{"id":7381,"date":"2025-02-20T12:18:05","date_gmt":"2025-02-20T18:18:05","guid":{"rendered":"https:\/\/www.threatstop.com\/blog\/they-will-do-anything-to-serve-you-ads-wont-they"},"modified":"2025-02-20T12:18:05","modified_gmt":"2025-02-20T18:18:05","slug":"they-will-do-anything-to-serve-you-ads-wont-they","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/02\/20\/they-will-do-anything-to-serve-you-ads-wont-they\/","title":{"rendered":"They will do anything to serve you ads, won’t they?"},"content":{"rendered":"

Obfuscation in malware delivery has always been an effective trick in a cybercriminal\u2019s toolbox\u2014concealing the true intentions of code so it can slip past detection and remain hidden as long as possible. Recently, our ThreatSTOP Intelligence, Research, and Security (TIS) Team, uncovered a surge of traffic targeting IP 139.45.197.242<\/strong><\/span>, which telemetry shows is a primary hosting point for malicious domains serving heavily obfuscated pop-up\/pop-under scripts used in phishing campaigns.<\/p>\n

<\/p>\n

What We Found<\/strong><\/p>\n

Upon analyzing the malicious JavaScript, we discovered a large block of code, packed with deceptive function names, scrambled variables, and random string transformations. The purpose? Injecting forced pop-ups, redirects, and overlay ads that lead unsuspecting users to phishing pages or potentially malicious content. This stealthy approach helps attackers hide from conventional detection methods and frustrate would-be debuggers by throwing up multiple layers of obfuscation.<\/p>\n

We’re not going to include the code directly in the blog post, but we’ll post a screenshot of it so you can see, clearly, this is not meant to be figured out easily:<\/p>\n

\"Screenshot<\/p>\n

Here\u2019s a high-level look at what this code does:<\/p>\n

1. <\/span>Pop-Up and Redirect Logic<\/strong><\/p>\n

The script secretly rewrites links, hooking into user clicks to open pop-ups or forcibly redirect them to attacker-controlled sites.<\/p>\n

2. <\/span>Session and Click Tracking<\/strong><\/p>\n

The code stores data on how many times it has displayed an ad or forced a redirect, so it can pace itself\u2014thus avoiding immediate suspicion.<\/p>\n

3. <\/span>Anti-Debugging Tactics<\/strong><\/p>\n

By measuring function runtimes and checking for certain DevTools signatures, the script can alter its behavior or shut down if it detects a security analyst\u2019s presence.<\/p>\n

4. <\/span>Persistent Updates<\/strong><\/p>\n

The attacker regularly updates the code or domain endpoints. The IP we identified\u2014139.45.197.242<\/strong><\/span>\u2014hosts many of these domains, signaling a persistent campaign that pivots quickly when one host is blocked.  We’ll include the domains we’re seeing our telemetry at the appendix to the blog post.<\/p>\n

In the weeds<\/span>:<\/p>\n

In short, it is a pop\u2011up\/pop\u2011under\/redirect \u201cad loader\u201d script. It has a lot of logic to hook user clicks, bypass pop\u2010up blockers, track impressions, store information in cookies\/localStorage, and optionally detect if developer tools are open. The script is heavily obfuscated so that all of this ad\/redirect behavior is hidden under weird variable names and large inline data structures.<\/p>\n

High\u2010Level Behavior<\/span><\/p>\n

    1.    Environment & Feature Detection<\/span>
The script checks many environment details\u2014things like:
    \u2022    Whether the browser has certain plugins installed
    \u2022    Whether navigator or document includes certain properties
    \u2022    Whether the user might be in DevTools
    \u2022    Whether local or session storage is available
This is done to decide which \u201cpop\u2011under\u201d or \u201credirect\u201d technique will work best without being blocked.<\/p>\n

    2.    Setting Event Listeners<\/span>
It listens for user interactions (like click, mousedown, touchstart, etc.) on the page. Whenever the user first interacts, the script:
    \u2022    May open pop\u2010ups\/pop\u2010unders
    \u2022    May rewrite anchor tags (so a normal link becomes a forced pop\u2010up)
    \u2022    Often tries to do it on the \u201cfirst click\u201d or \u201cfirst valid click\u201d to get around modern browser restrictions.<\/p>\n

