{"id":7908,"date":"2022-08-15T16:21:08","date_gmt":"2022-08-15T23:21:08","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7908"},"modified":"2024-04-26T13:20:02","modified_gmt":"2024-04-26T20:20:02","slug":"vast-malvertising-network-hijacks-browser-settings-to-spread-riskware","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vast-malvertising-network-hijacks-browser-settings-to-spread-riskware\/","title":{"rendered":"Vast Malvertising Network Hijacks Browser Settings to Spread Riskware"},"content":{"rendered":"<h3>Author: Chance Tudor<\/h3>\n<h3>Summary<\/h3>\n<p>For some time, the Infoblox Threat Intelligence Group has been tracking a malvertising network (the \u201cOmnatuor Malvertising Network\u201d) that not only abuses push notifications, pop-ups, and redirects within a browser but continues to serve ads even after the user navigates away from the initial page. Omnatuor has been dismissed by the security community as adware, a label that implies the activity is largely a nuisance. That dismissal underestimates the threat posed by malvertising in general, and by the Omnatuor actor in particular. In addition to its ability to persist, the network delivers dangerous content.<\/p>\n<p>Infoblox has discovered and begun tracking multiple malvertising networks with a very broad reach into the consumer environment. They obtain this reach by locating and compromising massive numbers of web pages across the Internet and then relying on the tendency of users to click the accept buttons on pop-ups without carefully examining the notifications. We recently published an in-depth report about one of these actors and their network, which we call VexTrio.<sup>1<\/sup> The Omnatuor actor, like the VexTrio actor, takes advantage of WordPress vulnerabilities and is effective at spreading riskware, spyware, and adware. 
Also like the VexTrio actor, the Omnatuor actor uses an extensive infrastructure and has a broad reach into networks across the globe. We found over 9,900 domains and 170 IP addresses related to the original \u201cseed\u201d domain, omnatuor[.]com. Unlike the VexTrio actor, the Omnatuor actor uses a clever technique to achieve persistence across a user\u2019s browsing patterns.<\/p>\n<p>This report provides detailed information about the actor\u2019s tactics, techniques, and procedures (TTPs). We detail the infrastructure, scope of activity, attack chain, preventative measures and remediation and, finally, indicators of compromise (IOCs). We have included a sample of these IOCs at the end of this report; for the complete list, see our GitHub repository.<sup>2<\/sup><\/p>\n<p>Watch <a href=\"https:\/\/insights.infoblox.com\/podcasts-season-3\/threattalk-episode-15-a-researchers-story-uncovering-the-omnatour-malvertising-network\" rel=\"noopener\" target=\"_blank\">this<\/a> podcast episode of ThreatTalk to learn more about the Omnatuor network, phishing and malvertising.<\/p>\n<h3>Discovery<\/h3>\n<p>Our research into the Omnatuor Malvertising Network began with the discovery of an initial domain, omnatuor[.]com. The prevalence of this domain and the number of queries across many networks drew our attention. Highly popular domains are usually related to common applications and services (such as Outlook and Google), content distribution networks, and ad networks. The Omnatuor domain has suspiciously high breadth and query volumes. 
An initial look into WHOIS data revealed that the domain was created on 12 July 2021. Since registration it has been present in 45% to 48% of all customer networks, and it surpassed 50% at various times, as shown in Figure 1.<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/infoblox-blog-vast-malvertising-1.png\" \/><br \/>\nFigure 1. Omnatuor[.]com saturation across Infoblox networks following registration in July 2021.<\/p>\n<p>Most networks contained tens, if not hundreds, of thousands of queries for the domain. From July 2021 to July 2022, we observed just over 25.4 million unique, resolved queries to omnatuor[.]com. To discover new domains related to omnatuor[.]com, we used passive DNS (pDNS) data; leveraged open-source forum posts involving at least one previously discovered domain or IP address; checked domain, file, and IP relationships by using URLScan (urlscan[.]io), VirusTotal (virustotal[.]com), and other open-source tools; and used virtual machines to explore websites that we knew to be infected with an adware script. In the course of our research, we found over 9,900 domains and 170 IP addresses comprising the Omnatuor Malvertising Network.<\/p>\n<p>We used our previous research on domain-ranking systems and our internal ranking system, InfoRanks, to gain further perspective on the impact of not just omnatuor[.]com but the full Omnatuor Malvertising Network.<sup>3,4<\/sup> We wanted to see just how popular the domains within this network had become in comparison to well-known websites. We took a random sample of nearly 700 domains from the pool of 9,900 and averaged their ranking in our aggregate data over five months. We then plotted all the malvertising domains in our sample amongst other popular domains (whose popularity is based on InfoRanks). 
