Tag Barnakle group using hacked Revive ad servers to distribute malicious ads

 


An ongoing malvertising campaign is compromising Revive ad servers in order to deliver malicious advertising to unsuspecting users, according to a recent report from cyber-security firm Confiant.

Revive Adserver is a free, open source ad server system, which is used by owners of individual websites, publishers of multiple websites, ad networks, advertising agencies, or advertisers.

In recent months, Confiant researchers detected a wave of malvertisements attached to Revive creatives, spanning dozens of ad server instances, including those owned and operated by publishers and ad networks.

In the campaign, a threat actor dubbed Tag Barnakle is targeting Revive installations by injecting an obfuscated JavaScript payload that gives the hackers the ability to hijack ad slots and display their own ads. Those ads are typically for sites offering malware such as fraudulent Adobe Flash updates.

Confiant said it identified around 60 compromised Revive ad servers. The Tag Barnakle group’s activity was observed on over 360 web properties, but the researchers estimate that the number of impacted websites might be much higher, given that some of the hacked ad servers have deep RTB integrations with multiple ad exchanges.

“If we take a look at the volumes behind just one of the compromised RTB ad servers — we see spikes of up to 1.25MM affected ad impressions in a single day,” the researchers said.

“We initially started investigating the attribution of ad serving elements between the Tag Barnakle payloads in early March of 2020. Notable spikes in their activity were observed during the ‘peak’ holiday advertising season of late 2019.

“During a retrospective analysis, we have found examples of the attacker in our telemetry dating back to August 2019, showing at least 8 months of consistent malvertising activity that continues today,” Confiant added.

