Are you feeling Lucky Today?

A recently identified malvertising campaign targeting users of mobile and other connected devices makes heavy use of obfuscation and cloaking to avoid detection. Named LuckyBoy, the multi-stage, tag-based campaign focuses on iOS, Android, and Xbox users. Since December 2020 it has penetrated more than 10 demand-side platforms (DSPs), primarily Europe-based, with observed campaigns impacting users in the U.S. and Canada.

According to security vendor The Media Trust, the malicious script checks for a global variable named ‘luckyboy’ and, alongside it, runs checks to detect whether ad blockers, testing environments, or active debuggers are present on the device. If any of these is detected, the malware does not execute. If it does run on a target environment, it fires a tracking pixel programmed to redirect the user to malicious content, including phishing pages and fake software updates.

The LuckyBoy malware is a Trojan that redirects the user's browser to malicious sites, such as fake update domains, and reports device information that helps attackers compromise the device. It reaches victims through malvertising (malicious advertising) content served into mobile and gaming environments. Owners of at-risk devices can protect them with up-to-date, reputable security solutions that are prepared to remove the LuckyBoy malware, and should watch their web browsing for symptoms such as unexpected website redirects.

Website redirects are not the only danger in the LuckyBoy malware's payload. Although malware analysts have yet to find any in-depth backdoor features, it transfers system information to the attackers' servers, such as country codes, touch interface availability, and the number of CPU cores. Generalized reconnaissance of this type is often a precursor to additional attacks that drop other threats onto the system or take over the device entirely.

LuckyBoy was observed operating in bursts: small campaigns are launched on Thursday nights with only a few compromised tags and continue throughout the weekend. Multiple checks are performed as the campaign advances through its stages, with extensive code obfuscation and domain exclusion employed and device-specific information extracted along the way.

The harvested device data includes country code, window size, graphics information, number of CPU cores, battery level, current domain, plugins, the presence of webdriver (browser automation), and whether touch is available, likely to set up future attacks. The malware continuously re-checks that the global variable still holds the value ‘luckyboy’; otherwise the script stops execution and exits after delivering a clean creative to the user.
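As an added example (not code from the LuckyBoy campaign, The Media Trust, or Red Sky Alliance), the cloaking and fingerprinting flow described above is modelled below in JavaScript against a plain object that stands in for the browser `window`, so it runs under Node without a DOM. The property names follow real browser APIs (`navigator.webdriver`, `navigator.hardwareConcurrency`, `navigator.maxTouchPoints`); the two sample environments, the creative and pixel URLs, the `devtoolsOpen` and `adBaitBlocked` flags, and the indicator list at the end are assumptions for illustration.

```javascript
// Added example: a model of the staged cloaking / fingerprinting decision
// the article describes. Not the campaign's own code. Runs under Node.

const FLAG = 'luckyboy';                                   // global variable the script re-checks
const CLEAN_CREATIVE = 'https://cdn.example/clean-banner.png';  // assumed placeholder
const MALICIOUS_PIXEL = 'https://tracker.example/px.gif';       // assumed placeholder

// Reasons the script would refuse to run; an empty list means "real user device".
// devtoolsOpen and adBaitBlocked are simulated inputs standing in for the
// timing and bait-element tricks a browser script would use (assumption).
function hostileSignals(win) {
  const nav = win.navigator || {};
  const reasons = [];
  if (win[FLAG] !== true) reasons.push('global flag missing or altered');
  if (nav.webdriver === true) reasons.push('automation: navigator.webdriver');
  if (win.devtoolsOpen === true) reasons.push('active debugger');
  if (win.adBaitBlocked === true) reasons.push('ad blocker: bait element hidden');
  if ((nav.hardwareConcurrency || 0) < 2) reasons.push('too few CPU cores (sandbox?)');
  if (!win.innerWidth || !win.innerHeight) reasons.push('no viewport (headless?)');
  return reasons;
}

// The device data the article lists, gathered as an ad tag would gather it.
function fingerprint(win) {
  const nav = win.navigator || {};
  return {
    countryCode: (nav.language || '').split('-')[1] || null,
    window: [win.innerWidth, win.innerHeight],
    gpu: win.webglRenderer || null,          // in a browser: WEBGL_debug_renderer_info
    cores: nav.hardwareConcurrency || null,
    battery: win.batteryLevel == null ? null : win.batteryLevel, // navigator.getBattery() is async
    domain: win.location ? win.location.hostname : null,
    plugins: Array.from(nav.plugins || [], p => p.name),
    webdriver: nav.webdriver === true,
    touch: ('ontouchstart' in win) || (nav.maxTouchPoints || 0) > 0,
  };
}

// One pass through the decision: serve the clean creative, or fire the pixel
// that carries the fingerprint and redirects.
function decide(win) {
  const reasons = hostileSignals(win);
  if (reasons.length) return { action: 'clean', url: CLEAN_CREATIVE, reasons };
  return { action: 'redirect', url: MALICIOUS_PIXEL, beacon: fingerprint(win) };
}

// Defender side: a crude static scan of a creative's script text for the
// API combination the cloaking path relies on (indicator list is an assumption).
const CLOAKING_APIS = [
  'navigator.webdriver', 'hardwareConcurrency', 'getBattery',
  'maxTouchPoints', 'WEBGL_debug_renderer_info', 'navigator.plugins',
];
function cloakingIndicators(scriptText) {
  return CLOAKING_APIS.filter(api => scriptText.includes(api));
}

// Constructed sample environments (not captured data).
const realPhone = {
  luckyboy: true,
  innerWidth: 390, innerHeight: 844,
  webglRenderer: 'Apple GPU',
  batteryLevel: 0.81,
  location: { hostname: 'news.example' },
  ontouchstart: null,
  navigator: { language: 'en-US', hardwareConcurrency: 6, maxTouchPoints: 5, plugins: [] },
};
const analystSandbox = {
  luckyboy: true,
  innerWidth: 1280, innerHeight: 800,
  location: { hostname: 'adverifier.example' },
  navigator: { language: 'en-US', hardwareConcurrency: 1, webdriver: true, plugins: [] },
};

console.log(decide(realPhone));       // action: 'redirect', beacon with the fingerprint
console.log(decide(analystSandbox));  // action: 'clean', reasons listing webdriver and core count
```

The point for a verification team is the second call: an automated scanner with `navigator.webdriver` set, or a sandbox reporting one core, is shown the clean creative and never sees the redirect, which is why the article describes the campaign as hard to catch in testing environments.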

LuckyBoy is likely running tests, probing to gauge its success before launching a broader attack. The campaign was confirmed to execute on tags wrapped with malware-blocking code, bypassing those defenses, which is further evidence of its sophistication. The security firm says it is currently working with Google and TAG Threat Exchange to isolate the buyer and block them from launching these campaigns.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.


Reporting:  https://www.redskyalliance.org/

Website:     https://www.wapacklabs.com/

LinkedIn:   https://www.linkedin.com/company/wapacklabs/

Twitter:      https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings: 

https://attendee.gotowebinar.com/register/8782169210544615949


 TR-21-039-002_Lucky.pdf


https://www.securityweek.com/luckyboy-malvertising-campaign-hits-ios-android-xbox-users