Figure 2 illustrates that in terms of the query count, the malvertising domains\u2019 relative popularity (in red) rivaled that of other well-known websites ranked within the top 10,000 most popular domains.<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/infoblox-blog-vast-malvertising-2.png\" \/><br \/>\nFigure 2. Omnatuor Malvertising Network domains ranked relative to other popular (measured via InfoRanks) domains.<\/p>\n<p>We designate any domain with an average ranking of 20,000 or less as quite popular, and any domain with an average ranking of 5,000 or less as very popular. According to our analysis, omnatuor[.]com was not only in the top 2,000 most popular domains but ranked higher than zoom[.]com over a period of five months. This is due to the prevalence of the actor\u2019s infrastructure and the actor\u2019s use of resolutions with a time-to-live (TTL) value of zero seconds: a zero TTL tells resolvers not to cache the answer, so every lookup from every client generates a fresh query and inflates the observed query volume.<\/p>\n<h3>Infrastructure<\/h3>\n<p>Several key factors related to the domains helped uncover the infrastructure. First, most of the domains were on one of two IP networks: 139.45.0.0\/16 and 188.42.0.0\/16. At this time, the Autonomous System Numbers (ASNs) for the networks are 9002 and 35415, respectively. ASN 35415 was present in two open-source lists of bad ASNs.<sup>5,6<\/sup> RETN Limited provided the infrastructure for the 139.45.0.0\/16 network, and WebZilla provided the infrastructure for the 188.42.0.0\/16 network. A Cyprus-based \u201cadtech\u201d company owns the IP space that hosts the domains at the time of this report. A number of domains were hosted on one network before being switched to the other.<\/p>\n<p>Second, all domains used the same registrar, Pananames (formerly URL Solutions, Inc.), which is located in Panama and offers low-cost domain registration. Furthermore, each domain in the Omnatuor Malvertising Network used Pananames\u2019 WHOIS privacy services, greatly limiting visibility into the actor. 
Pananames, like the owner of the IP space on which the Omnatuor Malvertising Network is hosted, has ties to Cyprus.<\/p>\n<p>Third, the vast majority of domains used Amazon Web Services nameservers (the actor used Amazon Route 53), and fewer than 20 domains were parked at bodis[.]com. Each domain had a set of four different nameservers with the following structure (below, we use the regular expression syntax \u201c[0-9]+\u201d, which can be read as \u201cone or more digits\u201d):<\/p>\n<p>ns-[0-9]+.awsdns-[0-9]+.com<br \/>\nns-[0-9]+.awsdns-[0-9]+.net<br \/>\nns-[0-9]+.awsdns-[0-9]+.org<br \/>\nns-[0-9]+.awsdns-[0-9]+.co.uk<\/p>\n<p>There was little repetition of nameservers across domains; one sample of 1,000 domains contained 1,716 different nameservers. The most frequently shared nameserver was ns-691[.]awsdns-22[.]net, which appeared nine times.<\/p>\n<h3>Attack Chain<\/h3>\n<p>Figure 3 below shows the attack chain for domains in the Omnatuor Malvertising Network. It is similar to what we observed during our research and monitoring of threat activity centered around a dictionary domain generation algorithm (DDGA) actor we named VexTrio, which likewise distributes riskware, spyware, and adware.<sup>7<\/sup> We use language from the MITRE ATT&amp;CK Framework to describe the attack chain.<sup>8<\/sup><\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/infoblox-blog-vast-malvertising-3.png\" \/><br \/>\nFigure 3. The Omnatuor attack chain.<\/p>\n<h3>Attack Chain: Initial Access<\/h3>\n<p>In our research, we initially found a handful of web page titles, such as \u201cRemove Omnatuor.com pop-up ads (Virus Removal Guide)\u201d, and posts on the Malwarebytes forum where users were complaining of incessant advertisements and of struggling to identify where their browsers were first infected. 
In spite of the large number of sites offering advice on how to remove the adware, we found no reporting in the security industry that recognizes either the threat posed by this network or the depth and breadth of its penetration.<\/p>\n<p>Older reports for similar attacks published by security vendors suggested that a cross-site scripting attack conducted via WordPress-specific malicious plugins (packaged as JavaScript or PHP code) might be the initial vector for contaminating sites.<sup>9,10<\/sup> In such a case, the actors scan WordPress sites for vulnerabilities by using well-documented open-source software or Google dorking.<sup>11<\/sup> Once the actors identify vulnerable sites, they inject into the body of the HTML an inline script that loads the adware remotely. We hypothesized that this was the initial vector here as well.<\/p>\n<p>To test our hypothesis, we did our own Google dorking and verified that cross-site scripting attacks were the initial vector. We found a number of WordPress sites containing similar inline scripts. These inline scripts contained domains previously known to us as being part of the Omnatuor Malvertising Network. Figure 4 below shows source code from a compromised WordPress website, including the injected script (inside the red box) with context (arrows pointing to WordPress artifacts).<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/infoblox-blog-vast-malvertising-4.png\" \/><br \/>\nFigure 4. The compromise embedded in a victimized website\u2019s source code.<\/p>\n<h3>Attack Chain: Execution<\/h3>\n<p>Once a site is compromised, the adware script is executed upon page load. The entirety of the adware script &#8211; including names of variables, functions and domains, and even whole strings &#8211; is obfuscated. The obfuscation process is involved, but as with all source code obfuscation, the weakest link is the encryption. In this case, the actors used a poor technique. 
