LuckyBoy Malvertising Campaign Employs Cloaking and Obfuscation Techniques

A heavily obfuscated, multistage, tag-based malvertising campaign, dubbed LuckyBoy, has recently been found targeting iOS, Android, and Xbox users. Media Trust researchers have released a report on the LuckyBoy campaign.

Key findings

First detected in early December 2020, the cross-platform malvertising campaign, LuckyBoy, has been using digital advertising to propagate and to target mobile and other connected-device users.
  • The campaign has quickly escalated to penetrate more than 10 Demand Side Platforms (DSPs), primarily Europe-based, with observed campaigns impacting users in the U.S. and Canada.
  • Extensive code obfuscation, domain exclusion, and multiple cloaking tactics enable the campaign to avoid detection.

Modus Operandi

  • LuckyBoy has been observed using a tracking pixel to redirect the victim to malicious phishing sites or bogus software updates.
  • The campaign employs extraction techniques to harvest device-specific data, including battery level, country code, graphics information, number of CPU cores, window size, current domain, and installed plugins, likely to profile victims for future attacks.
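As an added illustration of how a defender can triage ad tags for this behaviour (this is not code from the Media Trust report or from LuckyBoy), the heuristic below scans a tag's JavaScript for the browser APIs that expose the data points listed above and for common obfuscation markers, and flags tags that combine both. The API patterns are assumptions about how such fields are usually read, and the two sample tags are constructed for the example.

```javascript
// Added example, not code from the report or from the campaign itself.
// Browser APIs (assumed) that expose each data point named in the report.
const PROBE_PATTERNS = {
  battery:  /navigator\.getBattery/,
  cpuCores: /hardwareConcurrency/,
  graphics: /WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL/,
  window:   /innerWidth|innerHeight|screen\.width|screen\.height/,
  domain:   /location\.hostname|document\.domain|document\.referrer/,
  plugins:  /navigator\.plugins/,
  locale:   /navigator\.language|getTimezoneOffset/,
};

function count(src, re) {
  return (src.match(re) || []).length;
}

// Returns which probes are present, whether the tag looks obfuscated
// (hex/unicode-escaped strings, string-array lookups, dynamic eval),
// and a verdict: several probes combined with obfuscation.
function analyzeAdTag(src) {
  const probes = Object.keys(PROBE_PATTERNS).filter((k) => PROBE_PATTERNS[k].test(src));
  const hexEscapes = count(src, /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g);
  const arrayLookups = count(src, /_0x[0-9a-fA-F]+\[/g); // obfuscator-style string arrays
  const dynamicEval = /\beval\(|new Function\(|\batob\(/.test(src);
  const obfuscated = hexEscapes >= 10 || arrayLookups >= 5 || dynamicEval;
  return { probes, obfuscated, suspicious: obfuscated && probes.length >= 3 };
}

// Constructed samples: a plain tracking pixel, and a tag that gathers the
// report's data points through a hex-escaped string array and eval().
const BENIGN_TAG =
  'var i=new Image();i.src="https://ads.example.invalid/px.gif?w="+window.innerWidth;';
const SUSPICIOUS_TAG = [
  'var _0x4a2b=["\\x67\\x65\\x74\\x42\\x61\\x74\\x74\\x65\\x72\\x79","\\x6c\\x65\\x76\\x65\\x6c"];',
  'navigator.getBattery().then(function(b){d.bl=b[_0x4a2b[1]];});',
  'd.cores=navigator.hardwareConcurrency;d.w=window.innerWidth;',
  'd.gpu=gl.getExtension("WEBGL_debug_renderer_info");',
  'd.host=location.hostname;d.pl=navigator.plugins.length;',
  'eval(atob(_0x4a2b[0]));',
].join('\n');

console.log(analyzeAdTag(BENIGN_TAG));     // probes: ['window'], suspicious: false
console.log(analyzeAdTag(SUSPICIOUS_TAG)); // six probes, obfuscated and suspicious: true
```

A tag flagged this way is a candidate for manual review or blocking at the tag-management layer, not proof of malice on its own, since legitimate analytics scripts also read some of these fields.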

Other recent similar campaigns

  • In January, the KovCoreG group was discovered running malvertising campaigns by using fake critical Firefox and Chrome update alerts to distribute the hazardous Kovter.C Trojan.
  • In November, a malvertising campaign dubbed Malsmoke was observed redirecting adult website visitors to malicious websites serving up the well-known Zloader malware.

Malvertising - a bigger issue

In the current threat landscape, many malvertising attacks arrive through low-quality traffic and shady ad networks. By abusing the digital advertising ecosystem, threat actors can reach the largest possible number of victims. Such campaigns will continue with new and evolving tactics, so security professionals should stay alert to these attacks.

Cyware Publisher