Guardio has been tracking, for several months now, one of the biggest malware-spreading campaigns ever seen, targeting as many as hundreds of thousands of users per day! In this write-up we share insights and a detailed analysis of how exactly these bad actors managed to spread and deploy this army of infected computers, shifting and altering their deceptive malvertising operation along the way to optimize it and elude conventional detection methods and mechanisms.
As early as January 2022 we first observed a very heavily downloaded ISO file with the same modus operandi. ISO files — archive files used to duplicate data from disk drives — have lately been heavily abused by bad actors as containers for malicious program bundles. In this campaign the filename kept changing, and so did the final size and hash signature of the ISO archive, yet our data and behavioral analysis quickly revealed that these suspicious files originated from the same bad actor: not only were they downloaded from a common list of freshly registered domains, they also propagated using very similar malvertising campaigns that leverage the originating sites' metadata about visitors to manipulate and deceive.
Adding to the above, the magnitude of the phenomenon — an estimated 100k+ hits a day — is an operation at a scale never seen before, suggesting many aspects are taken care of: distribution, redundancy, covertness, and of course powerful and probably quite evil monetization techniques.
We continue to closely follow and block these and any other variant of the malicious ISO files, yet this activity has been ongoing since January 2022, taking new forms and shapes along the way.
We took a step back and examined the operation from the propagation point of view and unearthed their methods, which indeed utilize advertisement technology in order to get as many deployments as possible. Most if not all websites today monetize traffic using one of many ad-tech services. Some ads are pleasant and harmless, others are much more forceful (new tabs opening, pop-ups), and moving to the extreme one will also find some spicing it up with a bit of deception. The ISOtonic campaign leverages this to the extreme, as we can see in this example of a common propagation flow involving some of the top visited publishers' domains:
An example of how tons of tracking data is forwarded to the malvertiser can be seen in this URL, called by the advertisement infrastructure from a publisher site to the ad-network routing service (in this case in a freshly created tab). Note how the relevant content of the publisher's current webpage is forwarded, as well as the suggested filename:
https://reukandthis[.]xyz/?cs=a2xMZFZfVXhUYF1cfVNuUlx7UGY&abt=0&red=1&sm=16&k=2022 evil dead game drop boost performance optimization link download&v=1.34.27.1&sts=0&prn=0&emb=0&tid=951554&inc=14&u=466215146980128&agec=1655732783&fs=1&mbkb=531.9148936170212&file=Uncharted: Legacy of Thieves Collection Startup Crash Fix PC | Black Screen Fix 2022 Link 1&ref=https://www.possiblenow.xyz/2022/05/evil-dead-game-fps-drop-fix-boost-fps.html&osr=www.possiblenow.xyz&jst=0&enr=0&lcua=mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/102.0.0.0 safari/537.36&tzd=-4&uloc=&if=0&ct=5&ctc=8&_TwFt=1655733070260&utr1=00:00:17&utr2=173&utr3=0&utr4=0&utr5=0&utr6=0&utr7=12
The most significant query strings, for reference:
k = 2022 evil dead game drop boost performance optimization link download
agec = 1655732783
fs = 1
mbkb = 531.9148936170212
file = Uncharted: Legacy of Thieves Collection Startup Crash Fix PC | Black Screen Fix 2022 Link 1
ref = https://www.possiblenow.xyz/2022/05/evil-dead-game-fps-drop-fix-boost-fps.html
The above routes to the advertiser who won the bid for this ad spot, in this case our malvertiser's landing page (Level 2), as seen in these examples:
Those pages are served by a huge list of rotating domains (more on that later on) controlled by those bad actors. It is interesting to see how easily they generate those landing pages with the relevant tracking data — one example of such a deceptive landing page URL:
https://tioniamcurrentl[.]xyz/lp?cms=NTY5NjMHAgoBAAACDQUDAQABBgsHBQoATwwDAQcCBkoIAAYADgAAAgAARQ%3D%3D&fn=Your%20File%20Is%20Ready%20To%20Download&lpn=stepswin&extt=search-good.com%2F%3Ftid%3D952736
cms = NTY5NjMHAgoBAAACDQUDAQABBgsHBQoATwwDAQcCBkoIAAYADgAAAgAARQ==
fn = Your File Is Ready To Download
lpn = stepswin
extt = search-good.com/?tid=952736
Those are “disposable” URLs, valid for only several seconds after being generated following the advertisement referral, avoiding crawlers and security scans. lpn is one of many different-looking landing page themes, extt and cms are used for tracking and affiliation, and of course fn is the generated filename.
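To make the two URLs above easier to triage, here is a small parser, written for this write-up as an added example (it is not Guardio's tooling), that refangs a reported URL, splits its query by hand and pulls out exactly the fields discussed: k, agec, fs, mbkb, file, ref and osr on the ad-network routing hop, and cms, fn, lpn and extt on the Level 2 landing page. The two sample URLs are the ones quoted above; the key lists, the "kind" labels and the suggested_filename/publisher_host fields are our own naming.

```python
"""Pull the tracking fields highlighted in the write-up out of the malvertising
URLs it quotes. Added example; the two sample URLs are copied from the write-up
(defanged with [.] as printed there), everything else is ours."""
from urllib.parse import urlsplit, unquote_plus

# Keys the write-up singles out on the ad-network routing URL ...
ROUTING_KEYS = ("k", "agec", "fs", "mbkb", "file", "ref", "osr")
# ... and on the generated Level 2 landing page.
LANDING_KEYS = ("cms", "fn", "lpn", "extt")

# Sample URLs as quoted in the write-up (defanged).
ROUTING_SAMPLE = (
    "https://reukandthis[.]xyz/?cs=a2xMZFZfVXhUYF1cfVNuUlx7UGY&abt=0&red=1&sm=16"
    "&k=2022 evil dead game drop boost performance optimization link download"
    "&v=1.34.27.1&sts=0&prn=0&emb=0&tid=951554&inc=14&u=466215146980128"
    "&agec=1655732783&fs=1&mbkb=531.9148936170212"
    "&file=Uncharted: Legacy of Thieves Collection Startup Crash Fix PC | Black Screen Fix 2022 Link 1"
    "&ref=https://www.possiblenow.xyz/2022/05/evil-dead-game-fps-drop-fix-boost-fps.html"
    "&osr=www.possiblenow.xyz&jst=0&enr=0"
    "&lcua=mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/102.0.0.0 safari/537.36"
    "&tzd=-4&uloc=&if=0&ct=5&ctc=8&_TwFt=1655733070260"
    "&utr1=00:00:17&utr2=173&utr3=0&utr4=0&utr5=0&utr6=0&utr7=12"
)
LANDING_SAMPLE = (
    "https://tioniamcurrentl[.]xyz/lp?cms=NTY5NjMHAgoBAAACDQUDAQABBgsHBQoATwwDAQcCBkoIAAYADgAAAgAARQ%3D%3D"
    "&fn=Your%20File%20Is%20Ready%20To%20Download&lpn=stepswin&extt=search-good.com%2F%3Ftid%3D952736"
)


def refang(url):
    """Reverse the usual report defanging so the URL parses."""
    return url.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def parse_query(query):
    """Split a query string on '&' only. The routing URL carries ';' inside the
    lcua (user agent) value, which older parse_qs versions treat as a separator,
    so we split by hand and percent-decode each side."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def parse_tracking_url(url):
    """Return host, suffix and the write-up's fields of interest for one URL."""
    parts = urlsplit(refang(url))
    params = parse_query(parts.query)
    if any(k in params for k in ("fn", "lpn")):
        kind, keys = "landing-page", LANDING_KEYS
    elif any(k in params for k in ("file", "k")):
        kind, keys = "ad-network-routing", ROUTING_KEYS
    else:
        kind, keys = "unknown", ()
    host = parts.hostname or ""
    return {
        "kind": kind,
        "host": host,
        "tld": host.rsplit(".", 1)[-1] if "." in host else "",
        "fields": {k: params[k] for k in keys if k in params},
        # Name the lure will present for the ISO: 'file' on the routing hop,
        # 'fn' on the landing page (our field name, not the campaign's).
        "suggested_filename": params.get("fn") or params.get("file"),
        # Publisher page whose content seeded the lure (routing hop only).
        "publisher_host": urlsplit(params["ref"]).hostname if "ref" in params else None,
    }


if __name__ == "__main__":
    for sample in (ROUTING_SAMPLE, LANDING_SAMPLE):
        rec = parse_tracking_url(sample)
        print(rec["kind"], rec["host"], "->", rec["suggested_filename"])
        for k, v in rec["fields"].items():
            print(f"  {k} = {v}")
```

Run against the routing URL it yields the keyword string, the publisher page and the lure filename; against the landing page URL it yields the theme (lpn), the affiliation trackers (cms, extt) and the filename the ISO will be served under. Feeding it proxy logs gives a quick view of which publisher pages and lure names are being bounced through a given routing domain.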
Filename generation is one of the most powerful tools to create trust. At the beginning of this campaign, most of the files were named simply serve.iso, and later on download.iso or a generic Your File Is Ready To Download.iso. As the campaign progressed it leveraged this filename deception concept more and more. Here you can see some of the most popular filenames of the past few months; we have observed at least 15,000 unique filenames to date! Notice that those filenames originate mostly from movies and gaming:
Adding to the above, the ISO files were auto-generated in different file sizes and other variants. Underneath this lies a sophisticated mechanism that generates malware containers on request, defeating traditional antivirus sensors that rely on hash signatures as well as specific binary fingerprints (more on that in ISOtonic Part 2). You can see the distribution of file sizes here, indicating several significant strains and minor variations being used:
All of the above heavily targets one specific user segment — the US. We do see some “leftovers” going to neighboring countries and some central European countries. Still, it is very obvious that this bad actor is specifically targeting US devices, as seen in this distribution map:
Let's explore a bit more how this campaign started and shifted along the way:
The campaign started with a bang! From day one we see a scale of ~500k downloads per day. This stage is distinguished by the use of .com domains both for the Level 2 landing pages and for Level 1, hosting the malware itself. Those .com domains are used to raise the reputation of this flow (.com domains are more expensive and mainstream than, for example, the infamous .xyz). An example of a download link is this simple URL, called from the malicious advertisement landing page (Level 2) as we've seen above:
https://ckgrounda[.]com/Your File Is Ready To Download.iso
It is interesting to see how those .com domains were used sporadically — lowering the noise and attention they attract to keep those domains unblocked by traditional security mechanisms. This actually worked for several months: those domains stayed accessible and fully operational, serving an average of ~600k ISO files each!
In the following chart you can see some example domains and their usage distribution. In blue is the amplitude — days between first and last sighting — while in red is the total number of specific days on which we've seen the domain actually getting hits. This almost always averages 2 days in total, and the domain is never seen again (at least for this campaign), so just think about how many .com domains were actually used here!
Around late April, we tracked a noticeable shift from .com domains to the public suffix .xyz. Adding to that, an even more sporadic behavior started to emerge:
Another interesting bit to mention is how the conversion rate (how many users actually continued and fully downloaded the malicious ISO file) fell repeatedly during this stage, which may indicate that conventional detection methods started to cope with this threat, getting suspicious files blocked by browsers' built-in protections. The move to .xyz domains is also a direct consequence of domains starting to get blocked. Think about how many unique domains those actors need to purchase to keep this operation up and running during this race. Yet they are adjusting and, for now, maintaining the lead.
Here we can see the use of unique domain suffixes on the malware-hosting domains (Level 1) from the beginning of the operation until late June, per day:
Fewer domains are used per day in this second stage, yet those domains are one-timers and will never be used again!
By this stage, it seems the bad actors realized they needed yet another reshuffle of their ops to regain the lead. It is impossible to keep using more and more new domains for barely a few hours until they are blocked and then throw them away. So the first thing they did was consolidate the Level 1 and Level 2 domains — using one domain for both the landing page and the file hosting.
This can be seen in this graph spanning the entire operation's lifespan, focusing on Level 2 domains:
It starts with a test round, in which the bad actors seem to be “feeling the vibe” of their new concept as well as of some pre-owned domains stored for this operation. For a week or so they bombard with many different new domains (this is the peak in the graph above), using each for an even shorter time span before moving to another domain, as if trying to find the optimal average time they can abuse a domain until it is blocked. After several days of trial and error, they settle back on the optimal point: using each domain for several hours per day, with more domain suffixes in use and fewer domains overall (due to the consolidation).
You can see some of those Stage III domains and their life span, in minutes, revealing how dynamic this operation is:
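The charts in this and the previous two stages all derive from the same per-domain bookkeeping: amplitude (days between first and last sighting) versus days with actual hits, suffix mix per day on Level 1, one-timer domains, domains reused for both levels after the consolidation, and lifespan in minutes. The following is an added example of that bookkeeping, not Guardio's pipeline; the sightings list is constructed and the placeholder-*.com/.xyz/.site names are invented, not domains from the campaign.

```python
"""Per-domain lifecycle metrics of the kind charted in the write-up. Added
example with constructed sightings; the placeholder domain names are invented."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sightings: (UTC timestamp, domain, level). Level 1 hosts the ISO,
# Level 2 serves the landing page, as the write-up defines them.
SIGHTINGS = [
    ("2022-02-03T09:12:00", "placeholder-a.com", "L1"),
    ("2022-02-03T17:40:00", "placeholder-a.com", "L1"),
    ("2022-02-04T08:05:00", "placeholder-a.com", "L1"),
    ("2022-03-20T11:00:00", "placeholder-a.com", "L1"),  # sporadic reuse weeks later
    ("2022-05-10T06:30:00", "placeholder-b.xyz", "L1"),
    ("2022-05-10T09:55:00", "placeholder-b.xyz", "L1"),
    ("2022-07-01T14:00:00", "placeholder-c.xyz", "L1"),
    ("2022-07-01T14:47:00", "placeholder-c.xyz", "L1"),
    ("2022-07-01T15:10:00", "placeholder-d.site", "L1"),
    ("2022-07-01T15:05:00", "placeholder-c.xyz", "L2"),  # same domain on both levels
]


def suffix(domain):
    """Naive public suffix: the last label. Enough for .com/.xyz style TLDs."""
    return domain.rsplit(".", 1)[-1]


def domain_stats(sightings):
    """Aggregate every sighting of a domain, whatever level it was seen on."""
    times = defaultdict(list)
    levels = defaultdict(set)
    for ts, domain, level in sightings:
        times[domain].append(datetime.fromisoformat(ts))
        levels[domain].add(level)
    stats = {}
    for domain, seen in times.items():
        first, last = min(seen), max(seen)
        stats[domain] = {
            "suffix": suffix(domain),
            "levels": sorted(levels[domain]),
            "hits": len(seen),
            # amplitude: calendar span from first to last sighting, inclusive
            "amplitude_days": (last.date() - first.date()).days + 1,
            # active days: distinct dates on which the domain actually got hits
            "active_days": len({t.date() for t in seen}),
            # lifespan in minutes, the Stage III view
            "lifespan_minutes": int((last - first).total_seconds() // 60),
        }
    return stats


def one_timers(stats):
    """Domains active on a single day only."""
    return sorted(d for d, s in stats.items() if s["active_days"] == 1)


def consolidated(stats):
    """Domains used for both the landing page and the ISO hosting."""
    return sorted(d for d, s in stats.items() if s["levels"] == ["L1", "L2"])


def suffixes_per_day(sightings, level="L1"):
    """Number of distinct domains per suffix on each day, for one level."""
    domains_by_day = defaultdict(set)
    for ts, domain, lvl in sightings:
        if lvl == level:
            domains_by_day[ts[:10]].add(domain)
    return {day: dict(Counter(suffix(d) for d in doms))
            for day, doms in sorted(domains_by_day.items())}


if __name__ == "__main__":
    stats = domain_stats(SIGHTINGS)
    for domain, s in sorted(stats.items()):
        print(f"{domain:20} amp={s['amplitude_days']:>3}d active={s['active_days']} "
              f"life={s['lifespan_minutes']:>6}min levels={','.join(s['levels'])}")
    print("one-timers:", one_timers(stats))
    print("both levels:", consolidated(stats))
    for day, mix in suffixes_per_day(SIGHTINGS).items():
        print(day, mix)
```

The separation of amplitude from active days is what exposes the sporadic pattern the write-up describes: placeholder-a.com spans 46 calendar days but was only ever hit on 3 of them, while the later .xyz domains live for a couple of hours and never return. A domain whose lifespan is measured in minutes is a strong hint that reputation-based blocking alone will always lag behind it.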
And no, this is not a mistake — August is indeed almost entirely blank. We don't know the exact reason; malvertising campaigns usually hit for several days and stop (as they are quite costly!), yet this campaign has been steady and fully throttled for months and months! They seem to have stopped in August to regroup and recalculate profit vs. cost, and we do see them back online, in lower (yet still relatively high!) numbers, into September and counting.
This campaign is special on so many levels, starting with its intensity, length and versatility, and continuing with how it always wins the race against conventional security measures by shifting shapes, both in the distribution campaign and in the malicious payload itself (see ISOtonic Part 2).
One last interesting insight is how it retained a high (sometimes unbelievable) conversion rate, the percentage of users who were presented with the deceptive landing page and actually downloaded the malicious ISO file. Here we can see how carefully and effectively this is handled by the threat actors:
Starting with a conversion rate of around 60% (!!!) and slowly declining as protection activities started to kick in. See how it declines yet always remains steady around 35%! Before their “summer vacation” we see it decline even further to ~15%; this is exactly when they decided to take a break and recalibrate. And as you can see, it helped! After a few weeks it was back to the average of 30%!
It's amazing to see how simple activities (and lots of money…) can quite easily evade traditional security measures. The race is tight, but those actors have managed to keep the lead for months and counting! With hundreds of millions of downloads estimated, we can also quite easily estimate that there are millions of currently active infected computers out there, fully controlled and abused by this threat actor, who can do whatever they want and harvest more and more profit.
Continue reading Part 2 to see what's inside that ISO file:
ISOtonic Part 2 — The Army of Bots
Following is a listing of many of the abused domain names on each level of this campaign, for reference.
Level 1 Domains (Hosting ISO Files): https://gist.github.com/bizzo6/ecc365a6dfb5fa896dc2e6315aa1f6fe
Level 2 Domains (Landing pages / Malvertising): https://gist.github.com/bizzo6/b20e42f24b4800dad8333c9649f55959