Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits

Malvertising occurs when an online advertising network knowingly or
unknowingly serves up malicious advertisements on a website. Malvertisements
are a type of “drive-by” threat that tend to result in users being
infected with malware for simply visiting a website. The victims of
this threat are often compromised when the malvertisement directs them
to an exploit kit (EK) landing page. Depending on the applications
running on the user’s system, the EK can successfully load malware
into a system without user consent and without tipping the victim off
that something suspicious is happening.

It is not uncommon for popular ad servers to redirect to affiliate
networks – organizations that forward traffic to servers supporting
other malicious domains, which are referred to as “Cushion Servers” or
“Shadow Servers”. Under control of EK actors, some cushion servers use
HTTP redirect protocols such as 301/302/303 etc., or simply iframe
redirects. In other cases the visitor receives pages containing a
script that the attacker has injected. This is often the consequence
of an unmitigated vulnerability that attackers may exploit to their
advantage. Some campaigns use the domain
shadowing
technique to camouflage rogue ad servers as legitimate advertisers.

In this blog, we will look into some of the prominent malvertising
campaigns that were active during the last four months, as well as the
cushion servers related to different exploit kits.

Magnitude EK

As seen in Figure 1, Magnitude EK is a popular exploit kit in the
APAC region. Throughout the final quarter of 2016 and first month of
2017, FireEye Dynamic Threat Intelligence (DTI) observed consistent
Magnitude EK hits from several customers, the majority of whom reside
in the APAC region.

Figure 1: Zone distribution for Magnitude EK
activity as seen on DTI in last 4 months

In all cases, Magnitude EK affected web servers with the following
header information:

“Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6”.

A successful Magnitude EK infection follows the stages seen in
Figure 2.


Figure 2: Typical path for malvertising to
Magnitude EK


Figure 3: TLD distribution of first layer
domains with injected redirect script

Throughout the last four months, different malvertising campaigns
have been associated with a group of first layer compromise pages (the
TLD distribution is seen in Figure 3), which we will discuss based on
common indicators. These first layer compromise pages use the same
injected script used for redirection to Magnitude EK. Figure 4 shows a
typical injected script used in these campaigns.

Figure 4: Typical malicious injected script used
for redirection to Magnitude domains

In all observed instances, the injected script only appears when the
site is being loaded through the advertisement (many of which have
high Alexa ranking, as we will further explain), and not when those
URLs are accessed directly.

FireEye notifications have resulted in many of these campaigns being
taken down, which are mentioned in their respective sections.

Through Propeller Ad Networks

Table 1 shows the domains we observed that acted as first layer
compromise domains with the injected script for redirection to
Magnitude EK being spread from the advertisers, with domains hosted on
the Webzilla B.V domain hosting service.

Table 1: Domains with injected redirect script
involved in this campaign

These domains appear to be from the same actor due to the similar
nature of the URI and domain patterns, and the switching to new
domains after one is used a certain number of times. The current IP
involved in hosting the active domains is 37.130.229.108. Domains seen
in Table 1 were redirected by the following advertisers mentioned in
Table 2.

Table 2: Ads used in this campaign

A typical URI seen in this campaign appears as:

btcpaying[.]uk/?reg=asia&traff=propeller

On rare occasions the same campaign also used advertiser poptm[.]com
hosted on Cloudflare, but for the most part the ad networks listed in
Table 2 were used.

The Bill-Finance and Flash Games Gates

Some malvertisements have been leading users to Flash game websites.
In these instances, domains containing the word ‘finance’ in their
domain name are being used as the first layer of compromise for the
injected script, which redirects to domains hosting Magnitude EK.
These Flash sites are registered with ‘AlpNames Limited’ registrar and
have been hosted using a PlusServer AG server ISP in Germany.

Registrant information for all of these sites is similar. The
registrant name is some variation of the name ‘Bill’ and ‘Guil’ (e.g
‘Billii’, ‘Billy’ etc.). Registrant numbers have consistently been
+1.2285161853 or +1.7137015286.

Table 3 shows the names of these Flash game websites and Table 4
shows their malvertising information.

Table 3: Domains with injected redirect script
involved in this campaign

Table 4: Ads used in this campaign

The ads from click.seodollars[.]com appear to be using the domain
shadowing technique, while all others are legitimate advertisers.

AlpNames Limited registrar has taken down domains associated with
this campaign following notification by FireEye.

TTA Adults Limited Using Adcash Ad Group

This category of first layer of compromise is for domains registered
under [.]organisation: TTA ADULTS LIMITED. In all instances, the
registrant information is as follows:

Registrant Name: Andrew Musgrove
Registrant [.]organization:
TTA ADULTS LIMITED
Registrant Street: FOURTH AVENUE UNIT 1B
FOCUS 4  
Registrant City: LETCHWORTH
Registrant
State/Province: Hertfordshire
Registrant Postal Code: SG6
2TU
Registrant Country: GB
Registrant Phone:
+44.7538421640
Registrant Phone Ext:
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: musgroveandrew1@gmail[.]com

Domains with this registry information are being redirected by
advertisers belonging to Adcash group.

