{
  "Event": {
    "analysis": "1",
    "date": "2024-03-13",
    "extends_uuid": "",
    "info": "[Threat Intel] Decoding ScamClub\u2019s Malicious VAST Attack",
    "protected": false,
    "publish_timestamp": "1780039404",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1772901937",
    "uuid": "31bee8fd-1453-4ea8-8d71-b296938eeec3",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"self-curated\"",
        "relationship_type": ""
      },
      {
        "colour": "#e96364",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Adversary-in-the-Middle - T1557\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#e76389",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hide Artifacts - T1564\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf6f24",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic Resolution - T1568\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7980c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Pre-OS Boot - T1542\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#52486a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inter-Process Communication - T1559\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b33aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Subvert Trust Controls - T1553\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#07a4a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
        "relationship_type": ""
      },
      {
        "colour": "#251b6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obtain Capabilities - T1588\"",
        "relationship_type": ""
      },
      {
        "colour": "#cda89b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#1faf16",
        "local": false,
        "name": "misp-galaxy:target-information=\"Canada\"",
        "relationship_type": ""
      },
      {
        "colour": "#ce59f1",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Kingdom\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"ScamClub\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740232565",
        "to_ids": false,
        "type": "link",
        "uuid": "ffa0aa6d-a4a2-40aa-a8bb-5a5c4d2625ae",
        "value": "https://www.geoedge.com/decoding-scamclubs-malicious-vast-attack",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": false,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736662717",
        "to_ids": false,
        "type": "text",
        "uuid": "cff9a235-caa1-41c4-bc72-2ccfc6548455",
        "value": "A recent report details how a threat actor known as ScamClub has shifted to using video malvertising and VAST ads to distribute financial scams. The report analyzes ScamClub's tactics, which involve exploiting the VAST protocol to embed malicious code in video ads that fingerprint users and redirect them to scam pages. The report highlights how ScamClub has infiltrated numerous ad platforms to reach a broad audience, with a focus on mobile users. It outlines the technical details of the attack flow, from crafting the malicious script to employing obfuscation techniques and evading detection. The report underscores the need for constant scanning of video assets to safeguard inventory and protect audiences."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736662717",
        "to_ids": false,
        "type": "text",
        "uuid": "a351cc12-3b8c-4cf7-be21-a0dc6f503dc8",
        "value": "Name: Decoding ScamClub\u2019s Malicious VAST Attack\nAuthor: AlienVault\nAdversary: ScamClub\nTags: [\"malvertising\", \"ScamClub\", \"VAST\"]\nTgtd countries: [\"United States of America\", \"Canada\", \"United Kingdom of Great Britain and Northern Ireland\", \"Germany\", \"Malaysia\"]\nMlwr families: []\nAttack_ids: [\"T1557\", \"T1133\", \"T1564\", \"T1140\", \"T1190\", \"T1036\", \"T1055\", \"T1568\", \"T1542\", \"T1497\", \"T1566\", \"T1559\", \"T1571\", \"T1027\", \"T1553\", \"T1573\", \"T1132\", \"T1588\", \"T1529\"]\nIndustries: [\"Technology\", \"Telecommunications\", \"Media\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736662717",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "09dab1ab-7a86-4ab6-afc1-6922b6b841f8",
        "value": "ScamClub"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal (VT)\r\nLast check: 22/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740235476",
        "to_ids": true,
        "type": "md5",
        "uuid": "c302e56a-746d-47af-9526-2a6220013711",
        "value": "0579587625b92f9ef09c7753e1acf217",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236004",
        "to_ids": true,
        "type": "url",
        "uuid": "b466f538-6d98-4769-b0cc-8bcb84e71ad6",
        "value": "https://trackmenow.life/vtag/ft1.js?VUHa=1&HXbwq=1h8t5&bMit=1j9qylF2mOrq&VVXO=781c6a2553149ab83c561f10a2151&dWiq=allnovel.net&TAcZ=adsgard-cpm-rtb-vo&upiOi=",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236026",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6a336c00-ddfb-4bf2-b9dc-90ff7a20e374",
        "value": "bn-vdo.azureedge.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236048",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3854ebff-eb69-49db-a14f-2692811f6287",
        "value": "doazcw5q3y88m.cloudfront.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236070",
        "to_ids": true,
        "type": "hostname",
        "uuid": "607dd1bf-02f5-4b9f-b8a6-dcfead43b47d",
        "value": "ftder.azureedge.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236092",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8bb2a939-8c4a-43cd-84ac-f8edd30c12d4",
        "value": "livd.azureedge.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236115",
        "to_ids": true,
        "type": "hostname",
        "uuid": "34e412df-1b33-4b83-84ed-b514759ec8e7",
        "value": "v-fa.azureedge.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236136",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2a33930b-d0bd-48b4-bbdd-bb47b7375744",
        "value": "v3-ky.azureedge.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236158",
        "to_ids": true,
        "type": "hostname",
        "uuid": "24da23c0-ad31-4d92-a15b-800547957bfd",
        "value": "vo-av.azureedge.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236181",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1086a112-0fda-4742-a955-aa23d10caee5",
        "value": "zr-vd.azureedge.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236203",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c8212c15-3167-4edd-ad2a-a4b7be4a422f",
        "value": "d3i45xa0npwdkr.cloudfront.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740236225",
        "to_ids": true,
        "type": "domain",
        "uuid": "b3d4d2f0-1e6d-4940-adb7-ab5f9e5ce183",
        "value": "trackmenow.life",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}