Threat Management, Malware

RoughTed malvertising campaign bypassing ad blockers


With more than a half billion domains infected by the RoughTed malvertising operation, its effectiveness only continues to escalate, according to Jérôme Segura, lead malware intelligence analyst at Malwarebytes Labs, writing on the company blog.

While it peaked in March 2017, the scourge has been rolling out for more than a year with a dark cornucopia encompassing scams and exploit kits that go after a broad range of targets using their operating system, browser and geolocation to inject the appropriate payload, Segura wrote.

And its success in compromising systems lies in its sophisticated techniques that usurp control from victims and get around ad-blockers.

Exacerbating attempts to mitigate the threat is the bad actors' strategy for obfuscating their activity. They have been using the Amazon cloud infrastructure – in particular, its Content Delivery Network (CDN) – "while also blending in the noise with multiple ad redirections from several ad exchanges, making it more difficult to identify the source of their malvertising activity," Segura explained.

By exploiting fingerprinting and ad-blocker bypassing techniques upstream, the RoughTed campaign has polluted thousands of publishers, ensnaring more than half a billion visits in just the past three months. Once struck, it delivers a mix of payloads, including scams, exploit kits and malware.

Analysis by the Malwarebytes team detected that most of the domains used in the spread of RoughTed were created via the EvoPlus registrar in small batches with a new .ru or .ua email address each time, Segura said. Each were being used as gateway intended to workaround ad-blockers.

The intention is to increase traffic on targeted websites via streaming video or file sharing sites associated with URL shorteners – sites popular with bad actors because of their lax security.

For example, particularly invasive code embedded in RoughTed uses fingerprinting techniques that can profile users "and identify those that may be cheating the system by lying about their browser or geolocation," Segura explained.

And, the malvertising is agnostic when it comes to browsers and operating systems. It can deliver payloads to Mac users too through fake Flash Player updates.

Segura urges that no matter the platform or browser you use to be careful when downloading extensions or software from third-party distributors.

And, the miscreants behind RoughTed are infecting mobile platforms as well, iOS and Android, by delivering their malvertising through automated redirects to a number of random apps that deliver commissions to them on each install.

Obfuscated code with a RoughTed domain ( was also detected in at least one tech support scam observed in France, Segura pointed out.

As far as exploit kits involved, most of those targeted by RoughTed malvertising campaigns were in the U.S. and Canada, followed by the U.K., Italy, Spain and Brazil.

"Malvertising may look easy on the surface but is actually a much more complex and deep-rooted issue," Segura said. The traditional solution has been to install ad-blockers, but the coders behinD RoughTed are clever in employing dynamically created scripts to force redirections that make their way past ad-blockers, he concluded.

When asked how the attackers continue to alter their code, Segura told SC Media on Thursday that threat actors are keenly aware of the tools and behaviors that may affect their chances of making a profit. "What we observed is a natural fight back to reach as large of an audience as possible."

As to what can be done to defend against RoughTed, Segura told SC that it is a good example of how diverse malvertising can be, for instance, serving scams or exploits. "That means users need to employ various types of protection to fend off those attacks, and it also shows that ad-blockers alone aren't enough."

One thing Segura and his team noticed early on was how this group went to great lengths to bypass ad-blockers and serve the most appropriate content for each potential victim. "Since more and more users are running an ad-blocker, the crooks had to find a way to still be able to distribute malicious ads, no matter what," he told SC

And, as far as what this new delivery method tells us about the coders, Segura explained that these threat actors are very motivated and, without a doubt, generating a lot of revenues from affiliate commissions. "We can only expect more aggressive techniques to force malicious code in new ways that can circumvent the basic tools people have become accustomed to using."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.