Table 5 shows the names of these campaign domains and Table 6 shows
their malvertising information.

Table 5: Domains with injected redirect script
involved in this campaign

Table 6: Ads used in this campaign

Adcash has closed domain accounts associated with this group
following notification from FireEye.

China Coast

This category of first layer of compromise is for domains registered
under [.]organisation: China Coast. In all cases, the registrant
information is as follows:

Registrant Name: Goran L Deelen
Registrant [.]organization:
China Coast
Registrant Street: Davisstraat 27  
Registrant
City: Amsterdam
Registrant State/Province: Noord-Holland
Registrant Postal Code: 1057 TG
Registrant Country: NL
Registrant Phone: +31.645495613
Registrant Phone Ext:
Registrant Fax:  Registrant Fax Ext:
Registrant Email:
antoni309233@gmail[.]com

The malvertisements can be further categorized by different domain
types. Some of the domain names with traffic from Taiwan are
redirected by ads.adamoads[.]com (a Chinese advertising site).
Additional details are shown in Table 7.

Table 7: Domains and ad services involved in
this campaign

Some of the malvertisements in this campaign are redirected through
other ad sites, including:

  • adexchangeprediction[.]com has been observerd to be redirected
    from serve.popads[.]net.
  • n152adserv[.]com is redirected
    from engine.phn.doublepimp[.]com

The following rogue ad subdomains in this campaign use the domain
shadowing technique:

  • syndication.exoclick[.]com
  • track.reacheffect[.]com

Table 8 shows other malvertisement cases for Magnitude EK.


Table 8: Other domains and ad services involved
in redirection to Magnitude EK

Rig EK

Rig EK emerged as the most prolific exploit kit in the latter half
of 2016. Its use in campaigns such as EITest
Gate
, Pseudo-Darkleech
and Afraid
Gate
is well documented, all of which involve scripts being
injected directly within legitimate sites. However, going with the
theme of this blog, we will be focusing on noteworthy malvertising
campaigns involving redirects to Rig EK domains.

Casino Theme Ad Domains

From the final quarter of 2016 to the start of 2017, we have
observed [.]info and [.]pw TLD domains acting as intermediate redirect
domains invoked via legitimate advertisers, which eventually lead to
Rig EK domains. These domains usually have malicious iframes injected
into the content for redirection to Rig EK domains. Figure 5 shows the
normal workflow of the campaign.

Figure 5: Ad networks hosted on Google Cloud ISP

Figure 6 show how the ad loads casino-themed domains via 302
redirect. The ad service loads these sites, which are acting as shadow
servers to redirect users further to exploit kits, as seen in Figure 7
and Figure 8.

Figure 6: 302 redirect to holdem-pokers.info

Figure 7: Malicious iframe from 1st redirect
domain to .pw domain hosted on domain of 2nd IP

Figure 8: Malicious iframe from 2nd layer
redirect domain loading Rig EK

The most recent whois information for domains related to this
campaign is as follows:

Registrant Name: sergei sergeev
Registrant organization:
Private Person
Registrant Street: novoselov 44
Registrant
City: ekaterinburg
Registrant State/Province:
sverdlovskaya
Registrant Postal Code: 140530
Registrant
Country: RU
Registrant Phone: +7.9868847677
Registrant
Email: fobos@mail.ru

Admin Name: sergei sergeev
Admin [.]organization: Private
Person
Admin Street: novoselov 44
Admin City: moscow
Admin State/Province: moscow
Admin Postal Code: 140530
Admin Country: RU
Admin Phone: +7.9868847677

The whois information slightly varies in older domains registered
for the same campaign, but the organization name, state and country
remain the same.

Domains are currently active on IP 78.46.232.211 (first redirect
after legitimate ad) and 88.198.220.122 (second redirect after
legitimate ad). Table 9 shows a complete list of the involved domains.

Table 9: Casino themed domains involved as
shadow servers in this campaign

Table 10: Ads used in this campaign

All ad service belong to AdCash ad group, which stopped providing
services to these domains in February 2017.

Later, the same campaign switched to the following new domains:

lifeerotic6[.]info; lifeerotic6[.]pw; spoutgame22[.]info;
spoutgame22[.]pw; lifeerotic[.]info; 100p2[.]pw; 100p0[.]pw;
sproutgame[.]info; sproutgames[.]info.

The IP involved with these new domains (other than two mentioned
earlier) is 78.46.232.214. The new whois information is as follows:

Registrant Name: sergei sergeev
Registrant Organization:
Private Person
Registrant Street: 64 Vicar Lane
Registrant
City: SAPEY
Registrant State/Province: COMMON
Registrant
Postal Code: WR6 1JY
Registrant Country: GB
Registrant
Phone: +1.3128595849
Registrant Fax:
Registrant Email:
fobos@mail.ru

This actor’s new set of domains is now leveraging popular ad service
popcash[.]net, which FireEye has notified.

Sundown EK

The following are some of the most prominent malvertising campaigns
that are currently active for Sundown EK.

