amp;status=4&amp;subid=0&amp;info={redacted}.&amp;v=1.1.0.1&amp;_=1490387450476<\/pre>\n<h3>Fingerprinting and ad-blocking evasion techniques<\/h3>\n<p>There is more in this code, and it has been raising eyebrows for its <a href=\"https:\/\/gist.github.com\/seanl-adg\/e24e848497caec25f2137fb312b2893c\" target=\"_blank\" rel=\"noopener noreferrer\">invasive nature<\/a>, in particular its use of <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/exploits\/2016\/08\/browser-based-fingerprinting-implications-and-mitigations\/\" target=\"_blank\" rel=\"noopener noreferrer\">fingerprinting<\/a> techniques, in this case \u2018<a href=\"https:\/\/en.wikipedia.org\/wiki\/Canvas_fingerprinting\" target=\"_blank\" rel=\"noopener noreferrer\">canvas fingerprinting<\/a>\u2019.<\/p>\n<p>We can see it below again in a slightly different format (<em>admvn.js<\/em>), used by the URL shortener site <em>adf.ly<\/em> and redirecting users to a RoughTed domain 
(<em>somethodox.info<\/em>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18067\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adfly.png\" alt=\"\" width=\"665\" height=\"387\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adfly.png 1072w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adfly-300x175.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adfly-600x349.png 600w\" sizes=\"auto, (max-width: 665px) 100vw, 665px\" \/><\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adfly_view.png\" data-rel=\"lightbox-6\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18068\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adfly_view.png\" alt=\"\" width=\"654\" height=\"354\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adfly_view.png 2208w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adfly_view-300x162.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adfly_view-600x324.png 600w\" sizes=\"auto, (max-width: 654px) 100vw, 654px\" \/><\/a><\/p>\n<p>The point is to profile users with great granularity and identify those that may be cheating the system by lying about their browser or geolocation.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18069\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/haslied_.png\" alt=\"\" width=\"349\" height=\"379\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/haslied_.png 830w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/haslied_-276x300.png 276w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/haslied_-552x600.png 552w\" sizes=\"auto, (max-width: 349px) 100vw, 349px\" \/><\/p>\n<p>Typically the User-Agent string can determine a visitor\u2019s OS and 
browser, but it is trivial to fake the UA and lie to the server. One clever alternative is to look for installed fonts, since some are specific to an operating system: a Mac will have fonts that a Windows machine does not, and vice versa (thank you <a href=\"https:\/\/twitter.com\/magicmac2000\" target=\"_blank\" rel=\"noopener noreferrer\">Manuel \u2018The Magician\u2019 Caballero<\/a> for pointing out this trick).<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/font_check.png\" data-rel=\"lightbox-7\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17971\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/font_check.png\" alt=\"\" width=\"525\" height=\"306\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/font_check.png 706w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/font_check-300x175.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/font_check-600x350.png 600w\" sizes=\"auto, (max-width: 525px) 100vw, 525px\" \/><\/a><\/p>\n<p>Another interesting aspect is that redirections to RoughTed domains happen even for visitors running ad-blockers, as reported by users of <a href=\"https:\/\/github.com\/jspenguin2017\/AdBlockProtector\/issues\/157\" target=\"_blank\" rel=\"noopener noreferrer\">Adblock Plus<\/a>, <a href=\"https:\/\/github.com\/uBlockOrigin\/uAssets\/issues\/389\" target=\"_blank\" rel=\"noopener noreferrer\">uBlock Origin<\/a>, or <a href=\"https:\/\/forum.adguard.com\/index.php?threads\/resolved-userscloud-com-missed-popups.19868\/\" target=\"_blank\" rel=\"noopener noreferrer\">AdGuard<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ublocko.png\" data-rel=\"lightbox-8\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17972\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ublocko.png\" alt=\"\" width=\"529\" height=\"236\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ublocko.png 1372w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ublocko-300x134.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ublocko-600x268.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ublocko-604x270.png 604w\" sizes=\"auto, (max-width: 529px) 100vw, 529px\" \/><\/a><\/p>\n<p>The animation below shows a redirection to one of the RoughTed gates that bypasses the ad-blocker in Google Chrome (ABP is shown installed and activated at the top right) and ultimately pushes a bogus Chrome extension. All a user has to do is click anywhere on the first page they visited, and their browser will be hijacked.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17973\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/malvert_anti_adblock.gif\" alt=\"\" width=\"600\" height=\"338\" \/><\/p>\n<h3>Something for everyone<\/h3>\n<p>This malvertising campaign is quite diverse: no matter what your operating system or browser is, you will receive a payload of some kind. Perhaps publishers should take a long, hard look at what they may be subjecting their visitors to if they decide to run those kinds of adverts.<\/p>\n<h4>Adware for Mac<\/h4>\n<p>This is a fake Flash Player update that targets Mac users and tricks them into believing that the file comes from Apple. As a rule of thumb, you should only download software updates from the original vendor, never from a third party. 
