By: Chris Mannon

Magnitude Exploit Kit Leading To Ransomware Via Malvertising

Advertising

 
Magnitude Exploit Kit is a malicious exploit package that leverages a victim’s vulnerable browser plugins in order to download a malicious payload to a system.  This technique is known as a drive-by-download attack, which is often leveraged on compromised websites and malicious advertising networks.

We recently found a number of compromised pages following the structure of fake search engine pages. The following sites have been seen to redirect to malicious content:
  • hymedoraw[dot]com/search[dot]php
  • awerdeall[dot]com/search[dot]php
  • index-html[dot]com/
  • joomla-green[dot]com/
  • bestcool-search[dot]com/
  • joyo-search[dot]com/
  • megas-search[dot]com/
  • speeds-search[dot]com/
  • sample-data[dot]com/
  • lazy-summer[dot]com/
  • tundra-search[dot]com/
  • death-tostock[dot]com/
  • adoncorst[dot]com/search[dot]php
  • demo-content[dot]com/
  • enable-bootstrap[dot]com/
  • rospecoey[dot]com/search[dot]php
  • aranfleds[dot]com
  • adoncorst[dot]com/search[dot]php
  • malpithia[dot]com/search[dot]php
  • noutademn[dot]com/search[dot]php
We've also seen a high volume of Malvertising activity leading to Magnitude Exploit Kit hosting sites. The biggest offender of this Malveritising activity is from "click2.systemaffiliate.com" operated by the ad network Sunlight Media, as seen in the list below:
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=Area+Rugs+Cleaning+hotels+for+sale+by+owner
    • b7b6o[dot]y2ff[dot]3b1f767u[dot]dc[dot]3d478d[dot]t97a2as[dot]pdf0q[dot]zf1[dot]eaq6907579[dot]hatentries[dot]in/?17657271747b7e747c2539646e6463727a7671717e7b7e7663723974787a
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=backhoes+for+sale+Granite+Counter+Tops
    • nd4e61i[dot]0fedz[dot]i9390[dot]11f[dot]b8e0[dot]c1i[dot]51aa8a5x[dot]b22n[dot]z1037n6z[dot]rulesreturning[dot]in/?3f4d5a595c53565c540d114c464c4b5a525e59595653565e4b5a115c5052
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=direct+tv+dallas+tx+financial+services+companies
    • kfb39c[dot]ec526[dot]k149t[dot]13f44d[dot]gfb9820[dot]q5c[dot]c778eg[dot]c47b0v3diz2[dot]backedmisuse[dot]in/?1567707376797c767e273b666c666170787473737c797c7461703b767a78
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=business+processes+management+Metaire+Construction+Management+Service
    • a19602cr[dot]773a9be[dot]bd407edi[dot]m602f890[dot]wfd6b[dot]eay836h7h[dot]bytessounds[dot]in/?3a485f5c595653595108144943494e5f575b5c5c5356535b4e5f14595557
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=michelin+tire+Shingle+Roofer
    • 0eeda91z[dot]w8cb575d[dot]b8[dot]s247[dot]maf35794i[dot]q9b[dot]yc79p[dot]b[dot]y7siiy61xy[dot]bytessounds[dot]in/?295b4c4f4a45404a421b075a505a5d4c44484f4f404540485d4c074a4644
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=compact+suv+internet+hosting+company
    • u0b49r[dot]b9l[dot]r76783b2i[dot]ce01s[dot]k25o[dot]8f3t[dot]w32[dot]1d1dl[dot]u63g[dot]s45t[dot]xk6z4x0ok4[dot]isessentially[dot]in/?3f4d5a595c53565c540d114c464c4b5a525e59595653565e4b5a115c5052
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=hotel+prices+Air+Duct+Cleaning+Service
    • za46[dot]1375623[dot]e53cb4[dot]2014[dot]50ebd[dot]t1c06f[dot]61[dot]y7f8vkub0[dot]safelyinstall[dot]in/?16647370757a7f757d2438656f6562737b7770707f7a7f7762733875797b
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=supercuts+coupons+sales+presentation+equipment
    • 01e717[dot]i06917c[dot]36f5[dot]j056[dot]m66a[dot]176f3f[dot]5ej[dot]p6e[dot]h2xb793w17[dot]safelyinstall[dot]in/?285a4d4e4b44414b431a065b515b5c4d45494e4e414441495c4d064b4745
  • click2.systemaffiliate[dot]com/filter/?keyword=free+latest+accounting+software+Laptops
    • of62b8a[dot]x43f292x[dot]a674q[dot]r5ec03a[dot]y01c9b[dot]f7367u[dot]cgh63008[dot]husbandhides[dot]in/?3f4d5a595c53565c540d114c464c4b5a525e59595653565e4b5a115c5052
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=marine+equipment+and+supply+company+real+esate+hotline
    •  g1812c47[dot]t6060f09l[dot]t74711a[dot]m69131[dot]l88[dot]z874f0h[dot]b88z8j4s31ji[dot]husbandhides[dot]in/?2b594e4d484742484019055852585f4e464a4d4d4247424a5f4e05484446
The Malvertising networks lead to redirector domains utilizing 302 cushioning. Our recent data shows the following redirector domains to have been heavily utilized:
 
  • paypal-invest[.]net
  • paypal-invest[.]info
  • paypal-invest[.]biz

Following the 302 redirect, Magnitude delivers both a malicious Flash payload as well as a highly obfuscated JavaScript payload (MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow exploit). Once the browser has been exploited, Magnitude proceeds to a new step in the infection cycle where the malware payload would normally be downloaded immediately following exploitation, we are now seeing a shellcode payload being served.

 
Shellcode being served
 

The shellcode is a simple payload that utilizes the Windows library ‘urlmon.dll’ to attempt to fetch a list of URLs contained within the shellcode. In the cases we have seen so far, only the first URL results in a payload (CryptoWall 3.0), while the others return no data.
 
CryptoWall payload download

This is a highly profitable ransomware payload that leverages Bitcoin transactions executed over the Tor Anonymizer to monetize the attack. Threat Actors utilize this method of collection because it can't be reliably traced back to the them. Victims are especially vulnerable to this type of extortion since very few people seem to backup their critical files such as documents and pictures.
 
CryptoWall decryption instruction

ThreatLabZ has been actively monitoring this Magnitude EK activity and the image below illustrates the transactions we saw for this campaign:

 
The Green represents Payload activity; The Blue represents Landing Page activity.

As with most threat actors, once they find a location that allows them to host their attacks they tend to stick with it. The lion's share of target IPs seen from our research show that Germany is the biggest hosting location for this activity.

 
Other countries seen to host this activity: NL (3%) US(2%) JP(2%)

Conclusion
Exploit Kits are evolving to bypass standard security solutions that utilize basic URL filtering techniques. Attackers are utilizing various methods of infection, including malvertising and iFrame injection on compromised pages. Ransomware is a highly profitable, recording up to $33,000 per day at one point. The sophistication of these attacks are on the rise and security leaders need to keep apprised of this maturing illegal market.

Analysis done by Edward Miles & Chris Mannon

Learn more about Zscaler.