We saw the actors use two versions of a Caesar cipher, which shifts each letter a fixed number of positions through the alphabet. One version shifted letters by 12 positions, and the other shifted letters by 13.<\/p>\n<p>On page load, a function performs two steps to turn the code into runnable JavaScript:<\/p>\n<ol>\n<li>It checks for a single character or for double characters in an array and returns a string obfuscated via the Caesar cipher.<\/li>\n<li>It decrypts the obfuscated string into a machine-interpretable variable or value.<\/li>\n<\/ol>\n<p>After the adware script is loaded, the webpage begins to make callbacks to malvertising domains. Figure 5 contains a Wireshark screenshot exemplifying the network connections to the malicious IP range after the adware script has been executed upon page load:<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/infoblox-blog-vast-malvertising-5.png\" \/><br \/>\nFigure 5. Network communication with the aforementioned malvertising C&amp;C IP network.<\/p>\n<p>The malvertising domains return JSON to the local host containing redirect URLs, IDs for the ads, banners, trackers, and other information needed for the ad campaign. In a unique case, alongside two other Omnatuor-related malvertising domains, there was a JSON response containing a hardcoded BitRAT C&amp;C IP, shown in Figure 6.<sup>12<\/sup> BitRAT, as the name implies, is a remote access trojan (RAT). 
It originally surfaced in 2020 as an inexpensive, yet powerful, RAT that not only supports \u201cgeneric keylogging, clipboard monitoring, webcam access, audio recording, credential theft from web browsers, and XMRig coin mining functionality\u201d but also has the potential to bypass user access control.<sup>13<\/sup> Whether there is a direct link between the spread of BitRAT and these malvertising domains is unclear, but the fact that a BitRAT C&amp;C IP is sent back to the local host from a malvertising domain suggests that it poses a notable risk.<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/infoblox-blog-vast-malvertising-6.png\" \/><br \/>\nFigure 6. JSON response containing a BitRAT IP address, denoted as \u201ccustomParamsIp\u201d.<\/p>\n<h3>Attack Chain: Persistence<\/h3>\n<p>To maintain persistence, the actors must alter browser settings; to achieve this, they request that the user enable push notifications. If the user accepts the request, the browser\u2019s notification settings now allow the malvertising domains to send advertisements even after the user closes the browser window or goes to another site. Figure 7 shows an example of a push notification request.<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/infoblox-blog-vast-malvertising-7.png\" \/><br \/>\nFigure 7. A malicious push notification request.<\/p>\n<h3>Recommendations and Mitigation<\/h3>\n<p>This campaign compromises vulnerable WordPress sites through embedded malicious JavaScript or PHP code. The code redirects users or otherwise forces them to view and click malvertisements via pop-ups and push notifications. We recommend that users take the following preventive measures:<\/p>\n<ul>\n<li>Configure Infoblox\u2019s RPZ feeds in firewalls. 
This can stop the actors\u2019 attempts to connect at the DNS level, because all components described in this report (compromised websites, intermediary redirect domains, DDGA domains, and landing pages) require the DNS protocol. The Infoblox Threat Intelligence Group (TIG) detects these components daily and adds them to Infoblox\u2019s RPZ feeds.<\/li>\n<li>To assist in blocking known malvertising efforts, leverage the GitHub repository of indicators associated with the Omnatuor Malvertising Network.<sup>14<\/sup> Infoblox offers a sample of indicators in this article and will continue to update the GitHub repository as new indicators are discovered.<\/li>\n<li>Use an ad-blocking extension, such as uBlock Origin.<sup>15<\/sup> The adware is delivered via an inline script on the compromised page, so blocking only the domains and IP addresses at a firewall or DNS level will not stop the push notification prompts, redirects, or pop-ups from being attempted. Because the DNS queries cannot be completed, the contents of those vectors will not load; however, the browsing experience will still be interrupted.<\/li>\n<li>Disable JavaScript entirely, or use a web extension (such as NoScript) to enable JavaScript only on trusted sites.<\/li>\n<\/ul>\n<h3>Indicators of Compromise<\/h3>\n<p>The table below provides a sample list of the IOCs relevant to our recent findings. 
