According to The Media Trust’s Digital Security & Operations (DSO) team, iPhone users have been targeted by a
“Named Krampus-3PC1 by the DSO, this unique malware delivered the payload using a multi-stage redirect mechanism and two obfuscation methods to evade conventional scanning and blocking tools.” reads the analysis published by the DSO experts. “While most malicious campaigns use one method of redirection, Krampus-3PC employed a backup method to ensure users were redirected to the fraudulent popup masquerading as a global grocery store reward ad.”
The Krampus-3PC malware is able to harvest the users’ session and cookie information allowing the attackers to log into their
If visitors click on the grocery store ad, they are redirected to a phishing page in an attempt to trick them into entering their personal information.
“The malware was able to retrieve not only whatever information users entered but also their phone numbers, which were later used for phishing texts, and cookie IDs,” continues DSO “The cookie ID enabled Krampus-3PC to hijack the browser, and – if the user had other sites like their bank or favorite online retailer open on their device – gain access to the user’s account. Access to a session cookie would enable the
Krampus-3PC evaded scanners and blockers by leveraging heavy obfuscation.
The attackers first placed an ad to be distributed via the Adtechstack
Once a reader visited a site and the compromised ad’s creative tag was loaded, Krampus-3PC unpacked th
If the above checks were satisfied, the malware injected the malicious script that triggered additional checks to determine if the device was an iPhone.
“If the results were positive, Krampus-3PC built and executed the payload URL—boostsea2—and sent user data to the C&C server. This payload URL hijacked the browser, replacing the page address in order to redirect users to the phony reward popup.” continues the analysis. “If the redirection failed, it used the backup method, loading the malicious URL onto another tab. The URL would continue to open and load onto a new tab until the redirection succeeded.”
Once all the checks were met, the user was redirected to the malicious popup, which attempted to harvest their data.
At the time, The Media Trust did not reveal the names of the affected publishers.
(SecurityAffairs – Iran, hacking)