Skip to content
WHEN USERS ATTACK

Ars Technica used in malware campaign with never-before-seen obfuscation

Vimeo also used by legitimate user who posted booby-trapped content.

Dan Goodin | 257
Credit: Getty Images
Credit: Getty Images
Story text

Ars Technica was recently used to serve second-stage malware in a campaign that used a never-before-seen attack chain to cleverly cover its tracks, researchers from security firm Mandiant reported Tuesday.

A benign image of a pizza was uploaded to a third-party website and was then linked with a URL pasted into the “about” page of a registered Ars user. Buried in that URL was a string of characters that appeared to be random—but were actually a payload. The campaign also targeted the video-sharing site Vimeo, where a benign video was uploaded and a malicious string was included in the video description. The string was generated using a technique known as Base 64 encoding. Base 64 converts text into a printable ASCII string format to represent binary data. Devices already infected with the first-stage malware used in the campaign automatically retrieved these strings and installed the second stage.

Not typically seen

“This is a different and novel way we’re seeing abuse that can be pretty hard to detect,” Mandiant researcher Yash Gupta said in an interview. “This is something in malware we have not typically seen. It’s pretty interesting for us and something we wanted to call out.”

The image posted on Ars appeared in the about profile of a user who created an account on November 23. An Ars representative said the photo, showing a pizza and captioned “I love pizza,” was removed by Ars staff on December 16 after being tipped off by email from an unknown party. The Ars profile used an embedded URL that pointed to the image, which was automatically populated into the about page. The malicious base 64 encoding appeared immediately following the legitimate part of the URL. The string didn’t generate any errors or prevent the page from loading.

Pizza image posted by user.
Pizza image posted by user.
Malicious string in URL.
Malicious string in URL.

Mandiant researchers said there were no consequences for people who may have viewed the image, either as displayed on the Ars page or on the website that hosted it. It’s also not clear that any Ars users visited the about page.

Devices that were infected by the first stage automatically accessed the malicious string at the end of the URL. From there, they were infected with a second stage.

The video on Vimeo worked similarly, except that the string was included in the video description.

Ars representatives had nothing further to add. Vimeo representatives didn’t immediately respond to an email.

The campaign came from a threat actor Mandiant tracks as UNC4990, which has been active since at least 2020 and bears the hallmarks of being motivated by financial gain. The group has already used a separate novel technique to fly under the radar. That technique spread the second stage using a text file that browsers and normal text editors showed to be blank.

Opening the same file in a hex editor—a tool for analyzing and forensically investigating binary files—showed that a combination of tabs, spaces, and new lines were arranged in a way that encoded executable code. Like the technique involving Ars and Vimeo, the use of such a file is something the Mandiant researchers had never seen before. Previously, UNC4990 used GitHub and GitLab.

The initial stage of the malware was transmitted by infected USB drives. The drives installed a payload Mandiant has dubbed explorerps1. Infected devices then automatically reached out to either the malicious text file or else to the URL posted on Ars or the video posted to Vimeo. The base 64 strings in the image URL or video description, in turn, caused the malware to contact a site hosting the second stage. The second stage of the malware, tracked as Emptyspace, continuously polled a command-and-control server that, when instructed, would download and execute a third stage.

Credit: Mandiant
Credit: Mandiant

Mandiant has observed the installation of this third stage in only one case. This malware acts as a backdoor the researchers track as Quietboard. The backdoor, in that case, went on to install a cryptocurrency miner.

Anyone who is concerned they may have been infected by any of the malware covered by Mandiant can check the indicators of compromise section in Tuesday’s post.

Listing image: Getty Images

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.
257 Comments
Staff Picks
Chuckstar
Chuckstar
I don’t see why this is so confusing to people. You need to hardcode some URL in the first stage.

If you don’t want to hardcode your C&C server directly, as that may eventually get found and block, you instead hardcode an interim location (with fallbacks) where you will hide the URL of the C&C server.

That interim location should be a URL that will raise no red flags from monitoring software, where an obscured URL can be entered such that the first stage can read it and, importantly, where it can be subsequently edited in the future, if the C&C URL is compromised.

