For some time, the Infoblox Threat Intelligence Group has been tracking a malvertising network (the “Omnatuor Malvertising Network”) that not only abuses push notifications, pop-ups, and redirects within a browser but continues to serve ads even after the user navigates away from the initial page. Omnatuor has been dismissed by the security community as adware, a label that implies the activity is largely a nuisance. This dismissal underestimates the threat posed by malvertising in general, and by the Omnatuor actor in particular. In addition to its ability to persist, the network delivers dangerous content.
Infoblox has discovered and begun tracking multiple malvertising networks with a very broad reach into the consumer environment. They obtain this reach by locating and compromising massive numbers of web pages across the Internet and then relying on the tendency of users to click the accept buttons on pop-ups without carefully examining the notifications. We recently published an in-depth report about one of these actors and their network, which we call VexTrio.
The Omnatuor actor, like the VexTrio actor, takes advantage of WordPress vulnerabilities and is effective at spreading riskware, spyware, and adware. Also like the VexTrio actor, the Omnatuor actor uses an extensive infrastructure and has a broad reach into networks across the globe. We found over 9,900 domains and 170 IP addresses related to the original “seed” domain, omnatuor[.]com. Unlike the VexTrio actor, the Omnatuor actor uses a clever technique to achieve persistence across a user’s browsing patterns.
This report will provide detailed information about the actor’s tactics, techniques, and procedures (TTPs). We detail the infrastructure, the scope of activity, the attack chain, preventative measures and remediation, and, finally, indicators of compromise (IOCs). We have included a sample of these IOCs at the end of this report; for the complete list, see our GitHub repository. Watch this podcast episode of ThreatTalk to learn more about the Omnatuor network, phishing and malvertising.