Unfortunately, crooks can easily create deceiving pages or scare users into installing a fraudulent piece of software.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Mac.png\" data-rel=\"lightbox-9\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17974\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Mac.png\" alt=\"\" width=\"526\" height=\"357\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Mac.png 892w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Mac-300x203.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Mac-600x407.png 600w\" sizes=\"auto, (max-width: 526px) 100vw, 526px\" \/><\/a><\/p>\n<h5>Traffic view<\/h5>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/traffic_Mac.png\" data-rel=\"lightbox-10\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17975\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/traffic_Mac.png\" alt=\"\" width=\"678\" height=\"110\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/traffic_Mac.png 1156w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/traffic_Mac-300x49.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/traffic_Mac-600x98.png 600w\" sizes=\"auto, (max-width: 678px) 100vw, 678px\" \/><\/a><\/p>\n<h4>PUPs for Windows<\/h4>\n<p>There are countless fake updates for Flash, Java, not to mention all those &#8216;special&#8217; codecs for Windows. The following page urges users to install a Java update which is laced with adware. 
When it comes to Java, it is usually better not to have it installed in the first place, let alone to install shady updates for it.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Java.png\" data-rel=\"lightbox-11\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17977\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Java.png\" alt=\"\" width=\"524\" height=\"337\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Java.png 1980w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Java-300x193.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Java-600x386.png 600w\" sizes=\"auto, (max-width: 524px) 100vw, 524px\" \/><\/a><\/p>\n<h5>Traffic view<\/h5>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17978\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TrafficJava.png\" alt=\"\" width=\"675\" height=\"226\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TrafficJava.png 1160w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TrafficJava-300x100.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TrafficJava-600x201.png 600w\" sizes=\"auto, (max-width: 675px) 100vw, 675px\" \/><\/p>\n<h4>Rogue Chrome extensions<\/h4>\n<p>Chrome is widely regarded as one of the safest browsers, but unfortunately malware purveyors and ill-intentioned advertising companies are aggressively pushing rogue extensions that can read or even modify the data on the sites you visit. 
Malvertising is a prime distribution method for bogus Chrome extensions which are <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/11\/forced-into-installing-a-chrome-extension\/\" target=\"_blank\" rel=\"noopener noreferrer\">pushed in a forceful way<\/a>, leaving users little choice but to install them, in some cases.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ChromeExtension.png\" data-rel=\"lightbox-12\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17979\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ChromeExtension.png\" alt=\"\" width=\"523\" height=\"335\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ChromeExtension.png 1946w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ChromeExtension-300x192.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ChromeExtension-600x385.png 600w\" sizes=\"auto, (max-width: 523px) 100vw, 523px\" \/><\/a><\/p>\n<h5>Traffic view<\/h5>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17980\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TrafficChromeExtension.png\" alt=\"\" width=\"660\" height=\"99\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TrafficChromeExtension.png 1182w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TrafficChromeExtension-300x45.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TrafficChromeExtension-600x90.png 600w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/p>\n<h4>Undesired redirections to\u00a0iTunes\/app store<\/h4>\n<p>There is a large quantity of &#8216;free&#8217; apps out there, both for iOS and Android and their business model is either via in-app adverts or add-ons you can purchase. 
