An insidious new form of malware designed to avoid detection on ad networks has successfully targeted over 200 premium publishers.
Detailed today by ad verification firm The Media Trust, the AfterShock-3PC malware is described as “polymorphic” in that it constantly changes its identifiable features to evade detection. First detected in March, AfterShock-3PC exploited several well-known ad networks, used frequent code-switching, alternated among more than 30 malicious domains to outsmart signature-based defenses and spoofed online payment tools.
The malware is also multifaceted in its delivery, varying its payload by victim platform. Victims are initially presented with a fraudulent pop-up generated via a malicious ad.
Windows users are presented with a fraudulent pop-up warning them to renew their antivirus software, followed shortly afterwards by a ransomware pop-up. The latter gives users 15 minutes to make a payment or their files will be encrypted.
Those who clicked through were then taken to a malicious landing page impersonating a well-known payments processor and asked to enter their payment details, which were then stolen. Users who ignored the warnings found their browsers frozen, but no encryption actually took place and no malware remained installed after a restart. Android users are presented with a fake pop-up offering them a free $1,000 gift card if they enter their details.
In all cases, the malware evaded existing security measures on major ad networks. “The malware’s ability to escape signature detection through clever nuances within the code marks a significant stride in technique for malvertising groups, who typically rely on simple obfuscation or recycled code,” the researchers noted.
The Media Trust has provided details of the attacks to federal authorities but warned that in the meantime, the risk is likely to increase.
“Today’s malware is more often new and unknown than known, and can renew itself through code changes,” the researchers concluded. “No single, simple solution can protect the user experience from such sophisticated campaigns.”