Security researchers have warned of a new malvertising campaign using steganography techniques to target Apple users.
The VeryMal group has run multiple campaigns since August 2018, attempting to redirect users to the veryield-malyst domain, according to Confiant security engineer Eliya Stein.
As many as five million users may have been subject to the most recent campaign, which used steganography to hide the payload from security tools.
“As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done,” explained Stein.
“The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”
In this case the campaign is designed to drop a trojan known as Shlayer, an adware installer which uses “an atypical installation routine” in a bid to evade detection.
VeryMal campaigns are typically active for only a few days; this one ran from January 11-13 on two top-tier exchanges representing around a quarter of the top 100 publisher sites, Stein added.
US-based Mac and iOS customers are the target for VeryMal.
The practice of steganography, in this case hiding JavaScript malware inside an image file, has become increasingly popular of late, according to Stein.
This could be costing the ad industry dear. Confiant calculated the financial impact of just one day of this campaign at over $1.2m, factoring in publishers losing money from interrupted user sessions and increased use of ad blockers by disgruntled users in the future.
Ad exchanges also lose out from having inventory access cut off, and advertisers suffer ad fraud from infected devices, not to mention the users left with infected machines, explained Stein.
Confiant detected and blocked over 191,000 impressions across its publisher customers for this campaign, whilst a further two in December apparently yielded over 437,000 impressions.