    3.    Pop\u2011Under and Redirect Logic<\/span>
There is elaborate logic for:
    \u2022    Pop\u2010under vs. pop\u2010up: picking which window\u2010opening approach to use
    \u2022    Interstitial flows: sometimes shows an interstitial ad if you click back or close a tab
    \u2022    \u201cOnCloseInterstitialUrl<\/code>\u201d or \u201csmart overlay\u201d references: hooking up overlay ads or full\u2010page pop\u2010ups
    \u2022    Checking if the user has already been shown a pop\u2010up (tracking via cookie or local storage) so it does not spam too many times.<\/p>\n

    4.    Session\/Click Counting<\/span>
You see code that increments click counts, sets timeouts, or reads\/writes \u201chow many times we have shown an ad.\u201d That\u2019s to limit (or sometimes ensure) a certain number of forced ads per session. For example, isImpressionAvailable or shouldImpressionBeCollected methods track the \u201csession counters\u201d or \u201cimpression counters.\u201d<\/p>\n

    5.    Prefetching Ad URLs<\/span>
It will sometimes \u201cprefetch\u201d an ad URL\u2014i.e. it sends a hidden request beforehand\u2014so that when you do click, it can redirect you more reliably. This helps avoid slow ad servers or pop\u2010up blockers.<\/p>\n

    6.    Obfuscation<\/span>
    \u2022    Dozens of single\u2010letter or two\u2010letter properties (e.g. V, rK, KK, jK<\/code>) that map to bizarre string constants
    \u2022    The script uses a big object\/dictionary that re\u2010maps short keys to strings or regex patterns.
    \u2022    A function like Pe(...)<\/code> or p(...)<\/code> that decodes\/munges strings at runtime.
    \u2022    Large \u201cenums\u201d stored in variables like mr, fr<\/code>, etc. that stand for different internal codes or status flags.<\/p>\n

    7.    Developer Tools \u201cAnti\u2010Debug\u201d<\/span>
There are references to getComputedStyle<\/code> checks, intervals, or code that times how long a function call took. This is typically used by ad scripts to see if someone has DevTools open (for example, certain properties read slower under breakpoint). If it detects that, it may abort or reduce functionality so the user can\u2019t easily debug or tamper with the script.<\/p>\n

    8.    Final Payload<\/span>
The very last line is a monstrous gibberish invocation:<\/p>\n

(\"c.#i6M.#.J.#.4.4Z#llBWi5oo6#i.)=ow.4.n65.Ge.x=K.x.T&M.Xo.|3.QW....\")<\/span><\/code><\/p>\n

That\u2019s basically a giant obfuscated string the script decodes or interprets to get its final config (domains, zone IDs, tracking parameters, etc.). The code near the top,<\/p>\n

(function(lczxsusin) {<\/span><\/code>
    ...<\/span><\/code>
})(\"c.#i6M.#.J.#.4.4Z#llBWi5oo6#i...)\"<\/span><\/code><\/p>\n

simply calls the whole \u201cengine\u201d with that big scrambled argument, so the script can set up its ad logic.<\/p>\n

What It\u2019s Actually Doing (In Plain Terms)
    \u2022    Primary Goal: Force the user\u2019s browser to open ads\u2014pop\u2010ups, pop\u2010unders, or forced redirects\u2014on the user\u2019s first click or on subsequent clicks.
    \u2022    Avoid Blockers & Quotas: Hides inside normal click handlers, tries multiple fallback methods, and uses localStorage\/cookies to see if it\u2019s already shown an ad.
    \u2022    Hide & Confuse: The script is stuffed with random variables and references (like V.e, V.x, V.L<\/code>, etc.) to break up the real logic flow. This is standard \u201cadware obfuscation.\u201d<\/p>\n