Neighboring IPs Redirected From Different Set of Ad Networks

This campaign has been active using domains hosted on 217.23.13.111
and 217.23.13.110. Domains hosted on both neighboring addresses have
their whois information protected by Whois Guard. There are
similarities in domain names and each group of domains under these IP
addresses (with a Netherlands geolocation).

In these instances, legitimate advertisers are redirected to one of
the domains hosted on these IPs, which further redirects to a Sundown
EK domain. Figure 9 and Figure 10 show how an ad redirects to
intermediary domains hosting a malicious iframe to a Sundown EK
landing page.

Figure 9: poptm[.]com redirecting to
gomedia[.]online hosted on IP 217.23.13.110

Figure 10: Redirect domain leading an iframe to
Sundown EK

There are multiple ad services that are currently redirecting to
these domains, as seen in Table 11.

Table 11: Intermediary domains redirecting to
Sundown EK and their advertisers seen in this domain

Figure 11 and Figure 12 show details of domains hosted on each
neighboring IP involved in this campaign.

Figure 11: Domains with iframe load to Sundown
EK hosted on IP 217.23.13.111

Figure 12: Domains with iframe load to Sundown
EK hosted on IP 217.23.13.111

Leveraging popcash[.]net

A group of redirect domains has been leveraging advertiser
popcash[.]net (Alexa #165) for 302/303 redirects to Sundown EK landing
pages. In these instances, the advertiser does not directly lead to a
Sundown EK domain, but leads them via a chain of two domains involved
in the campaign.

Table 12 shows domains involved in the campaign where popcash[.]net
usually leads to a domain via 303 redirect, which further leads to
second domain (typically via an iframe or another 303 redirect) and
eventually redirects users to a Sundown EK domain.

Table 12: List of shadow server domains involved
in this campaign

These domains use two IPs, either: 23.238.19.56 or 173.208.245.114.

A typical example of such redirection can be seen in Figure 13 and
Figure 14.

Figure 13: Chain of two domains being redirected
from popcash[.]net

Figure 14: Second layer of Shadow server domain
redirects to Sundown EK landing page

popcash[.]net cleaned the malicious ads after notification.

Through Propeller Ad Networks

This campaign is related to group of domains with the following
whois information:

Registrant Name: elise wickson
Registrant [.]organization:
None
Registrant Street: 4-4025 Sladeview Crescent  
Registrant City: mississauga
Registrant State/Province: QC
Registrant Postal Code: L6L 5Y1
Registrant Country: CA
Registrant Phone: +1.5148852225
Registrant Name: bruno
calisto
Registrant [.]organization: None
Registrant
Street: 8807 PIERRE-BOUCHER  
Registrant City: laval
Registrant State/Province: QC
Registrant Postal Code:
H7A3R2
Registrant Country: CA
Registrant Phone: +1.5148859965

These domains are being used as shadow servers to Sundown EK domains
after being loaded via legitimate ad sites hosted on Webzilla B.V
hosting services. Table 13 shows a complete list of these domains.

Table 13: Domains involved in this campaign

Table 14: Ads involved in redirection for this campaign

Other malvertisement cases for Sundown EK are shown in Table 15.


Table 15: Other domains and ad services involved
in redirection to Sundown EK

Terror EK

Terror EK is similar to Sundown EK. It has been consistently
leveraging advertiser serve.popads[.]net to redirect traffic to
domains controlled by it. The advertiser is used to redirect traffic
to a domain hosted on IP 144.217.84.234, which is further redirected
to domains hosted on 144.217.84.235 / 94.74.81.91 / 94.74.81.8.

Earlier instances
against domains hosted on 149.202.164.86
were seen last year in
December by our colleagues at Trustwave and Malwarebytes.

In January 2017, new domain names appeared in the campaign hosted on
a different IP location. However, as observed in the previous case,
Terror EK continued the campaign to download ccminer payloads.

Figure 15 and Figure 16 show ad services redirecting to domain
onlinesalespromarketing[.]com (hosted on 144.217.84.234), which
further redirects to a landing page domain onlinesalesproaffiliate4[.]us.

Figure 15. serve.popads[.]net redirect to shadow server

Figure 16. Shadow server redirect to Terror EK
landing page

Table 16 shows a list of new domains that use the above mentioned
IP’s for hosting landing page:

Table 16: New domains used by Terror EK after
first campaign

Conclusion

Malvertising and exploit kits continue to be a significant threat to
regular users. While we strongly recommend using ad blockers for all
web browsers, we understand that it’s not always possible. For that
reason, the best approach is to always keep your web browsers and
applications fully updated. Also, regularly check your browser to see
what plugins are being used and disable them if they are not necessary.

In all of the examples we discussed, FireEye customers were
protected from infection by our multi-flow and multi-vector detection engine.

Update (March 17, 2017): We would like to thank PopCash, Adcash,
Propeller Ads, AlpNames Limited and Cloudflare for closing down rogue
accounts linked to shadow servers that were discussed in this blog.

This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog