The threat actor known as Vane Viper has been outed as a purveyor of malicious ad technology (adtech), while relying on a tangled web of shell companies and opaque ownership structures to deliberately evade responsibility.
“Vane Viper has provided core infrastructure in widespread malvertising, ad fraud, and cyberthreat proliferation for at least a decade,” Infoblox said in a technical report published last week in collaboration with Guardio and Confiant.
“Vane Viper not only brokers traffic for malware droppers and phishers, but appears to run their own campaigns, consistent with previously documented ad-fraud techniques.”
Vane Viper, also called Omnatuor, was previously documented by the DNS threat intelligence firm in August 2022, describing it as a malvertising network akin to VexTrio Viper that takes advantage of vulnerable WordPress sites to build a massive network of compromised domains and use them to spread riskware, spyware, and adware.
One of the notable aspects of the threat actor’s persistence techniques is the abuse of push notification permissions to serve ads even after the user navigates away from the initial page by altering browser settings. This approach relies on service workers, which maintain a persistent headless browser process to listen for events and serve unwanted notifications.
Late last year, Guardio Labs laid bare a campaign dubbed DeceptionAds that was found to leverage Vane Viper’s malicious ad network to facilitate ClickFix-style social engineering campaigns. The activity was attributed to a company named Monetag, which, according to Infoblox, is a subsidiary of PropellerAds, a commercial ad technology company that, in turn, is a subsidiary of AdTech Holding, a holding company based in Cyprus.
Domains linked to ProperllerAds have long been flagged for facilitating malvertising campaigns and driving traffic to exploit kits or other fraudulent sites. Further analysis has uncovered evidence suggesting that several ad-fraud campaigns have originated from infrastructure attributed to PropellerAds.
The cybersecurity company said Vane Viper has accounted for about 1 trillion DNS queries over the past year in about half of its customer networks, adding the threat actor takes advantage of hundreds of thousands of compromised websites and malicious ads that redirect unsuspecting site users to malicious browser extensions, fake shopping sites, adult content, survey scams, fake apps, sketchy software downloads, and malware, including an Android malware called Triada in one case.
What’s more, Vane Viper appears to share infrastructure and personnel ties with URL Solutions (aka Pananames), Webzilla, and XBT Holdings, with the former also linked to disinformation sites set up by a Russian influence operation called Doppelgänger. Some of the other companies owned by AdTech Holding include ProPushMe, Zeydoo, Notix, and Adex.
About 60,000 domains are…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