Key Points in the Code
    \u2022    function ve(t,e,r)<\/code> \u2013 Hooks up events to the document or window, such as onclick, mousedown, etc., to trigger the ad opening.
    \u2022    function Ft(t,e)<\/code> \u2013 One of the \u201copen pop\u2010up\/pop\u2010under\u201d routines, deciding how to open a new window or rewrite a link if you click an anchor.
    \u2022    function Lt(t,e,r,n)<\/code> \u2013 Overlays or \u201csmart overlay\u201d logic; also controlling advanced \u201cinterstitial\u201d or \u201coverlay\u201d ads.
    \u2022    function br()<\/code> \u2013 In some code, you see references to br() or \u201ccookie sync.\u201d This is so the script can keep track of user data across domains or iframes.
    \u2022    function Pt() \/ function Nt() \/ function Bt()<\/code> \u2013 Variation of the same \u201copen a new window or rewrite the anchor tag, then call track\/ log.\u201d
    \u2022    Lots of setInterval<\/code>, setTimeout<\/code>, watchers that keep rechecking whether the user\u2019s environment changed\u2014dev tools open, or new clicks, etc.<\/p>\n

Bottom Line<\/span><\/p>\n

This is a pop\u2010up\/pop\u2010under ad script with all the usual trimmings:
    \u2022    Hooks user clicks
    \u2022    Does forced opens\/redirects
    \u2022    Tracks usage, impressions, concurrency
    \u2022    Obfuscated with big dictionaries and weird variable references
    \u2022    Optionally tries to detect dev tools or debugging<\/p>\n

All of that is typical for \u201cforced redirect\u201d or \u201cpop\u2010under ad\u201d providers that want to avoid easy detection or blocking.<\/p>\n

Why It\u2019s Dangerous<\/strong><\/p>\n

This obfuscated JavaScript is more than mere nuisance pop-up spam. At scale, such code often funnels users to phishing pages crafted to steal credentials or payment information. In some of my past work at previous companies, I would see javascript like this inside of exploit kits It may also redirect victims to exploit kits delivering malware that can compromise their entire system. The layering of obfuscation indicates that threat actors are actively investing in advanced evasion techniques, making it critical to have proactive protections in place.<\/p>\n

How ThreatSTOP\u2019s Proactive Protections Help<\/strong><\/p>\n

1. <\/span>DNS Defense Cloud<\/strong><\/p>\n

Protect endpoints wherever they roam by pointing them to ThreatSTOP\u2019s cloud-based DNS service. This instantly blocks lookups to malicious domains\u2014including those behind suspicious pop-up code\u2014based on ThreatSTOP intelligence.<\/p>\n

2. <\/span>DNS Defense<\/strong><\/p>\n

For organizations that run their own DNS resolvers on-premises, ThreatSTOP integrates directly into your existing servers. This offers the same robust intelligence enforcement as our cloud service, proactively blocking malicious endpoints before they can impact users.<\/p>\n

Together, DNS Defense Cloud<\/strong><\/span> and DNS Defense<\/strong><\/span> form our Protective DNS<\/strong><\/span> suite, designed to filter out threats in real time.<\/p>\n

3. <\/span>IP Defense<\/strong><\/p>\n

Malicious code often relies on rogue IP addresses. With IP Defense, you can proactively manage a block list across routers, firewalls, IPS devices, AWS WAF, and more\u2014ensuring that threat actors can\u2019t establish inbound or outbound communication with your network.<\/p>\n

ThreatSTOP Intelligence, Research, and Security (TIS) Team<\/strong><\/p>\n

The malicious domains behind IP 139.45.197.242 showcase how attackers can quickly pivot their hosting infrastructure. The ThreatSTOP TIS Team continuously tracks threats like command and control activity, invalid traffic, peer-to-peer connections, data exfiltration, phishing, spam, and DDoS endpoints. As new campaigns emerge, they create updated protections that are automatically delivered to our customers\u2019 environments\u2014providing round-the-clock coverage against a wide range of malicious activity.  This IP and the domains associated with it have been blocked in our product line.<\/p>\n

Connect with Customers, Disconnect from Risks<\/strong><\/p>\n

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page<\/a>. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!<\/p>\n