Some apps go one step too far by making the game too hard to beat without buying a certain item (this is also known as &#8216;pay-to-play&#8217;). But after all, it is up to users to choose to download those apps and opt for such purchases.<\/p>\n<p>Malvertising, however, muddies the waters with automated redirections to &#8216;random&#8217; apps, generating commissions for each resulting install.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/itunes_.png\" data-rel=\"lightbox-13\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17992\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/itunes_.png\" alt=\"\" width=\"524\" height=\"350\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/itunes_.png 1906w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/itunes_-300x201.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/itunes_-600x401.png 600w\" sizes=\"auto, (max-width: 524px) 100vw, 524px\" \/><\/a><\/p>\n<h5>Traffic view<\/h5>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17982\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/trafficitunes.png\" alt=\"\" width=\"661\" height=\"145\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/trafficitunes.png 1150w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/trafficitunes-300x66.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/trafficitunes-600x131.png 600w\" sizes=\"auto, (max-width: 661px) 100vw, 661px\" \/><\/p>\n<h4>Tech support scams<\/h4>\n<p>Tech support scams have long been feeding off malvertising and targeting many different countries. 
Therefore it\u2019s not surprising to see cases here via RoughTed as well.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/red_TSS.png\" data-rel=\"lightbox-14\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18078\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/red_TSS.png\" alt=\"\" width=\"524\" height=\"301\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/red_TSS.png 899w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/red_TSS-300x172.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/red_TSS-600x344.png 600w\" sizes=\"auto, (max-width: 524px) 100vw, 524px\" \/><\/a><\/p>\n<h5>Traffic view<\/h5>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18079\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Traffic_red_TSS.png\" alt=\"\" width=\"583\" height=\"190\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Traffic_red_TSS.png 583w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Traffic_red_TSS-300x98.png 300w\" sizes=\"auto, (max-width: 583px) 100vw, 583px\" \/><\/p>\n<p>Security researcher <a href=\"https:\/\/twitter.com\/malekal_morte\" target=\"_blank\" rel=\"noopener noreferrer\">Malekal<\/a>\u00a0<a href=\"https:\/\/twitter.com\/malekal_morte\/status\/861956582808203265\" target=\"_blank\" rel=\"noopener noreferrer\">tweeted<\/a> about a Tech Support Scam (TSS) campaign targeting French people. 
He points to the heavily obfuscated code, and a RoughTed domain (<em>suspecial.info<\/em>) can be spotted in the HTTP traffic shown in his screenshot.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TSS_fr.png\" data-rel=\"lightbox-15\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17983\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TSS_fr.png\" alt=\"\" width=\"522\" height=\"334\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TSS_fr.png 1948w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TSS_fr-300x192.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/TSS_fr-600x384.png 600w\" sizes=\"auto, (max-width: 522px) 100vw, 522px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/tweet.png\" data-rel=\"lightbox-16\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17984\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/tweet.png\" alt=\"\" width=\"524\" height=\"459\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/tweet.png 1576w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/tweet-300x263.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/tweet-600x525.png 600w\" sizes=\"auto, (max-width: 524px) 100vw, 524px\" \/><\/a><\/p>\n<h4>Surveys and other scams<\/h4>\n<p>Fake surveys and lottery pages are also commonplace in malvertising. 
