📃Title: Decoding ScamClub’s Malicious VAST Attack
📅Date: 2024-03-13
🔗References:

Description

A recent report details how the threat actor known as ScamClub has shifted to video malvertising, using VAST ads to distribute financial scams. ScamClub abuses the VAST protocol to embed malicious code in video ads; that code fingerprints users and redirects them to scam pages. The report shows how ScamClub has infiltrated numerous ad platforms to reach a broad audience, with a focus on mobile users, and outlines the technical details of the attack flow, from crafting the malicious script to the obfuscation techniques used to evade detection. It underscores the need for constant scanning of video assets to safeguard inventory and protect audiences.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • target-information="United States"
  • target-information="Canada"
  • target-information="United Kingdom"
  • target-information="Germany"
  • target-information="Malaysia"
  • threat-actor ScamClub
  • mitre-attack-pattern=['T1557', 'T1133', 'T1564', 'T1140', 'T1190', 'T1036', 'T1055', 'T1568', 'T1542', 'T1497', 'T1566', 'T1559', 'T1571', 'T1027', 'T1553', 'T1573', 'T1132', 'T1588', 'T1529']

MISP event uuid: 31bee8fd-1453-4ea8-8d71-b296938eeec3

Indicator of Compromise (IoCs)


Full IoCs are available in Rectifyq's MISP.