TL;DR
There was a campaign for a Fake Malware TOAD via Malvertizing.
Tactical Pause
THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.
Intro
This documents my analysis of a campaign to deliver a Fake Malware TOAD URL via malvertizing. The malicious ads were served on federalpay[.]org. The thractor filters certain requests, and I witnessed the malicious ads being up for around an hour.
Inspiration
Saw Luke Acha’s [1] post [2] on PrimePDFConvert.exe. It inspired me to check up on the latest malvertizing. I checked up on my tried and true domain for malvertizing leads: federalpay[.]org.

The Ads
This is what I was presented with.

Here’s another snip of another one from about the same time.

Clicking the link, or accessing the domain directly, redirects you to the Fake Malware TOAD URL below.
hxxps://gjkabnguienbgjkw.blob.core.windows[.]net/$web/Wi0nHelpDigiErr0t030/index.html

TOAD Explained
TOAD stands for Telephone-Oriented Attack Delivery. The gist is that the thractor delivers a lure that instructs the user to call the thractor for follow-on activities.
Advertiser
The advertiser is “SYSTEM THINK, INC”. The snip below shows other ads by the advertiser.

Each ad listed in the snip above has a .site domain. Each of them leads to the same Fake Malware TOAD URL previously mentioned. Interestingly, as I was analyzing results between 0800-0915 HST, the ads disappeared, new ads appeared, and then eventually they were totally gone. As of writing at approximately 1000 HST, the advertiser only has one ad still up. It does not appear to be related. See the snip below.

Before the ads went down, I was able to jot down a few. Although the ads are down, the sites are still redirecting to the Fake Malware TOAD site. See the IOCs list below for the rest of the redirecting sites.
Traffic Filtering
The thractor appears to filter traffic. The redirecting sites render a template page when accessed from urlscan or Silent Push. See the snip below for a urlscan example from the URL pasted below.
https://urlscan.io/result/019a9d3a-a120-73e8-ac64-c784c0082a18

When I accessed the redirector sites from my Flare VM, I was redirected to the Fake Malware TOAD URL. When I ran an IWR (Invoke-WebRequest) against the redirecting site, with a customized User Agent to masquerade as Chrome, it returned the template page.
Summary
This documented my analysis of a campaign to deliver a Fake Malware TOAD URL via malvertizing. The malicious ads were served on federalpay[.]org. The thractor filters out scanners and returns a template response. Additionally, the thractor filtered out my PS IWR attempt. I witnessed the malicious ads being up for around an hour.
IOCs
carinteriors[.]site
cozyworkspace[.]site
fitnessgadgets[.]site
fitnessgearhub[.]site
gymora[.]site
handmadecandles[.]site
handmadejewels[.]site
naturalskincare[.]site
safetravelgear[.]site
skincarekits[.]site
smartkitchenware[.]site
womenshandbags[.]site
gjkabnguienbgjkw.blob.core.windows[.]net
hxxps://gjkabnguienbgjkw.blob.core.windows[.]net/$web/Wi0nHelpDigiErr0t030/index.html
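As an added example that is not part of the original post, the Python script below refangs the IOC list above (undoing the hxxps:// and [.] defanging) and matches it against a few constructed proxy log lines, so a defender can hunt for the redirector domains and the TOAD landing page in their own web logs. It also flags, at lower confidence, any other Azure Blob static-website URL (the /$web/ path pattern the TOAD page is hosted under). The log line format and the sample lines are assumptions made for the example; the IOC values themselves come from the list above.

```python
import re
from urllib.parse import urlparse

# IOCs as listed in the post, kept defanged and refanged at match time.
DEFANGED_IOCS = [
    "carinteriors[.]site",
    "cozyworkspace[.]site",
    "fitnessgadgets[.]site",
    "fitnessgearhub[.]site",
    "gymora[.]site",
    "handmadecandles[.]site",
    "handmadejewels[.]site",
    "naturalskincare[.]site",
    "safetravelgear[.]site",
    "skincarekits[.]site",
    "smartkitchenware[.]site",
    "womenshandbags[.]site",
    "gjkabnguienbgjkw.blob.core.windows[.]net",
    "hxxps://gjkabnguienbgjkw.blob.core.windows[.]net/$web/Wi0nHelpDigiErr0t030/index.html",
]


def refang(ioc: str) -> str:
    """Undo common defanging so an IOC can be compared against raw log data."""
    return (
        ioc.replace("[.]", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
    )


def ioc_hosts(iocs):
    """Reduce every IOC (bare domain or full URL) to a lowercase hostname."""
    hosts = set()
    for ioc in iocs:
        value = refang(ioc)
        if "://" in value:
            hosts.add((urlparse(value).hostname or "").lower())
        else:
            hosts.add(value.lower())
    return hosts


# Constructed sample proxy log (assumed format): timestamp client method url "user-agent".
SAMPLE_LOG = """\
2025-11-20T18:01:02Z 10.0.0.5 GET https://federalpay.org/ "Mozilla/5.0 Chrome/131"
2025-11-20T18:01:09Z 10.0.0.5 GET https://gymora.site/ "Mozilla/5.0 Chrome/131"
2025-11-20T18:01:10Z 10.0.0.5 GET https://gjkabnguienbgjkw.blob.core.windows.net/$web/Wi0nHelpDigiErr0t030/index.html "Mozilla/5.0 Chrome/131"
2025-11-20T18:02:30Z 10.0.0.7 GET https://example.com/ "Mozilla/5.0 Firefox/128"
2025-11-20T18:03:11Z 10.0.0.9 GET https://learn.microsoft.com/ "Mozilla/5.0 Chrome/131"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def scan_log(text: str, iocs=DEFANGED_IOCS):
    """Return one hit per log line whose host matches an IOC or the Azure $web hosting pattern."""
    hosts = ioc_hosts(iocs)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _ua = m.groups()
        host = (urlparse(url).hostname or "").lower()
        reason = None
        if host in hosts:
            reason = "known-ioc"
        elif host.endswith(".blob.core.windows.net") and "/$web/" in url:
            # Same hosting pattern as the TOAD page; worth a look but not proof on its own.
            reason = "azure-static-site"
        if reason:
            hits.append({"ts": ts, "client": client, "host": host, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} [{hit['reason']}]")
```

Matching is on the full hostname rather than a substring so that unrelated Azure Blob static sites are only surfaced by the lower-confidence heuristic, and an analyst can triage the two reasons separately.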
References
1 – https://x.com/luke92881
2 – https://x.com/luke92881/status/1991153662782013561
