A new malware campaign dubbed Krampus-3PC, which targets iPhone users, has affected more than 100 UK news publisher and magazine websites. Users who visited the infected publication websites were redirected to a fake grocery ad page.
The campaign mounted during the busiest shopping season of the year; it primarily targets iPhone users and tries to exfiltrate a huge amount of user data.
Krampus is a horned, anthropomorphic figure of Central European folklore, described as “half-goat, half-demon”.
He is notorious for punishing misbehaving children during the Christmas season, in contrast with Saint Nicholas, who rewards the well-behaved with gifts. In Europe, Krampus is often depicted as one of Saint Nicholas's companions during the Christmas season.
“Krampus’s name is derived from the German word krampen, meaning claw, and is said to be the son of Hel in Norse mythology. The legendary beast also shares characteristics with other scary, demonic creatures in Greek mythology, including satyrs and fauns,” explains National Geographic.
How Krampus-3PC attacks iPhones
- To infect their targets, the developers of the Krampus-3PC campaign exploited the shopping season, when everyone looks forward to never-before-available deals.
- In the first stage of the attack, Krampus-3PC sends a fraudulent popup message to the victim's iPhone, camouflaged as a reward advertisement or fake gift-card advertisement for a grocery store.
- Once the victim clicks the rewards link on the impersonated grocery store page, the malware opens a phishing page and asks the victim for some personal information.
- While the victim enters their personal credentials, the malware checks whether the device has already been infected.
- The malware sends this information, together with the victim's personal number, back to the attacker for launching more phishing attacks at a later stage. The attackers also collect user session and cookie information and later use it to log into the victims' social media and online bank accounts.
- The attacker pushes an advertisement through the adtech provider Adtechstack, and later injected malicious code into its APIs.
- The advertisement claims to come from a global technology company and features a renowned brand to lure victims.
- The malware checks whether the device is an iPhone by finding out if the graphic reader vendor is “Apple” and the font style within the browser is “style weight small caps”. If both results are positive, Krampus-3PC builds and executes the payload URL.
- This payload URL then hijacks the browser by replacing the page URL to redirect the user to the reward popup. If the redirection fails, it loads the malicious URL in another tab, and it keeps opening and loading the URL in new tabs until the redirection succeeds.
Krampus-3PC Malware Campaign
It is a unique piece of malware that employs a multi-stage redirect mechanism and two obfuscation methods to evade detection.
The primary method redirects the user to a malicious website; the backup method ensures the user is redirected to a fraudulent popup mimicking a grocery store.
The malware also steals user-session information, including cookies, country, tag, sandbox presence, the webpage's local storage data and Adtechstack banner data.
The Media Trust's Digital Security & Operations (DSO) team observed the malicious operation starting in October, redirecting online readers of UK publications to a fake grocery gift card page.
Two Phases of Checks
The malware was designed to conduct two phases of checks. In the first phase, once the reader reaches the publication website, it verifies that the ad is hosted by Adtechstack and that the ad is running on a targeted publisher.
In phase two it checks that the user's device is an iPhone “by finding out if the graphic reader vendor was ‘Apple’ and the font style within the browser ‘style weight small caps’.”
If the malware detects that the device is an iPhone, it sends the user data to the C&C server and executes a payload URL that hijacks the address and redirects the user to a phony reward popup; if the redirection fails, it loads the phony reward popup by opening a new tab.
The Media Trust's Digital Security & Operations (DSO) has not provided any details about the publishers affected by the attack.
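The two-phase check described here and in the attack list above (a device fingerprint gating a forced redirect, with a new-tab fallback) is a behaviour combination a publisher or ad-ops team can screen third-party creative tags for before they go live. The following is an added example, not code from the Media Trust report or from the campaign itself; the indicator patterns and the two sample creatives are constructed assumptions illustrating a static pre-flight check, not a signature for the real campaign.

```javascript
// Added example: static heuristic scan of an ad creative's script text.
// Looks for the behaviour families the Krampus-3PC write-up describes:
// a graphics-vendor probe for "Apple", a small-caps font probe, forced
// top-level navigation, and a new-tab fallback. Patterns are constructed.
const INDICATORS = {
  vendorProbe: /getParameter\s*\([^)]*VENDOR[^)]*\)|["']Apple["']/i,
  fontProbe: /small-caps|fontVariant/i,
  topNavigation: /(?:top|parent|window)\.location(?:\.href)?\s*=|location\.replace\s*\(/i,
  newTabFallback: /window\.open\s*\(/i,
  deviceGate: /iPhone|Mac OS X/i,
};

// Returns the indicator families that fired and an overall verdict.
// Fingerprinting alone and redirects alone are both common in benign
// creatives; only the combination the report describes is flagged.
function scanCreative(source) {
  const hits = Object.entries(INDICATORS)
    .filter(([, re]) => re.test(source))
    .map(([name]) => name);
  const fingerprints = ['vendorProbe', 'fontProbe', 'deviceGate'].some((h) => hits.includes(h));
  const redirects = ['topNavigation', 'newTabFallback'].some((h) => hits.includes(h));
  return { hits, suspicious: fingerprints && redirects };
}

// Constructed sample creatives (placeholders, not real tags or URLs).
const BENIGN_CREATIVE = `
  var img = document.createElement('img');
  img.src = 'https://ads.example.invalid/banner.png';
  document.body.appendChild(img);`;

// Mirrors only the behaviour sequence the write-up describes.
const SUSPICIOUS_CREATIVE = `
  var gl = document.createElement('canvas').getContext('webgl');
  var vendor = gl.getParameter(gl.VENDOR);
  var probe = document.createElement('span'); probe.style.fontVariant = 'small-caps';
  if (vendor === 'Apple') {
    top.location.href = PAYLOAD_URL_PLACEHOLDER;
    setTimeout(function () { window.open(PAYLOAD_URL_PLACEHOLDER); }, 500);
  }`;

module.exports = { INDICATORS, scanCreative, BENIGN_CREATIVE, SUSPICIOUS_CREATIVE };
```

A creative that fails this check is a candidate for manual review or for serving only inside a sandboxed iframe without top-navigation and popup permissions, which blocks both redirect paths the report describes.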
What payload does Krampus-3PC drop onto iPhone users?
iPhone users browsing these sites and viewing these badverts would be attacked without any user interaction being required. As soon as the creative tag from the malicious advert was loaded, Krampus-3PC performed multiple checks to ensure the ad was being hosted and published according to its needs.
It then injected a malicious script to trigger the second stage of checking.
This confirmed whether the browsing device was an iPhone before executing the payload URL. Only iPhone users were served this payload, which redirected them to a malicious “reward” popup.
If this failed, Krampus-3PC's persistence took hold and triggered a secondary method of loading the payload URL in another browser tab.
By hoovering up user session data, including the cookie ID, Krampus-3PC could hijack the browser.
“If the user had other sites like their bank or favorite online retailer open,” the Media Trust DSO report stated, then Krampus-3PC could “gain access to the user’s account.”