
A threat actor known as Vane Viper has been exposed as a provider of malicious advertising technology (adtech), while relying on a tangled web of shell companies and opaque ownership structures to deliberately evade liability.
“Vane Viper has been providing core infrastructure for the spread of widespread fraud, ad fraud and cyber threats for at least 10 years,” Infoblox said in a technical report released last week in collaboration with Guardio and Confiant.
“It appears that Vane Viper is not only brokering malware dropper and phishing traffic, but also running its own campaigns, consistent with previously documented ad fraud techniques.”
Vane Viper, also known as Omnatuor, was previously documented by the DNS threat intelligence company in August 2022, which described it as a rogue network similar to VexTrio Viper that uses vulnerable WordPress sites to harness large networks of compromised domains for spreading riskware, spyware and adware.

One notable aspect of the threat actor's persistence techniques is the abuse of push notification permissions to keep serving ads even after users change their browser settings and leave the initial page. This approach relies on service workers that maintain a persistent headless browser process, listening for events and delivering unwanted notifications.
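To make the persistence mechanism concrete from the defender's side, here is an added audit snippet (not code from the Infoblox, Guardio or Confiant report, and not from any of the companies named on this page). It shows where the persistence lives, in a service worker registration plus a push subscription, and how to enumerate and revoke both. The allowlist of trusted origins and the sample registration records are constructed for illustration; the `selectRegistrationsToRevoke` and `auditServiceWorkers` names are this example's own.

```javascript
// Added example: audit and revoke service worker registrations and push
// subscriptions that keep delivering notifications after the user has left the page.
// ALLOWED_PUSH_ORIGINS and SAMPLE_REGISTRATIONS below are constructed values.

// Assumption: origins the user deliberately granted push permission to.
const ALLOWED_PUSH_ORIGINS = new Set(["https://mail.example"]);

// Constructed records in the shape auditServiceWorkers() builds from live registrations.
const SAMPLE_REGISTRATIONS = [
  { scope: "https://mail.example/", hasPushSubscription: true },      // trusted, keep
  { scope: "https://news-push.example/sw/", hasPushSubscription: true }, // unwanted push worker
  { scope: "https://shop.example/", hasPushSubscription: false },     // no push, harmless here
];

// Pure decision logic, usable without a browser: given plain records
// { scope, hasPushSubscription }, return the ones that should be revoked.
function selectRegistrationsToRevoke(registrations, allowedOrigins) {
  return registrations.filter((reg) => {
    let origin;
    try {
      origin = new URL(reg.scope).origin;
    } catch {
      return true; // unparsable scope: treat as suspicious and revoke
    }
    // A push-capable worker outside the allowlist is exactly the persistence
    // vector described above: it outlives the tab that registered it.
    return reg.hasPushSubscription && !allowedOrigins.has(origin);
  });
}

// Convenience wrapper over the constructed sample, returning only the scopes.
function scopesToRevokeInSample() {
  return selectRegistrationsToRevoke(SAMPLE_REGISTRATIONS, ALLOWED_PUSH_ORIGINS)
    .map((r) => r.scope);
}

// Browser side. Note that getRegistrations() only returns workers for the
// origin of the page you run this on, so run it from DevTools on each origin
// you want to check; there is no cross-origin enumeration from page script.
async function auditServiceWorkers(allowedOrigins = ALLOWED_PUSH_ORIGINS) {
  if (typeof navigator === "undefined" || !navigator.serviceWorker) {
    return { audited: 0, revoked: [] }; // not running in a browser context
  }
  const regs = await navigator.serviceWorker.getRegistrations();
  const records = [];
  for (const reg of regs) {
    const sub = reg.pushManager ? await reg.pushManager.getSubscription() : null;
    records.push({ scope: reg.scope, hasPushSubscription: sub !== null, reg, sub });
  }
  const toRevoke = selectRegistrationsToRevoke(records, allowedOrigins);
  for (const r of toRevoke) {
    if (r.sub) await r.sub.unsubscribe(); // drop the push endpoint first
    await r.reg.unregister();            // then remove the worker itself
  }
  return { audited: records.length, revoked: toRevoke.map((r) => r.scope) };
}
```

The decision logic is kept separate from the browser calls so it can be reviewed and tested outside a browser; the revocation order matters, since unsubscribing from push before unregistering the worker prevents a stray notification from arriving while the registration is being torn down.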
Late last year, Guardio Labs exposed a campaign called DeceptionAds, which was found to leverage Vane Viper's malicious ad network to promote ClickFix-style social engineering campaigns. According to Infoblox, the activity is attributed to a company named Monetag, a commercial advertising technology company that is a subsidiary of PropellerAds, itself a subsidiary of AdTech Holding, a Cyprus-based holding company.

Domains linked to PropellerAds have long been flagged for driving traffic to malvertising campaigns, exploit kits and other illicit sites. Further analysis reveals evidence suggesting that several ad fraud campaigns originate from infrastructure operated by PropellerAds.
The cybersecurity company says Vane Viper has accounted for around 1 trillion DNS queries across roughly half of its customer network over the past year, and that the threat actor uses hundreds of thousands of compromised websites and malicious ads to redirect unsuspecting site visitors to malicious browser extensions and malware, including, in one case, malware known as Triada.
Additionally, Vane Viper appears to share infrastructure and personnel ties with URL Solutions (Panama), Webzilla and XBT Holdings. The former is also linked to disinformation sites set up by a Russian influence operation called Doppelgänger. Other companies owned by AdTech Holding include Propushme, Zeydoo, Notix, and Adex.

Approximately 60,000 domains are assessed to be part of Vane Viper's infrastructure, most of which remain active for less than a month. However, several domains have been active for more than 1,200 days, including the original omnatuor[.]com, propellertracking[.]com and several others centered on push notification services.
The operation is known to register a huge number of new domains each month, reaching a peak of 3,500 domains in October 2024 alone. This is a major jump from fewer than 500 domains registered in April 2023. Vane Viper domains account for almost 50% of the domains bulk-registered through URL Solutions since 2023.
PropellerAds, however, has previously denied any involvement in fraud, saying it is “just an automated intermediary that helps advertisers find the best publisher to publish their ads,” and that it “does not support or encourage malicious ads on the network.”
“Vane Viper isn't just a threat actor hiding behind the adtech platform,” Infoblox said. “This is a threat actor as an adtech platform. AdTech Holding claims to provide reach and monetization to advertisers at scale, but that actually poses risk.”
“Vane Viper hides behind the plausible deniability of working as an ad network while using a TDS [traffic distribution system] to pose multiple types of threats.”