Ars Technica was used in a malware campaign with unprecedented obfuscation


Ars Technica was recently used to serve up second-stage malware in a campaign that used a never-before-seen attack chain to cleverly cover its tracks, researchers from security firm Mandiant reported Tuesday.

An innocuous image of a pizza was uploaded to a third-party website and then linked to a URL pasted into the About page of a registered Ars user. Buried in this URL was a string of characters that looked random but was actually a payload. The campaign also targeted the video-sharing site Vimeo, where a benign video was uploaded and a malicious string was included in the video description. The string is created using an encoding scheme known as Base64, which represents binary data as a string of printable ASCII characters. Devices already infected with the first-stage malware used in the campaign automatically retrieved these strings and installed the second stage.

Not usually seen

“This is a different and innovative way in which we see abuse that can be difficult to detect,” Yash Gupta, a researcher at Mandiant, said in an interview. “This is something in malware that we don’t typically see. It’s very interesting to us and something we wanted to mention.”

The photo posted on Ars appeared on the profile of a user who created an account on November 23. An Ars representative said the photo, which showed a pizza and was captioned “I love pizza,” was removed by Ars employees on December 16 after they were informed by email from an unknown party. The Ars profile used an embedded URL pointing to the photo, which was automatically populated on the About page. The malicious Base64-encoded string appeared immediately after the legitimate part of the URL. The string did not generate any errors or prevent the page from loading.

Picture of pizza posted by the user.
Malicious string in URL.

Mandiant researchers said there were no consequences for people who might have seen the image, either as it was displayed on the Ars page or on the website that hosted it. It’s also not clear that any Ars users have visited the About page.

Devices infected in the first stage automatically accessed the malicious string at the end of the URL. From there, they retrieved and installed the second stage.

The Vimeo video works the same way, except that the string is included in the video description.

Ars representatives had nothing further to add. Vimeo representatives did not immediately respond to an email.

The campaign came from a threat actor tracked by Mandiant as UNC4990, which has been active since at least 2020 and bears the hallmarks of being financially motivated. The group had already used a separate novel technique to fly under the radar: it delivered the second stage using a text file that browsers and ordinary text editors showed as empty.

Opening the same file in a hex editor, a tool for forensically analyzing and investigating binary files, revealed that a set of tabs, spaces, and newlines had been arranged in a way that encoded executable code. Like the technique involving Ars and Vimeo, the use of such a file is something Mandiant researchers had never seen before. Previously, UNC4990 used GitHub and GitLab.

The first stage of the malware was spread via infected USB drives. The drives installed a payload that Mandiant calls Explorer.ps1. Infected devices automatically accessed either the malicious text file, the URL posted on Ars, or the video posted on Vimeo. The Base64 strings in the image URL or video description in turn caused the malware to connect to a site hosting the second stage. The second stage, tracked as Emptyspace, continuously polls a command-and-control server which, when instructed, downloads and executes the third stage.
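As an added illustration (not code from the article or from Mandiant), here are two defender-side triage checks for the artifacts described above: a Base64 run glued onto the end of an otherwise legitimate image URL, and a text file that renders as empty because it consists only of tabs, spaces and newlines. All sample data is constructed here, including the hypothetical host names and the whitespace encoding used to build the test file; the campaign's actual whitespace scheme is not described in the article.

```python
import base64
import binascii
import re

# Constructed sample data for this example; none of it comes from the Mandiant report.
STAGE2_HINT = b"https://c2.example.test/stage2"  # hypothetical payload text
SAMPLE_URLS = {
    "benign": "https://img.example.test/pizza.jpg",
    "tainted": "https://img.example.test/pizza.jpg" + base64.b64encode(STAGE2_HINT).decode(),
}

# 16+ Base64 characters glued directly onto an image extension at the very end of a URL.
B64_TAIL = re.compile(r"\.(?:jpe?g|png|gif)([A-Za-z0-9+/]{16,}={0,2})$")


def suspicious_b64_tail(url: str):
    """Return the decoded bytes appended after the image extension, or None if none found."""
    m = B64_TAIL.search(url)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # restore padding that a URL may have dropped
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:  # not actually Base64: wrong length or padding
        return None


def to_whitespace(payload: bytes) -> bytes:
    """Constructed encoder used only to build a test file: bit 1 -> space, bit 0 -> tab,
    newline after each byte. The real campaign's scheme is not described in the article."""
    out = bytearray()
    for byte in payload:
        out.extend(0x20 if (byte >> i) & 1 else 0x09 for i in range(7, -1, -1))
        out.append(0x0A)
    return bytes(out)


def looks_blank_but_not_empty(data: bytes, min_len: int = 64) -> bool:
    """Flag a file that an editor would show as empty: long enough to carry data,
    made only of whitespace, and using at least two distinct whitespace characters."""
    only_ws = data.strip(b" \t\r\n") == b""
    return len(data) >= min_len and only_ws and len(set(data)) >= 2


if __name__ == "__main__":
    for label, url in SAMPLE_URLS.items():
        print(label, suspicious_b64_tail(url))
    print("blank-file check:", looks_blank_but_not_empty(to_whitespace(STAGE2_HINT)))
```

Both checks are heuristics for triage, not verdicts: a flagged URL tail or whitespace-only file still needs to be decoded and inspected in a hex editor before being treated as a stage-two pointer.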


Mandiant observed the installation of this third stage in only one case. That malware is a backdoor the researchers track as Quietboard. In that case, the backdoor went on to install a cryptocurrency miner.

Anyone concerned that they may be infected with any of the malware covered by Mandiant can check the Indicators of Compromise section of Tuesday’s post.
