Wandera uncovers new domains compromised by RoughTed malvertising variant

If you’ve been keeping up with your security news, you’ll know that RoughTed is the malvertising operation that has taken the enterprise world by storm.

With thousands of webpages and apps serving the malvertisements and an estimated half a billion hits on the campaign in the last three months, it is responsible for a large number of malicious software downloads on employee devices.
Here at Wandera, our machine learning intelligence engine MI:RIAM has identified 10 domains that have served RoughTed malvertisements and that, at the time of writing, are not blocked by any security or antivirus scanner.
MI:RIAM tracked these domains down by matching the known RoughTed indicators of compromise (IOCs) against the URLs in our enterprise customers' mobile traffic, which allowed our team to block the risky domains.

Malvertising explained

Malvertising is the practice of pushing malware and other malicious content through legitimate online ad networks in order to reach a broad spectrum of end users. The ads look perfectly normal, posing as anything from the latest multimedia software to the coolest new app download, and they appear on a wide range of apps and webpages.
Once the user clicks on the ad, the device is sent straight to the malicious download. Clicking an ad unintentionally is much easier than you might think, especially on a mobile device. Some of the more aggressive malvertisements, for example, take over the entire screen while the user is browsing the web. Faced with this, many users' first response is to touch the screen, which triggers the malicious download.
The most frustrating aspect of this delivery method is that the web page showing the malware-ridden ad does not itself have to be compromised in order to display it. Because ad networks inject content seamlessly into the pages they serve, these ads can silently appear on legitimate, high-profile websites.
Malvertising also lets attackers target specific end users, thanks to the granular audience profiling that most advertising networks now provide.
You might think that your business is immune to malvertising campaigns. Many corporations have deployed ad-blocking security software to keep this kind of content off their devices. Unfortunately, attackers keep finding ways around security scanners, and RoughTed is a case in point.
RoughTed: the next generation of malvertising

RoughTed has recently become one of the most concerning names in malvertising thanks to its ability to obfuscate itself and work around ad-blockers.
Traditional antivirus and web-filtering software detect malicious advertisements by identifying the domains that serve them (e.g. www.website.com). Once a domain is classified as malicious (hosting malvertisements), it is blocklisted automatically. This is usually a very effective way to keep these dangerous ads out of users' reach.
What RoughTed manages to do is rotate: every time one of its associated domains (which point at the IP address where the malvertisements are hosted) is blocked, a new domain and URL are registered and take its place. This makes the affected domains very hard to track by blocklist alone, and is a major reason why we continue to see affected devices.
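One way to get ahead of that rotation, shown here as an added example that is not Wandera's code and not a description of how MI:RIAM works: resolve the known-bad domains and pivot on the hosting address to find sibling domains before each one has to be blocklisted individually. The passive-DNS snapshot below is constructed for the demo; the IP addresses are hypothetical (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and every hostname ending in .example is a placeholder. Only the two seed entries are domains from this advisory.

```python
"""
Pivot from blocked RoughTed domains to sibling domains on the same host.

Added example, not Wandera's code. The resolution table is constructed:
the IPs are hypothetical documentation-range addresses and the .example
hostnames are placeholders. Only the two seeds come from the advisory.
"""
from collections import defaultdict

# Constructed "passive DNS" snapshot: domain -> set of IPs it has resolved to.
RESOLUTIONS = {
    "fonderreaders.info": {"203.0.113.10"},      # seed: RoughTed domain from the advisory
    "dearerfonder.info": {"203.0.113.10"},       # seed: RoughTed domain from the advisory
    "newrotation-1.example": {"203.0.113.10"},   # hypothetical: fresh domain on the same host
    "newrotation-2.example": {"203.0.113.11"},   # hypothetical: different host, not reachable by pivot
    "cdn.shared-host.example": {"203.0.113.10", "203.0.113.50"},  # hypothetical: multi-homed
    "news.example": {"198.51.100.7"},            # hypothetical: unrelated legitimate site
}


def invert(resolutions):
    """Build the reverse index: ip -> set of domains that resolve to it."""
    ip_to_domains = defaultdict(set)
    for domain, ips in resolutions.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)
    return ip_to_domains


def pivot(seeds, resolutions, max_sharers=20):
    """Return (candidate_domains, skipped_ips).

    candidate_domains: domains (other than the seeds) that share a hosting IP
    with at least one seed, one hop only.
    skipped_ips: seed IPs that more than max_sharers domains resolve to. Such
    an address is usually a shared CDN or bulk host, so pivoting through it
    would mostly produce false positives; it is reported rather than used.
    """
    ip_to_domains = invert(resolutions)
    bad_ips = set()
    for seed in seeds:
        bad_ips |= resolutions.get(seed, set())

    candidates, skipped = set(), set()
    for ip in sorted(bad_ips):
        sharers = ip_to_domains[ip]
        if len(sharers) > max_sharers:
            skipped.add(ip)
            continue
        candidates |= sharers
    return sorted(candidates - set(seeds)), sorted(skipped)


if __name__ == "__main__":
    seeds = ["fonderreaders.info", "dearerfonder.info"]
    found, noisy = pivot(seeds, RESOLUTIONS)
    print("candidates to review:", found)
    print("ips too shared to pivot on:", noisy)
```

The output is a review queue, not a blocklist: a domain that merely shares an address with a RoughTed domain may be an innocent tenant of the same hosting provider, which is why the example caps the number of co-hosted domains it is willing to pivot through and reports the addresses it skipped.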

Unique findings

Within our global network of enterprise devices, MI:RIAM (using the RoughTed IOCs) detected malicious traffic to hundreds of individual domains, some of which are ranked in Alexa's top 500 websites.
Many of these domains have already been identified and blocked by other security software vendors. We can reveal 10 new domains that we classify as 'zero-day': none of them is currently recognized by any antivirus scanner, and we can confirm that each has served RoughTed malvertisements.
They are as follows:

  1. fonderreaders.info
  2. dearerfonder.info
  3. absential.info
  4. chantly.info
  5. bookforest.biz
  6. canadasungam.net
  7. bookstorage.biz
  8. sunrisewebjo.link
  9. bookelement.biz
  10. skytemjo.link

Our threat detection team took the analysis one step further and identified the content categories of each domain that was affected by RoughTed and accessed by our global network of devices.
This provided us with some very interesting insights:

  • 20% of users who encountered RoughTed-infected domains were accessing, or were redirected to, webpages that help users gain illegal access to computers, content, networks and more.
  • 15% were accessing, or were redirected to, webpages known to host suspect content based on specific web reputation vectors.
  • 11% were accessing, or were redirected to, webpages hosting potentially pornographic content.
  • 7% were accessing, or were redirected to, webpages hosting short clips (audio/video).
  • 5% were accessing, or were redirected to, webpages hosting adult material.
  • 3% were accessing, or were redirected to, webpages known to host and/or distribute malware.

The reality

As stated above, the most frustrating aspect of this type of malvertising campaign is that content classification alone does not catch it. As you can see, only 3% of the RoughTed-infected domains that users accessed were actually classified as hosting and/or distributing malware.
This is because the mobile sites themselves are not necessarily built to host malware. The malware slips through the cracks by arriving as an advertisement on an otherwise ordinary website.
The takeaway from this analysis, however, is a positive one. Businesses can reduce their exposure to malicious advertising campaigns of this kind through policy controls.
Over 60% of the domains on which RoughTed was found fall into content categories that should already be blocked on all corporate devices, such as pornography, suspicious content, illegal content, phishing and malware hosting.
Setting RoughTed aside for a moment, the sites traditionally associated with these web content categories are known to host malware and other harmful content. Blocking employees' mobile devices from accessing them is key to keeping the mobile fleet secure.

However, the fact still remains, these categories only encompass 60% of infected domains. What about the other 40%? Administrators can’t simply block every content category RoughTed has historically affected. They’d be blocking news, games, education and even business mobile websites.
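The two controls discussed above, the category policy from this section and the IOC matching from the "Unique findings" section, combine naturally in a gateway decision. The following is an added example, not Wandera's gateway or MI:RIAM: a category policy is applied first, and any request that survives it is then checked against the ten domains listed in this advisory. The category feed, the request log and every .example hostname are constructed for the demo, and the category labels are shorthand for the advisory's breakdown, not a real vendor's taxonomy.

```python
"""
Layered gateway decision: category policy first, then RoughTed IOC domains.

Added example, not Wandera's gateway. The category table, the request log
and the .example hostnames are constructed; the IOC list is the ten domains
published in the advisory.
"""
from urllib.parse import urlsplit

# The ten RoughTed domains from the advisory.
ROUGHTED_IOC_DOMAINS = {
    "fonderreaders.info", "dearerfonder.info", "absential.info", "chantly.info",
    "bookforest.biz", "canadasungam.net", "bookstorage.biz", "sunrisewebjo.link",
    "bookelement.biz", "skytemjo.link",
}

# Categories the advisory says should already be blocked on corporate devices
# (shorthand labels, not a real vendor taxonomy).
BLOCKED_CATEGORIES = {
    "illegal-access", "suspect-content", "pornography", "adult", "malware-hosting",
}

# Constructed category lookup standing in for a web-reputation feed.
CATEGORY_OF = {
    "cracks.example": "illegal-access",
    "news.example": "news",
    "intranet.corp.example": "business",
    "games.example": "games",
}


def host_of(url):
    """Hostname from a URL, lower-cased, with port and trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def matches_ioc(host, iocs=ROUGHTED_IOC_DOMAINS):
    """True if host is an IOC domain or a subdomain of one.

    Walks the label suffixes (ads.bookforest.biz -> bookforest.biz) but
    never tests a bare TLD, and a lookalike such as bookforest.biz.example
    does not match because the IOC is not one of its suffixes.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels) - 1))


def decide(url):
    """Return (verdict, reason) for one outbound request."""
    host = host_of(url)
    category = CATEGORY_OF.get(host, "uncategorised")
    if category in BLOCKED_CATEGORIES:          # layer 1: content policy
        return "block", f"category:{category}"
    if matches_ioc(host):                       # layer 2: IOC match
        return "block", f"ioc:{host}"
    return "allow", f"category:{category}"


# Constructed request log: page loads mixed with the ad calls they trigger.
SAMPLE_REQUESTS = [
    "https://cracks.example/keygen",            # stopped by category policy alone
    "https://news.example/article/123",         # legitimate page, must stay allowed
    "https://ads.bookforest.biz/serve?x=1",     # ad call from that page, IOC catch
    "http://SUNRISEWEBJO.LINK:8080/r/",         # case and port must not evade the match
    "https://intranet.corp.example/",
    "https://bookforest.biz.example/",          # lookalike suffix, not a subdomain
]


def evaluate(urls=SAMPLE_REQUESTS):
    """Map each URL to its (verdict, reason)."""
    return {u: decide(u) for u in urls}


def blocks_by_layer(urls=SAMPLE_REQUESTS):
    """Count how many blocks each layer produced."""
    counts = {"category": 0, "ioc": 0}
    for verdict, reason in evaluate(urls).values():
        if verdict == "block":
            counts[reason.split(":", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    for url, (verdict, reason) in evaluate().items():
        print(f"{verdict:5} {reason:26} {url}")
    print(blocks_by_layer())
```

Note the order: the legitimate news page is allowed, and it is the ad call it triggers that gets blocked, which is exactly the case category policy alone cannot express. Matching on label suffixes rather than substrings matters too, otherwise a lookalike registered under a different top-level domain would either be missed or produce a false block.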
That’s where Wandera comes in. We are able to uncover domains that all traditional antivirus engines are currently missing with the help of our mobile intelligence engine MI:RIAM’s recognition of IOCs.
Regardless of the continuous proliferation of domains created by RoughTed, MI:RIAM will continue to recognize the indicators of compromise and block the malicious traffic in real-time.
Thanks to our unique web gateway architecture, once a RoughTed compromised URL is identified, we can actually block the malicious traffic from the website before it reaches the device. This ensures malware is never installed and therefore corporate data stored on enterprise devices is never put at risk.
RoughTed is the perfect example to illustrate the necessity of machine learning techniques in today’s continuously advancing mobile threat landscape.