In this particular sequence,\u00a0we ran into <a href=\"https:\/\/www.riskiq.com\/research\/notrove-scam-empire\/\" target=\"_blank\" rel=\"noopener noreferrer\">NoTrove<\/a> (a campaign first reported by RiskIQ).<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/notrove.png\" data-rel=\"lightbox-17\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18107\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/notrove.png\" alt=\"\" width=\"530\" height=\"295\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/notrove.png 1005w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/notrove-300x167.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/notrove-600x334.png 600w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><\/a><\/p>\n<h5>Traffic view<\/h5>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18108\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/notrove_traffic.png\" alt=\"\" width=\"587\" height=\"118\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/notrove_traffic.png 876w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/notrove_traffic-300x60.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/notrove_traffic-600x121.png 600w\" sizes=\"auto, (max-width: 587px) 100vw, 587px\" \/><\/p>\n<h4>Exploit kits<\/h4>\n<p>According to our telemetry records, the majority of victims impacted by exploit kits via\u00a0the RoughTed malvertising campaign were in the US and Canada, followed by the U.K., Italy, Spain, and Brazil.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17985\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/map.png\" alt=\"\" width=\"658\" height=\"406\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/map.png 799w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/map-300x185.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/map-600x370.png 600w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/p>\n<h4>RIG EK<\/h4>\n<p>One very active malware campaign as of late is known as \u201c<a href=\"https:\/\/umbrella.cisco.com\/blog\/blog\/2017\/03\/29\/seamless-campaign-delivers-ramnit-via-rig-ek\/\" target=\"_blank\" rel=\"noopener noreferrer\">Seamless<\/a>\u201d and has pushed a lot of the <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/exploits-threat-analysis\/2017\/03\/canada-u-k-hit-ramnit-trojan-new-malvertising-campaign\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ramnit<\/a> banking Trojan, especially to Canadian users. It is easily recognizable by its\u00a0use of <a href=\"https:\/\/blogs.msdn.microsoft.com\/ieinternals\/2014\/03\/06\/browser-arcana-ip-literals-in-urls\/\" target=\"_blank\" rel=\"noopener noreferrer\">IP-Literal hostnames<\/a> that redirect to the RIG EK infrastructure.<\/p>\n<p>Much of the upstream traffic comes from adult portals and popunder ad networks. 
Here you can see\u00a0RoughTed involved in the ad call and chain via interesting multi-step hops leading to the Seamless campaign.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/RIG_EK.png\" data-rel=\"lightbox-18\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17986\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/RIG_EK.png\" alt=\"\" width=\"1616\" height=\"496\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/RIG_EK.png 1616w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/RIG_EK-300x92.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/RIG_EK-600x184.png 600w\" sizes=\"auto, (max-width: 1616px) 100vw, 1616px\" \/><\/a><\/p>\n<p>If you want to check the full redirection flow, please click\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/flowtoRIG.png\" data-rel=\"lightbox-19\" title=\"\">here<\/a>.<\/p>\n<h4>Magnitude EK<\/h4>\n<p>Magnitude EK has long been faithful to the Cerber ransomware as its dropped payload of choice. The bulk of infections are happening in South Korea, some in Taiwan and Hong Kong, and curiously, a few in Italy. 
The screenshot below is an example of a Cerber infection on a Korean user via the Magnitude exploit kit.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Cerber.png\" data-rel=\"lightbox-20\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17988\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Cerber.png\" alt=\"\" width=\"524\" height=\"283\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Cerber.png 1918w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Cerber-300x162.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/Cerber-600x324.png 600w\" sizes=\"auto, (max-width: 524px) 100vw, 524px\" \/><\/a><\/p>\n<h5>Traffic view<\/h5>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/MagnitudeEK.png\" data-rel=\"lightbox-21\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-17989\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/MagnitudeEK.png\" alt=\"\" width=\"827\" height=\"164\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/MagnitudeEK.png 1600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/MagnitudeEK-300x60.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/MagnitudeEK-600x119.png 600w\" sizes=\"auto, (max-width: 827px) 100vw, 827px\" \/><\/a><\/p>\n<h3>Same old, same old<\/h3>\n<p>Malvertising may look\u00a0easy on the surface but is actually a much more complex and deep-rooted issue. We all know that it&#8217;s there and whenever a big case is uncovered, ad networks (and publishers)\u00a0are blamed and it somewhat taints their brand for a little while.<\/p>\n<p>But for the most part, malvertising continues unabated, especially with certain providers. 
