The “AliGater” malvertising campaign has emerged as a significant threat, specifically targeting users of outdated Windows systems, notably Windows 7 SP1 and 8.1, as well as older versions of Chrome in Europe. Researchers from Gen Digital have identified that this sophisticated platform exploits legitimate advertising networks, embedding harmful code within online ads to facilitate malware infections. This malvertising tactic poses challenges for both users and publishers, as infected advertisements can often evade detection.
The attack chain begins with malicious ads redirecting users to a domain named aligate.homes, where victims encounter a deceptive CAPTCHA page that loads a script called “captcha.js” from a dynamic shop domain. This script fingerprints the user by analyzing the system environment, such as architecture and browser version. It then delivers targeted exploits that take advantage of vulnerabilities in the V8 JavaScript engine (CVE-2023-2033) and Windows TrueType font parsing (CVE-2011-3402). This meticulous approach enables the attackers to tailor their exploits to the specific weaknesses of the victim’s setup.
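A defender-side illustration of the first stage described above, added here and not taken from the Gen Digital research: it scans constructed proxy-log lines for the aligate.homes redirect, a captcha.js fetch, and the targeted Windows 7/8.1 plus outdated-Chrome User-Agent profile. The log layout, the Chrome version threshold, and every hostname other than aligate.homes are assumptions.

```python
import re

# Indicators named in the write-up: the redirect domain and the fingerprinting script.
REDIRECT_DOMAIN = "aligate.homes"
FINGERPRINT_SCRIPT = "captcha.js"
# Assumed threshold: the CVE-2023-2033 fix shipped in the Chrome 112 line, so majors <= 112 count as exposed.
OUTDATED_CHROME_MAJOR = 112
TARGETED_WINDOWS = {"6.1": "Windows 7", "6.3": "Windows 8.1"}  # User-Agent "Windows NT" tokens
# Constructed proxy-log layout: timestamp client "METHOD URL" status "User-Agent".
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def exposed_profile(ua):
    """Name the targeted OS/browser combination if the User-Agent matches one, else None."""
    win = re.search(r"Windows NT (\d+\.\d+)", ua)
    chrome = re.search(r"Chrome/(\d+)\.", ua)
    if win and chrome and win[1] in TARGETED_WINDOWS and int(chrome[1]) <= OUTDATED_CHROME_MAJOR:
        return f"{TARGETED_WINDOWS[win[1]]} / Chrome {chrome[1]}"
    return None

def assess(line):
    """Return (client, url, indicators, profile, severity), or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m["url"]
    host = re.match(r"https?://([^/?#]+)", url)
    host = host[1].lower() if host else ""
    indicators = []
    if host == REDIRECT_DOMAIN or host.endswith("." + REDIRECT_DOMAIN):
        indicators.append("redirect-domain")
    if url.split("?", 1)[0].endswith("/" + FINGERPRINT_SCRIPT):
        indicators.append("fingerprint-script")
    if not indicators:
        return None
    profile = exposed_profile(m["ua"])
    # The domain is strong on its own; captcha.js is a generic file name, so it is only
    # rated high when the client also matches the targeted OS/browser profile.
    severity = "high" if "redirect-domain" in indicators or profile else "low"
    return (m["src"], url, indicators, profile, severity)

def scan(lines):
    return [r for r in map(assess, lines) if r is not None]

# Constructed sample traffic: a targeted client walking the chain, then a current client
# fetching a benign captcha.js and an unrelated page that should not match.
OLD_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
NEW_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
SAMPLE_LOG = [
    f'2024-05-01T10:00:01Z 10.0.0.5 "GET https://aligate.homes/?ad=77" 302 "{OLD_UA}"',
    f'2024-05-01T10:00:02Z 10.0.0.5 "GET https://shop-example.invalid/captcha.js" 200 "{OLD_UA}"',
    f'2024-05-01T10:00:03Z 10.0.0.9 "GET https://cdn.example.net/static/captcha.js" 200 "{NEW_UA}"',
    f'2024-05-01T10:00:04Z 10.0.0.9 "GET https://example.com/index.html" 200 "{NEW_UA}"',
]
```

Running `scan(SAMPLE_LOG)` yields two high-severity findings for the Windows 7 client and one low-severity hit for the benign captcha.js fetch; the plain page view is not reported.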
Once a user is compromised, the multi-stage payload deploys sophisticated techniques, including WebAssembly, XOR encryption, and shellcode injection, alongside process hollowing methods. The malware masquerades as legitimate Windows processes—such as “dllhost.exe” and “svchost.exe”—to evade detection while deploying the Lumma stealer, which is designed to harvest sensitive information from infected devices. AliGater also targets specific user agents, notably outdated versions of Chrome, thereby narrowing its focus to particularly vulnerable systems.
Interestingly, the infrastructure supporting AliGater displays characteristics reminiscent of the Magniber ransomware campaign, including similar targeting methods and syscall invocation techniques. This suggests a possible connection or shared codebase between the two threats, raising concerns about the potential for broader exploitation. As the AliGater campaign continues to evolve, it underscores the urgent need for users to update their operating systems and browsers to protect against sophisticated malware threats lurking in seemingly innocuous online ads.