VeryMal

VeryMal is a prolific and persistent malvertiser identified by Confiant, also referred to as "verymal" and named after the ad serving domain veryield-malyst[.]com. The actor is known for large-scale fake Flash update campaigns hosted on .icu domains and delivered via display ad auto-redirects. Confiant linked VeryMal to macOS-focused malvertising activity delivering OSX/Shlayer since January 2019, and later-stage malware dubbed OSX/Tarmac. Reported tradecraft includes malicious ad tags, browser fingerprinting, anti-tampering and anti-debugging logic, offensive steganography in earlier campaigns, and later abuse of Google Firebase Firestore to host and deliver malicious JavaScript payloads that were executed via eval(). In the Firebase-based campaign, payloads fingerprinted for desktop Safari using checks such as window.devicePixelRatio, window.WebKitPlaybackTargetAvailabilityEvent, and validation of navigator.javaEnabled().toString(), then redirected victims to fake Flash update infrastructure. Confiant also observed active development across payloads, including fingerprinting changes, steganography, domain variation, and an infinite breakpoint loop as an anti-debugging mechanism. VeryMal’s campaigns targeted macOS users through fake Adobe Flash Player installers, including AdobeFlashPlayerInstaller.dmg, and delivered OSX/Shlayer variants that used code-signed applications and encrypted scripts to download additional payloads. Confiant attributed a campaign exposing up to 5 million visitors to VeryMal. In that activity, OSX/Shlayer.D downloaded unsigned OSX/Tarmac via curl, exploiting the lack of quarantine attributes on curl-downloaded files to bypass Gatekeeper and XProtect checks on tested macOS Mojave 10.14.6 systems. OSX/Tarmac, as described in the reporting attributed to VeryMal, is a two-stage Objective-C malware family that used encrypted strings, JavaScriptCore bridging, AppleScript-based privilege elevation, and encrypted command-and-control communications using a hardcoded 1024-bit RSA public key and RC2. It displayed a WebView masquerading as a Flash installer with C2-controlled content and ultimately downloaded a genuine Adobe Flash Player installer from Adobe servers. The malware exfiltrated host profiling data and supported commands to download, install, copy, and launch applications. Confiant identified 52 samples signed with the same Apple developer certificate 2L27TJZBZM and multiple related C2 domains. Confiant estimated that nearly one million user sessions may have been exposed to the Firebase-based malvertising campaign. No nation-state attribution is stated in the provided content.