Ars Technica utilized in malware marketing campaign with never-before-seen obfuscation

Photo of author

By Calvin S. Nelson

Getty Photographs

Ars Technica was not too long ago used to serve second-stage malware in a marketing campaign that used a never-before-seen assault chain to cleverly cowl its tracks, researchers from safety agency Mandiant reported Tuesday.

A benign picture of a pizza was uploaded to a third-party web site and was then linked with a URL pasted into the “about” web page of a registered Ars consumer. Buried in that URL was a string of characters that gave the impression to be random—however have been really a payload. The marketing campaign additionally focused the video-sharing web site Vimeo, the place a benign video was uploaded and a malicious string was included within the video description. The string was generated utilizing a method generally known as Base 64 encoding. Base 64 converts textual content right into a printable ASCII string format to characterize binary information. Gadgets already contaminated with the first-stage malware used within the marketing campaign mechanically retrieved these strings and put in the second stage.

Not usually seen

“It is a completely different and novel manner we’re seeing abuse that may be fairly onerous to detect,” Mandiant researcher Yash Gupta mentioned in an interview. “That is one thing in malware we now have not usually seen. It’s fairly fascinating for us and one thing we needed to name out.”

The picture posted on Ars appeared within the about profile of a consumer who created an account on November 23. An Ars consultant mentioned the picture, exhibiting a pizza and captioned “I like pizza,” was eliminated by Ars workers on December 16 after being tipped off by electronic mail from an unknown social gathering. The Ars profile used an embedded URL that pointed to the picture, which was mechanically populated into the about web page. The malicious base 64 encoding appeared instantly following the authentic a part of the URL. The string didn’t generate any errors or forestall the web page from loading.

Pizza image posted by user.
Enlarge / Pizza picture posted by consumer.
Malicious string in URL.
Enlarge / Malicious string in URL.

Mandiant researchers mentioned there have been no penalties for individuals who might have considered the picture, both as displayed on the Ars web page or on the web site that hosted it. It’s additionally not clear that any Ars customers visited the about web page.

Gadgets that have been contaminated by the primary stage mechanically accessed the malicious string on the finish of the URL. From there, they have been contaminated with a second stage.

The video on Vimeo labored equally, besides that the string was included within the video description.

Ars representatives had nothing additional so as to add. Vimeo representatives didn’t instantly reply to an electronic mail.

The marketing campaign got here from a risk actor Mandiant tracks as UNC4990, which has been energetic since at the very least 2020 and bears the hallmarks of being motivated by monetary achieve. The group has already used a separate novel approach to fly beneath the radar. That approach unfold the second stage utilizing a textual content file that browsers and regular textual content editors confirmed to be clean.

Opening the identical file in a hex editor—a instrument for analyzing and forensically investigating binary information—confirmed {that a} mixture of tabs, areas, and new strains have been organized in a manner that encoded executable code. Just like the approach involving Ars and Vimeo, using such a file is one thing the Mandiant researchers had by no means seen earlier than. Beforehand, UNC4990 used GitHub and GitLab.

The preliminary stage of the malware was transmitted by contaminated USB drives. The drives put in a payload Mandiant has dubbed explorerps1. Contaminated units then mechanically reached out to both the malicious textual content file or else to the URL posted on Ars or the video posted to Vimeo. The bottom 64 strings within the picture URL or video description, in flip, induced the malware to contact a web site internet hosting the second stage. The second stage of the malware, tracked as Emptyspace, constantly polled a command-and-control server that, when instructed, would obtain and execute a 3rd stage.


Mandiant has noticed the set up of this third stage in just one case. This malware acts as a backdoor the researchers observe as Quietboard. The backdoor, in that case, went on to put in a cryptocurrency miner.

Anybody who is anxious they might have been contaminated by any of the malware lined by Mandiant can examine the symptoms of compromise part in Tuesday’s publish.

Leave a Comment