The complete list as of the time of this paper is found in our GitHub repository.<sup>16<\/sup><\/p>\n<h3>Endnotes<\/h3>\n<ol>\n<li><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/\" target=\"_blank\" rel=\"noopener\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/infobloxopen\/threat-intelligence\" target=\"_blank\" 
rel=\"noopener\">https:\/\/github.com\/infobloxopen\/threat-intelligence<\/a><\/li>\n<li><a href=\"https:\/\/www.infoblox.com\/resources\/whitepaper\/inforanks-infoblox-ranking-service\" target=\"_blank\" rel=\"noopener\">https:\/\/www.infoblox.com\/resources\/whitepaper\/inforanks-infoblox-ranking-service<\/a><\/li>\n<li><a href=\"\/security\/inforanks-infoblox-rankings-give-insights-into-the-stability-of-a-domains-popularity\/\">https:\/\/blogs.infoblox.com\/security\/inforanks-infoblox-rankings-give-insights-into-the-stability-of-a-domains-popularity\/<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/brianhama\/bad-asn-list\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/brianhama\/bad-asn-list<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/LorenzoSapora\/bad-asn-list\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/LorenzoSapora\/bad-asn-list<\/a><\/li>\n<li><a href=\"\/cyber-threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/<\/a><\/li>\n<li><a href=\"https:\/\/www.crowdstrike.com\/cybersecurity-101\/mitre-attack-framework\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.crowdstrike.com\/cybersecurity-101\/mitre-attack-framework\/<\/a><\/li>\n<li><a href=\"https:\/\/prophaze.com\/web-application-firewall\/tracking-down-new-wordpress-popup-injection-malware\/\" target=\"_blank\" rel=\"noopener\">https:\/\/prophaze.com\/web-application-firewall\/tracking-down-new-wordpress-popup-injection-malware\/<\/a><\/li>\n<li><a href=\"https:\/\/www.getastra.com\/blog\/cms\/wordpress-security\/fix-push-notifications-malware\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.getastra.com\/blog\/cms\/wordpress-security\/fix-push-notifications-malware\/<\/a><\/li>\n<li><a 
href=\"https:\/\/developers.google.com\/search\/docs\/advanced\/debug\/search-operators\/overview\" target=\"_blank\" rel=\"noopener\">https:\/\/developers.google.com\/search\/docs\/advanced\/debug\/search-operators\/overview<\/a><\/li>\n<li><a href=\"https:\/\/threatfox.abuse.ch\/ioc\/395379\/\" target=\"_blank\" rel=\"noopener\">https:\/\/threatfox.abuse.ch\/ioc\/395379\/<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/bitrat-malware-now-spreading-as-a-windows-10-license-activator\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.bleepingcomputer.com\/news\/security\/bitrat-malware-now-spreading-as-a-windows-10-license-activator\/<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/infobloxopen\/threat-intelligence\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/infobloxopen\/threat-intelligence<\/a><\/li>\n<li><a href=\"https:\/\/ublockorigin.com\" target=\"_blank\" rel=\"noopener\">https:\/\/ublockorigin.com<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/infobloxopen\/threat-intelligence\/tree\/main\/cta_indicators\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/infobloxopen\/threat-intelligence\/tree\/main\/cta_indicators<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Chance Tudor &nbsp; Summary For some time, the Infoblox Threat Intelligence Group has been tracking a malvertising network (the \u201cOmnatuor Malvertising Network\u201d) that not only abuses push notifications, pop-ups, and redirects within a browser but continues to serve ads even after the user navigates away from the initial page. 
Omnatuor has been dismissed by [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6733,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[554],"tags":[505,738,735,737,736],"class_list":{"0":"post-7908","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-threat-advisory","8":"tag-adware","9":"tag-omnatuor","10":"tag-omnatuor-malvertising","11":"tag-riskware","12":"tag-spyware","13":"entry"}}
Learn more in this article.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vast-malvertising-network-hijacks-browser-settings-to-spread-riskware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vast-malvertising-network-hijacks-browser-settings-to-spread-riskware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vast-malvertising-network-hijacks-browser-settings-to-spread-riskware\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-37.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-37.jpg","width":612,"height":344,"caption":"computer screen with programming code and an alert message, concept of computer security, malware or hacker attack (3d render)"},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vast-malvertising-network-hijacks-browser-settings-to-spread-riskware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Cyber Threat Advisory","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/cyber-threat-advisory\/"},{"@type":"ListItem","position":4,"name":"Vast Malvertising Network Hijacks Browser Settings to Spread 
Riskware"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. 
DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=7908"}],"version-history":[{"count":12,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7908\/revisions"}],"predecessor-version":[{"id":8016,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7908\/revisions\/8016"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6733"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=7908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=7908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=7908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}