The response from end users has traditionally been to gravitate towards ad-blockers as a means to avoid getting infected or bothered by obnoxious adverts.<\/p>\n<p>Naturally, this has caused a similar knee-jerk reaction by some publishers and ad companies\u00a0to fight back in various ways to protect their business. The rationale behind\u00a0it is that people shouldn&#8217;t be getting free content that costs them money to come up with and host.<\/p>\n<p>The use of dynamically created\u00a0scripts to perform redirections that bypass ad-blockers is clever in many ways. For one, when a publisher includes the code on their site, it\u00a0is unique to\u00a0them, as it is generated in their own dashboard, and by the same token it is\u00a0less likely to be detected. The script itself pulls data from a new URL every day, which means blocking new domains is truly a cat-and-mouse game that guarantees sufficient uptime to serve up ads.<\/p>\n<p>It becomes a real issue when this ad-supported content pushes scams or malware, even to those running an ad-blocker. 
At this point, one should ask themselves who really is responsible: ad networks (which are fending for themselves) or publishers (and site owners)\u00a0that knowingly expose their visitors to nefarious code\u00a0for the sake of ad revenues.<\/p>\n<hr \/>\n<p><em>Thanks to <a href=\"https:\/\/twitter.com\/unmaskparasites\" target=\"_blank\" rel=\"noopener noreferrer\">Denis<\/a> from Sucuri for sharing his insights\u00a0into injected adverts in personal websites.<\/em><\/p>\n<h3><strong>Indicators of Compromise (IOCs)<\/strong><\/h3>\n<p>Regex to detect RoughTed campaign<\/p>\n<pre>&amp;tid=6[0-9]{5}&amp;(status|red)=[0-9]{1,2}&amp;(info|ref|subid|abt|v)<\/pre>\n<p>Top RoughTed domains (by traffic)<\/p>\n<pre>histock.info\ncharmstroy.info\ngreatwork.info\nyoursinfo.info\nleversions.info\nmodescrips.info\nbeershavartb.com\nbudgement.info\noctagonize.com\ncontentpap.info<\/pre>\n<p>A longer\u00a0list can be found <a href=\"https:\/\/gist.github.com\/malwareinfosec\/73d10721cdb9868a05baff6a59a6bcbc#file-roughted_list\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<p>Mac PUP (<em>FLVPlayer.dmg<\/em>)<\/p>\n<pre>5170de1236854a73fa4c964044347142788a1d89adfa7f99704fc661620a9bd1<\/pre>\n<p>Windows PUP (<em>VideoPlayerSetup.exe<\/em>)<\/p>\n<pre>4ac4e1ebb3b51406a10f3826e048e639b1b473d53e42877bc3fef4455cb99bdc<\/pre>\n<p>Chrome extension (ABP bypass)<\/p>\n<pre>chrome.google.com\/webstore\/inlineinstall\/detail\/oihncglcaajcdibgcmdeioodpkpnnafn<\/pre>\n<p>Chrome extension (SearchApp)<\/p>\n<pre>chrome.google.com\/webstore\/detail\/cjdnjcibbanenpflghdngkcdphpnenaf<\/pre>\n<p>iTunes redirection<\/p>\n<pre>itunes.apple.com\/app\/apple-store\/id1095254858?mt=8<\/pre>\n<p>Tech support scam<\/p>\n<pre>windows-micro-soft-cure.com\n3095web.xyz\/gunzaofr\/index.html<\/pre>\n<p>RIG EK<\/p>\n<pre>Method,IP address,Domain name,Comments\n52.84.133.139,roughted.com,RoughTed\n198.134.116.30,xml.ad-maven.com,Redirection\n52.86.58.112,emj38.voluumtrk.com,Malvertising\n
