VeryMal Strikes Again With a New Twist on Its Complex Redirect Attack

Sometimes… Oftentimes… They come back.

The redirect attacks, that is, something just about every publisher at AdMonsters’ Publisher Forum in Miami last week could attest to. And every one of those attendees has definitely thought to themselves, “Who the hell is doing this?”

Enter VeryMal, a relatively new malvertising group that’s been causing a great deal of havoc in 2019. On March 13, Confiant’s real-time malvertising scanner picked up a spike in redirects tied to Google’s Firebase, an evolution from VeryMal’s previous use of steganography.

However, the package delivered gave the culprit away: a forced redirect to a fake Flash installer that actually implants the Shlayer Trojan on a user’s device. Lasting around 36 to 48 hours, this attack affected around 1 million users, with a taste for those on desktop Safari.

To learn more about the ne’er-do-wells behind the nuisance, we asked Confiant Senior Engineer Eliya Stein and CEO LD Mangin for more details on this latest attack and what makes VeryMal such a sophisticated attacker. We also got a peek into Confiant’s latest Demand Quality report (which we’ve written about before) and their mysterious new “Chief Quality Officer.”

GAVIN DUNAWAY: How do you know this latest round of malware attacks came from VeryMal? Do they have any signature “moves”?

ELIYA STEIN: There are multiple strong indicators that are specific to VeryMal:

  • Their payload redirects to a .icu domain with a fake Flash update.
  • Their fingerprinting checks for Apple system fonts in the same manner that the previous VeryMal payload did.
  • We were able to extract their other (inactive) Firebase payloads and found their domain (veryield-malyst.com) as well as their old steganography payloads. This was the smoking gun.

GD: What makes VeryMal’s campaigns so sophisticated and what was new in this latest assault?

ES: VeryMal are actively exploring ad serving techniques that make their ads look like legitimate, “vanilla” ad tech, and this is a prime example. On the surface this creative tag just looked like any other ad, but it happened to load a resource from Firebase.

Also, having seen that they have multiple versions of these payloads ready really illustrates that they are ready to pivot at a moment’s notice. They are bringing a certain level of clever innovation to malvertising.

GD: What is steganography, and why are malware artists switching to Firebase instead?

ES: Steganography in this context is the practice of hiding data inside image files. VeryMal were hiding JavaScript inside images and then executing that code inside the browser to perform forced mobile redirections to their malicious Flash installers.

One of the reasons to try other avenues like Firebase is that their other campaigns might be getting shut down at an increasing rate and impacting their ROI. Another reason is that when a resource is loaded from a Google domain such as Firebase, it tends to look legitimate.

GD: Can Google potentially shut down this avenue?

ES: Google is certainly able to shut down these specific incidents of Firebase abuse (and they do), but Firebase is just a datastore like any other, so it’s unclear if they’re able to shut down this entire “category” of abuse. The code that’s stored in Firebase is not malicious until it is extracted and executed inside a browser.

GD: You guys just released another Demand Quality report—what’s one of the big findings in this iteration?

LD MANGIN: The industry as a whole saw more than 500 billion fraudulent IBV and malicious impressions served during 2018 — one out of every 60 programmatic impressions. Also:

  • There was a 31% increase in malvertising rates from Q1 to Q4.
  • 90 billion digital video impressions were made up of IBV fraud on publishers in Q4 of last year.
  • When it comes to malicious behavior, several European countries have taken the lead with Malicious Rates trending 80% higher than the US.
  • Looking now at the full year of malicious ad data and summarizing it by day of the week, we can conclusively see that the preferred day to attack is actually Sunday.

GD: At PubForum Miami, you announced that you’ve hired a Chief Quality Officer. What makes this guy qualified for the job, and why is this an important role for the industry?

LD: Our new CQO, whose name we plan to release closer to his start date, has a prolific background in the space. As for the role, as we move away from quantity over quality in programmatic, I think we want to see more companies adopt the practice of hiring team members that can really ensure quality.