IOCs:<\/p>\n

139.45.197.242<\/p>\n

gloolsukre[.]com
shagrixove[.]com
choomopteet[.]com
neechaipoad[.]com
oartoopesti[.]com
ptirsuckais[.]com
thumumoucku[.]com
faphomtotapt[.]com
greewoabaikr[.]com
jozekupteesh[.]com
oalseessonoo[.]com
oargusongous[.]com
woawewostoas[.]com
zidreersatsy[.]com
aughoomsoushy[.]com
fagloafexeele[.]com
phopaushoutch[.]com
pseexauboorsu[.]com
thautsooladsu[.]com
bijophomsorsig[.]com
chossoovauthuh[.]com
gorgadricmitsu[.]com
taiteemozathou[.]com
ekoortouksalert[.]com
glaigaunsoroogh[.]com
ofobsilreehoukr[.]com
pokastaiptoalto[.]com
raicaustenuphoo[.]com
caihaujeer[.]net
chetsoamta[.]net
dolsukophe[.]net
geeburouje[.]net
mufackoopt[.]net
numaigluwo[.]net
oofegleemy[.]net
pashulroak[.]net
piwhourumt[.]net
stouksomsi[.]net
behaiptoube[.]net
dauzaiwhaig[.]net
shedroobsoa[.]net
shuwoockoun[.]net
uhartomoaks[.]net
vodsoamsoun[.]net
apauzauxauls[.]net
chirsaidsoun[.]net
foupeestokiy[.]net
glabsuckoupy[.]net
grikooghoakr[.]net
halraingitsy[.]net
nauthaugroce[.]net
oaweekoorsew[.]net
sodreegrocee[.]net
southeestais[.]net
staimpaissoy[.]net
steetsoftehy[.]net
veewheephime[.]net
voptosteejee[.]net
whailacelump[.]net
bimaissebsiph[.]net
laushosoujedu[.]net
masouckomirtu[.]net
moaloamoaruno[.]net
naumezeephovy[.]net
oackaudrikrul[.]net
oastoarsewaip[.]net
shisheghustou[.]net
vouphoanooque[.]net
widrelroalrie[.]net
woojouthoowoa[.]net
boazeerizeepsi[.]net
jimtighoafoorg[.]net
oamoacirdaures[.]net
pauleeroupsacu[.]net
ptaujursissain[.]net
sorsoazucmumso[.]net
steemozoomeepi[.]net
suchizainsairg[.]net
tudroutchaigne[.]net
edoxoonsackefte[.]net
gouloaroustalun[.]net
ivaursersaipaul[.]net
ounoaksivoutsim[.]net
phoukriphoossid[.]net
soglaiksouphube[.]net
terumoumsaibsoa[.]net
toatobaijauvoly[.]net
whidsugnoackili[.]net
woakathugraimoh[.]net
woathaphachainy[.]net
wugoughurtaitsu[.]net
zoogoucaitakast[.]net
ocheejacheb[.]xyz
sterteeraisti[.]xyz
fauseepetoozuk[.]xyz
koomoaboatapoa[.]xyz
rilseessinipto[.]xyz
cugaksoogleptix[.]xyz
dooptoupouwhuwu[.]xyz
chirsaidsoun[.]net
numaigluwo[.]net
choomopteet[.]com
oofegleemy[.]net
toatobaijauvoly[.]net
tudroutchaigne[.]net
phopaushoutch[.]com
oargusongous[.]com
dolsukophe[.]net
oartoopesti[.]com
ofobsilreehoukr[.]com
ptaujursissain[.]net
zoogoucaitakast[.]net
whailacelump[.]net
halraingitsy[.]net
mufackoopt[.]net
gorgadricmitsu[.]com
shisheghustou[.]net
boazeerizeepsi[.]net
chossoovauthuh[.]com
thumumoucku[.]com
thautsooladsu[.]com<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Obfuscation in malware delivery has always been an effective trick<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[30,62,215,216,61],"tags":[653,218],"class_list":["post-7381","post","type-post","status-publish","format-standard","hentry","category-dns","category-dns-security","category-passive-dns","category-pdns","category-protective-dns","tag-ip-defense","tag-pdns"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Threat Stop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/threatstop\/"},"category_info":"DNS<\/a> DNS Security<\/a> Passive DNS<\/a> PDNS<\/a> Protective DNS<\/a>","tag_info":"Protective DNS","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7381"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7381\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}