RoughTed malvertising bypasses ad blockers, says Malwarebytes
The malvertising operation uses dynamic strings to bypass ad blockers like AdBlock Plus and uBlock Origin
The RoughTed malvertising operation has been in operation for at least a year, peaking in March 2017, and is notable for its scope and the wide number of users targeted. Malwarebytes first discovered RoughTed when investigating the Magnitude exploit kit, and has published an in-depth blog post on the topic.
Malvertising is the process of injecting adverts carrying malware into legitimate advertising networks. It is a complex system; the best-run operations are difficult to track and shut down, and some, like RoughTed, bypass ad blockers.
Domains related to RoughTed gathered as many as half a billion hits over the last three months, says Malwarebytes, with malicious adverts served on many thousands of publishers (sites carrying adverts, like news outlets) - some ranked in Alexa's top 500 websites. The payload can take a variety of forms, including exploit kits, scams and malware.
Malwarebytes first saw a RoughTed domain as part of a redirection chain. The domain was calling out to an XML feed to serve adverts; however, because of the company's geolocation at the time (South Korea), it was redirected to the Magnitude exploit kit. Soon after, a similar redirection was found pointing to the RIG exploit kit.
Mining the data set exposed over a hundred other domains, mostly created in small batches using the EvoPlus registrar with a .ru or .ua email address, each responsible for at least five different domains. Each domain was (and is) being used as a gateway meant to bypass ad-blockers.
Clusters representing domain names are assigned to a unique registrant email
Each cluster of domain names was found to be using certain naming conventions, with one or two strings in different positions. For example, ‘getetafun.info’, ‘getfuneta.info’ and ‘fungetbag.info’. The same was true for separate domain clusters that do not share email addresses - certainly not a coincidence.
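The naming pattern above (the same short strings recycled in different positions) can be used to group freshly registered domains for review. The following added example, not code from the article or from Malwarebytes, links two domains when their labels share at least two distinct chunks; the sample list is constructed from the three names quoted above plus invented filler domains.

```python
# Added example (not from the article or Malwarebytes): cluster domain names that
# recycle the same short strings in different positions, as the RoughTed batches did.
from itertools import combinations

# Constructed sample: the three names quoted in the article plus invented fillers.
SAMPLE_DOMAINS = [
    "getetafun.info", "getfuneta.info", "fungetbag.info",
    "bagetafun.info",                                # constructed: same tokens, new order
    "example.com", "internet.org", "interval.net",   # constructed unrelated names
]

def shared_chunks(a, b, min_len=3):
    """Maximal substrings of length >= min_len that appear in both labels."""
    found = {a[i:j] for i in range(len(a))
             for j in range(i + min_len, len(a) + 1) if a[i:j] in b}
    # Drop chunks that are merely pieces of a longer shared chunk ("eta" inside "etafun").
    return {s for s in found if not any(s != t and s in t for t in found)}

def registrable_label(domain):
    """'getetafun.info' -> 'getetafun' (the part the registrant actually chose)."""
    return domain.lower().rsplit(".", 1)[0]

def cluster_by_naming_pattern(domains, min_shared=2):
    """Group domains whose labels share at least min_shared distinct chunks.
    Two unrelated words sharing one run ('inter' in internet/interval) are not linked."""
    parent = {d: d for d in domains}          # union-find over domain names
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for d1, d2 in combinations(domains, 2):
        if len(shared_chunks(registrable_label(d1), registrable_label(d2))) >= min_shared:
            parent[find(d1)] = find(d2)
    groups = {}
    for d in domains:
        groups.setdefault(find(d), []).append(d)
    # Largest clusters first; a big cluster of look-alike names is what a reviewer wants to see.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))

if __name__ == "__main__":
    for group in cluster_by_naming_pattern(SAMPLE_DOMAINS):
        print(len(group), group)
```

Fed a day's worth of new registrations, the same grouping surfaces batches like the ones described above for manual review; a single shared chunk is deliberately not enough to link two names.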
Spreading through Amazon
Most of RoughTed's traffic comes from publishers operating in the grey web: video streaming and file sharing sites, closely linked to URL shorteners. These sites have a high volume of traffic and generally low safety and quality standards.
Denis Sinegubko, a malware researcher at security firm Sucuri, shared his own RoughTed findings with Malwarebytes. He discovered that personal websites had also been infected: webmasters had knowingly integrated an ad-code script from advertising company Ad-Maven in an attempt to monetise their sites. Whether or not they knew that the script contained malicious code is not clear, but Ad-Maven specifically boasts about its ability to track users (fingerprinting) and bypass ad-blockers - so draw your own conclusions.
Scripts show cloudfront.net subdomains being served through the Amazon CloudFront CDN, making Amazon a referrer to RoughTed.
Track and trace
The Ad-Maven code has been identified for its use of fingerprinting techniques: specifically ‘canvas fingerprinting’, which is used by websites to identify and track visitors using HTML5's canvas element, instead of browser cookies. RoughTed uses this to identify users that might be lying about their browser or geolocation.
RoughTed redirections appear to take place even if the user is running software like Adblock Plus or AdGuard; an animation recorded by Malwarebytes shows this happening.
Sharing is caring
As we mentioned, the scope of RoughTed is one of its most interesting features. The operation does not target any single operating system or browser: there is a payload for everyone. Mac users, for example, are sent popups for a fake Flash Player update, while Windows users could be barraged with ‘updates’ for anything, from Flash and Java to codecs.
Rogue Chrome extensions; forced redirections to ‘free’ apps on iTunes or the app store (malvertising operators receive commission for each install); exploit kits; and, of course, the classic tech support scams have all been seen from RoughTed.
Round and round, again and again
Malvertising is not as easy as it appears on the surface; but, when a big case is uncovered, the publishers and advertising networks are blamed. End users have responded by moving, quite understandably, to ad blockers. This has in turn caused a response by companies requiring users to remove ad blockers before accessing content - the reasoning being that they should not get for free what cost the company money to produce.
Using dynamically created scripts to bypass ad blockers is a clever (and dangerous, if those ads contain malware) move. For example, the advertising code a publisher includes on their website is unique to them, and thus is less likely to be detected. The script pulls data from a new URL each day, so it is very likely that at least a few ads will get through.