Unit 42 researchers unveil a concerning cybersecurity discovery – ApateWeb, a large-scale campaign employing a network of over 130,000 domains as a conduit for distributing scareware, potentially unwanted programs (PUPs), and other fraudulent pages. Despite not classifying as traditional malware, the identified adware programs, including a rogue browser and various browser extensions, could serve as gateways for cybercriminals to establish initial access.
The nuanced approach involves deceptive emails enticing victims to click on campaign URLs, coupled with JavaScript embedding on web pages redirecting traffic towards malicious content. ApateWeb boasts a complex infrastructure with a multilayered system, featuring intermediate redirections to obfuscate the delivery of the final malicious payload. The attackers employ cloaking techniques and exploit wildcard DNS to impede defenders from detecting their campaign.
The impact of ApateWeb has surged since August 2022, persisting throughout 2022, 2023, and into 2024, with several hundred attacker-controlled websites consistently ranked in Tranco’s top 1 million website list. Global telemetry data indicates millions of monthly hits on these websites, affecting users across the U.S., Europe, and Asia. For example, in November 2023 alone, approximately 3.5 million sessions from this campaign were blocked across 74,711 devices.
