New Malvertising Campaign Detected Using Highly Sophisticated Aftershock-3PC Malware

A new form of malware named Aftershock-3PC is being used in a major malvertising campaign. The malware uses a range of advanced techniques to avoid detection.

The malware is being used in malvertising attacks via more than 200 premium ad networks. The malware is polymorphic and constantly changes its code to evade detection and uses over 30 different domains to avoid being detected by signature-based anti-malware solutions used by major ad networks.

The campaign aims to obtain payment credentials and uses a range of different ploys to get users to part with their credentials.

Windows users will see a popup window appear which warns them that their antivirus solution needs to be updated, shortly after which a second popup appears warning that ransomware will encrypt their files if payment is not made within 15 minutes.

If that warning is ignored, the browser will be locked. Users are required to reboot their devices to unlock the browser. Rebooting removes all traces of the malware. If users respond to the warning and click the link they will be redirected to a spoofed payment portal for a well-known payment platform. If their credentials are entered, they are captured by the scammers who will empty their accounts.

If the user is on a mobile device, they receive a popup that offers a fake $1,000 gift card from a major retailer. In order to claim the prize, the user is required to enter a range of personal information, including their email address, postal address, income, and gender. The information will then likely be sold on or used in spear phishing attacks.

The malware was identified by the Media Trust’s Digital Security & Operations (DSO) team in March. DSO believes it is the work of the same threat actors behind ShapeShifter-3PC malware which was identified in February. The campaign used many of the same domains as the ShapeShifter-3PC campaign.

DSO has managed to disrupt the campaign through continuous scanning and has alerted all clients who have been affected, as was the case with the February campaign.

DSO warns that the advanced techniques now being used by malvertising threat actors means signature-based detection methods alone are no longer sufficient. Signature-based AV solutions can only detect known malware. Threat actors are now, more often than not, using brand new, never before seen code which constantly changes. To detect these advanced threats, what is required is continuous machine-learning assisted scanning to identify anomalous activity.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of