A malvertising campaign targets iPhone users with Krampus-3PC

Pierluigi Paganini December 14, 2019

A malvertising campaign that involved more than 100 publisher websites targeted iPhone users to deliver the Smart Krampus-3PC Malware.

According to The Media Trust’s Digital Security & Operations (DSO) team, iPhone users have been targeted by a malvertising campaign that has impacted more than 100 publisher websites, including online newspapers and international weekly news magazines.

iPhone users visiting any of the impacted websites were also displayed a fraudulent popup masquerading as a grocery store reward ad.

“Named Krampus-3PC1 by the DSO, this unique malware delivered the payload using a multi-stage redirect mechanism and two obfuscation methods to evade conventional scanning and blocking tools.” reads the analysis published by the DSO experts. “While most malicious campaigns use one method of redirection, Krampus-3PC employed a backup method to ensure users were redirected to the fraudulent popup masquerading as a global grocery store reward ad.”

The Krampus-3PC malware is able to harvest the users’ session and cookie information allowing the attackers to log into their users’ various online accounts.

If the visitors click on the grocery store ad, they are redirected to a phishing page in the attempt to trick users to enter their personal information.

“The malware was able to retrieve not only whatever information users entered but also their phone numbers, which were later used for phishing texts, and cookie IDs,” continues DSO “The cookie ID enabled Krampus-3PC to hijack the browser, and – if the user had other sites like their bank or favorite online retailer open on their device – gain access to the user’s account. Access to a session cookie would enable the malvertiser to log in as that user at a later time.”

Krampus-3PC evaded scanners and blockers leveraging on a heavy obfuscation.

The attackers first placed an ad to be distributed via the Adtechstack adtech provider, then they used the API implemented by the platform to insert the malicious code.

Once a reader visited a site and the compromised ad’s creative tag was loaded, Krampus-3PC unpacked the code that is used to check (1) whether the ad was hosted by Adtechstack and (2) whether the ad was running on a targeted publisher.


If the above checks were satisfied, the malware injected the malicious script that triggered additional checks to determine if the device was an iPhone.

“If the results were positive, Krampus-3PC built and executed the payload URL—boostsea2—and sent user data to the C&C server. This payload URL hijacked the browser, replacing the page address in order to redirect users to the phony reward popup.” continues the analysis. “If the redirection failed, it used the backup method, loading the malicious URL onto another tab. The URL would continue to open and load onto a new tab the redirection succeeded.”

Once all the checks are met, the user was redirected to malicious popups in the attempt to harvest users’ data.

At the time, Media Trust did not reveal the name the affected publishers.

The adtech platform has blacklisted the advertiser and the malicious ad itself).

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment