Ingenious Krampus-3PC malware targets iPhone users

Read time 3min 30sec

A new malicious campaign affecting iPhone users of more than 100 publisher Web sites has been discovered by The Media Trust’s digital security & operations team.

Dubbed Krampus-3PC, which stands for third-party code, this malware delivered its payload by employing a multi-stage redirect mechanism as well as two obfuscation methods to evade conventional scanning and blocking tools. The authors behind Krampus-3PC have ramped up at the start of the year’s busiest time for shopping, looking to gather as much user data as they could through the device itself and adtech provider Adtechstack2.

While most malicious campaigns use one method of redirection, Krampus-3PC employed a backup method to ensure users were redirected to the fraudulent popup masquerading as a global grocery store reward ad. Moreover, the malware gobbled up user-session information, including cookies from a widely used adtech vendor, enabling bad actors to log into users’ various online accounts.

Mobile devices make up approximately 50% of Internet traffic and are with most of us wherever we go, said The Media Trust. They offer a wealth of consumer data not found in desktops, such as geolocation, call records, the majority of users’ Internet searches, and online purchases, just for starters.

The authors had also designed the campaign to make use of Adtechstack’s campaign tag codes to gather the session information, such as cookie ID, Adtechstack banner data, the Web page’s local storage data, and sandbox presence.

“This information was then sent to the malware’s command and control (C&C) centre to signal that the user’s device had passed all the checks for redirection,” the company explained. 

“The cookie ID enabled Krampus-3PC to hijack the browser and, if the user had other sites such as their bank or favourite online retailer open on their device, gain access to the user’s account. Access to a session cookie would enable the malvertiser to log in as that user at a later time.”

New, persistent techniques

According to the researchers, the attack also used new and persistent techniques. They first discovered Krampus-3PC in October, which was redirecting online readers of UK publications to a fake grocery gift card advert. The attack continued throughout October and into November, spreading the malware to readers all over the world.

And although Krampus-3PC might have appeared like the average phishing campaign, visitors of a targeted Web site serving a compromised ad were redirected to a phishing page that prompted them to enter personally identifiable information. 

Behind the scenes, a series of rapid-fire activities were taking place, to guarantee that users were successfully compromised even as publishers and the adtech company they worked with used popular malware blockers. 

The malware was able to retrieve not only whatever information users entered but also their phone numbers, which were later used for phishing texts, highlighting the sophistication of this malware.

Slipping through the net

Krampus-3PC was also designed to evade detection, as its authors scrambled and linked its code together to obfuscate the list of target publisher domains, the checks, and data harvesting activities. 

“Scanners, blockers, and even some experts looking for specific code patterns or malicious domains missed Krampus-3PC.

“Malvertisers exploit the digital ad supply chain’s speed, complexity, and anonymity, and conventional scanners and blockers are known entities that smart malware like Krampus-3PC, GhostCat-3PC, and ShapeShifter-3PC, among others, can easily identify and avoid,” the researchers said.

To shield their users from today’s innovative attacks, publishers should use the digital supply chain, particularly trusted digital partners, to keep partners that have a track record of delivering malicious campaigns out of their sites. They should also make use of phantom scanning for ad tags and Web sites, a process that remains invisible to the malware, the company advises.

Login with