52.28.7.230,nbfb6.redirectvoluum.com,Malvertising\nPOST,193.124.18.68,193.124.18.68,Seamless_Campaign_URL\n52.58.225.210,nbfb6.voluumtrk.com,Malvertising\n193.124.200.212,193.124.200.212,Seamless_Campaign_URL\n193.124.18.68,193.124.18.68,Seamless_Campaign_URL\n109.234.36.58,top.onlineboatinsurancesanantonio.com,RIG_EK_URL (Flash Exploit)\n109.234.36.58,top.onlineboatinsurancesanantonio.com,RIG_EK_URL (Landing Page)\n109.234.36.58,top.onlineboatinsurancesanantonio.com,RIG_EK_URL (Malware Payload)\n\nRamnit: cc4c5eabb76ebca1bc3af1d8e8a6629e72164f9ae0fc61287592548288937220<\/pre>\n<p>Magnitude EK<\/p>\n<pre>Method,IP address,Domain name,Comments\n54.230.249.46,roughted.com,RoughTed\n174.137.155.139,xml.pdn-1.com,Malvertising\n94.228.223.243,besttovapez.com,Magnigate\n94.228.223.245,43dcp5wceag93.doebulk.com,Magnigate\n37.59.186.134,19fd6r50gemdb491z.wireits.loan,Magnitude_EK_Code (Landing Page)\n37.59.186.134,19fd6r50gemdb491z.wireits.loan,Magnitude_EK_URL (Flash Exploit)\n37.59.186.134,37.59.186.134,Magnitude_EK_URL (Kernel32 call)\n37.59.186.134,37.59.186.134,Magnitude_EK_URL (Malware Payload)\n\nCerber: d9411664ad6f1451b7cbd2a9453e5824d566535bae480dfe533cda7e0bef0ae7<\/pre>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/05\/roughted-the-anti-ad-blocker-malvertiser\/\">RoughTed: The anti ad-blocker malvertiser<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/05\/roughted-the-anti-ad-blocker-malvertiser\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 25 May 2017 14:00:52 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/05\/roughted-the-anti-ad-blocker-malvertiser\/' 
title='RoughTed: The anti ad-blocker malvertiser'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/shutterstock_326747183-1.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>A look at RoughTed, a purveyor of ad-blocker aware malvertising responsible for a range of scams, exploits, and malware.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/malware\/\" rel=\"category tag\">Malware<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/ad-maven\/\" rel=\"tag\">ad-maven<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/adware\/\" rel=\"tag\">adware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit-kits\/\" rel=\"tag\">exploit kits<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploits\/\" rel=\"tag\">exploits<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/magnitude\/\" rel=\"tag\">Magnitude<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malvertising\/\" rel=\"tag\">malvertising<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pups\/\" rel=\"tag\">PUPs<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rig\/\" rel=\"tag\">RIG<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/roughted\/\" rel=\"tag\">RoughTed<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/scams\/\" rel=\"tag\">scams<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tech-support-scams\/\" rel=\"tag\">tech support scams<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/trojan\/\" rel=\"tag\">trojan<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/05\/roughted-the-anti-ad-blocker-malvertiser\/' title='RoughTed: The anti ad-blocker malvertiser'>Read 
more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/05\/roughted-the-anti-ad-blocker-malvertiser\/\">RoughTed: The anti ad-blocker malvertiser<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[12365,10468,4503,10528,10987,7871,10531,3764,2130,11589,12366,10574,10577,10833],"class_list":["post-7759","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-ad-maven","tag-adware","tag-cybercrime","tag-exploit-kits","tag-exploits","tag-magnitude","tag-malvertising","tag-malware","tag-pups","tag-rig","tag-roughted","tag-scams","tag-tech-support-scams","tag-trojan"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7759"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7759\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7759"},{"taxonomy":"post_tag
","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}