I’ll bet if the third stage were to lose contact with the C&C server, it would fall back to looking back at those first stage pages for an updated URL.
Aurich
Aurich
Looks like we're going to soon be upon the age when user uploaded images for their user/profile is not longer an option on the internet either. We can never had nice things.
Keep in mind there was nothing wrong with the image itself, nothing hidden inside it etc.

It's right here btw: https://purepng.com/public/uploads/large/purepng.com-pizzafood-pizza-941524644327twewe.png

You can safely load it, download it, whatever. The malicious part was appended after the .png with a ? and a string. It was the URL itself that triggered the malware. In theory any way of putting a URL onto a page would work. As Dan noted, on Vimeo they put it in the video description.

That kind of string is used in legit ways all over the internet, so there's no way to realistically filter for it. But you have to have already been infected for it to do anything, so in that sense the problem is downstream. Someone had to load the malware in some way in the first place.
Aurich
Aurich
Out of curiosity, how do you deal with stuff like that?

As I understand it, Ars was either hot‑linking the original URL image on the bad user profile (which could be indeed bad, even just for avatar porn reasons), or parsing the profile image while keeping the original (C&C) URL somewhere in the metadata that the totally Ars‑unrelated incursion still used for its C&C commands or addresses.

Kinda like hiding a URL or commands inside an encoded filename, I guess?

So the potential solution would be to never include any original image filenames in whatever accepts any data like images from users, like most forum software does? Just rename it to a random string each and every time then?

Or did I understand it wrong? Apologies if so.
The short answer is you kinda don't.

Just to quote the third party research for an unbiased take:

The legitimate services abused by UNC4990 (including Ars Technica, GitHub, GitLab, and Vimeo) didn’t involve exploiting any known or unknown vulnerabilities in these sites, nor did any of these organizations have anything misconfigured to allow for this abuse. Additionally, the content hosted on these services posed no direct risk for the everyday users of these services, as the content hosted in isolation was completely benign. Anyone who may have inadvertently clicked or viewed this content in the past was not at risk of being compromised.

We didn't do anything wrong, in the sense that nothing actually malicious was ever on Ars.

I'm going to use a horrible analogy:

It's like the old spy craft of taking out a classified ad in a newspaper, and someone knows to check for such and such job listing, and the salary range is the address of the drop spot.

The newspaper might has facilitated bad actors, but not because they were running classified ads wrong. The ad only meant something to the right people.

In the same sense the URL was only meaningful to someone infected. So there's kinda nothing for us to stop? In theory we could try and dedicate resources to not allowing this specific kind of attack in the future, but there's almost no point.
VividVerism
VividVerism
Why would the network traffic show as visiting Ars though? The image isn't hosted by Ars, would it really show communication through Ars and not the URL of the image?

I don't get this -- the image was hosted by a third party, and any access by the malware would have to follow the image URL to download the payload.

So why was it linked to an Ars profile? The only thing I can think of is plausible deniability, as any network router would see the call to Ars followed by the call to the third party image hoster. But from a threat activity standpoint, hosting it on Ars didn't do anything other than draw more attention to the image.

What a bizarre attack. I get having a benign first stage infection: it helps avoid detection. I also get having directions for how to access the command/control server hosted somewhere like Ars: it allows you to update the server's location without needing to contact the infected machines, even if the server is suddenly taken down (say by law enforcement). But why then have a useless middle stage payload that pings your server instead of just making that the first stage?
The picture itself didn't contain any malware, the URL itself encodes the payload. One does not need to contact the webserver hosting the image at all to get the payload, only read the URL from the Ars Technica page.

The image hosting site itself is likely benign. Someone found (or possibly stood up) a site that simply discards garbage text after an image URL without returning an error. That allows them to use that image URL as a way to insert arbitrary data into any website allowing image embeds, without raising any suspicions. The URL functions normally to serve up an image if you follow it, and URLs frequently have tracking or session or resource identifier garbage tacked on as part of normal use. So now you have a way to retrieve arbitrary text from a benign webserver without anything suspicious ever showing up in a log. Worst case, if someone gets suspicious of the image URL, they can try requesting it and get the image normally, enough to quell most suspicions if the URL was flagged up for some reason.
Aurich
Aurich
FYI I just locked down user profiles so you cannot view them unless you're logged in.

Nobody random with malware from a USB drive will be able to view malicious URLs in that way anymore here.
Prev story
Next story