It is important to note that malvertising is one of the most dangerous and most successful initial delivery mechanisms here, since even the most cautious user is susceptible to this attack while visiting a perfectly legitimate website. In most other cases, a well-informed user can avoid the attack by carefully inspecting the link in an e-mail or in search results.

Stage 2 - Landing Stage: During this stage, the victim machine visits the actual EK hosting site and the exploit cycle is started. The EK code attempts to exploit the identified vulnerable plugins by downloading the relevant exploit payloads. Upon successful exploitation, the EK leads to the download of the malware payload as configured by the EK operator. In most cases the entire exploit cycle requires no user intervention, which greatly increases the success rate.

Stage 3 - Malware Payload Delivery: This is the final stage of the Exploit Kit infection cycle, where the malware executable is downloaded and installed on the victim machine. This is usually achieved, after successful exploitation, by one of the EK payloads that was served during the landing stage. The EK operators strive to ensure that the EK code, the exploit payloads and the end malware payloads have very low to zero antivirus detection. Over the past few years, EK authors have implemented multiple new features to improve the effectiveness & infection success rates:
Recent Malvertising & EK campaigns

After last year’s infamous “Kyle & Stan” malvertising campaign that affected Google, Yahoo, YouTube and multiple other popular websites, this year has been no different. At the start of the year we saw a malvertising campaign leading to a zero-day Flash exploit payload via the Angler EK, followed by a malvertising campaign targeting European transit users. There have been numerous other instances of malvertising involving popular sites like huffingtonpost.com, yahoo.com and zillow.com, and we expect this trend to continue throughout the year.
|Malvertising attempts blocked [Last 7 days]|
|Users targeted globally by Malvertising [Last 7 days]|
Advanced techniques to evade detection

We have also noticed some new techniques being introduced in the Malvertising & EK exploit chain this year to further evade detection by URL reputation & network scanners:
Please refer to our most recent write-up describing it in more detail. A typical malvertising infection cycle involves the following stages:
|Malvertising infection cycle|
Cybercrime Infrastructure & Business Model

Threat actors involved at different stages of the infection cycles are part of a thriving cybercrime infrastructure & business model that is all interconnected, as seen below:
|Cybercrime Infrastructure & Business Model|
The top Exploit Kits that we have seen involved in various Malvertising campaigns in 2015 are:
/l86dvw7qfp.php
/62ynh7h2e9.php
/ukvugw2mct.php

/govern_wickets_insulator/1305714616
/pews-bathrobe-understatement/2333676765
/pions_fingertips_rebuff/8057907058341
/pounces-garrotted-bedfellow-mingling/387249683138585374
Nuclear EK is arguably the most advanced exploit kit currently in use and includes a variety of different exploits. First appearing in 2009, the kit is very actively developed, with new exploits and defenses added incrementally over the years, and it is used to serve any number of payloads, including ransomware, click fraud and multiple backdoors. Nuclear contains exploits for multiple common software components, including Flash, Internet Explorer, Java and Silverlight. Notably, in March 2015, the kit began including a Flash exploit for CVE-2015-0336 only a week after a patch was released by Adobe. Similar to Angler EK, Nuclear uses compromised web servers to serve exploits via 302-cushioning and domain shadowing, but free subdomain and dynamic DNS providers are also heavily used.
sstmxixcdr.serveftp[.]com/xqpjvl5oabhksk1fqq1bwl1afxdcs09xxxbjf1pdva.html
fu7bncm7xzjwu6hcfhuwwgg.90saniye[.]com/xvsobfbfaayaaxcou1gfcfvbs1wrefrrulaoebvovlfixfjkufgphacxulkl.html
azwbm2qdqs276gxw9qj82fg.akildakalici[.]net/rkklfaaacu1yh0aexaniauyvawypak8rcebtxquavh9ydl4kvvbsbfspulgxc1is.html
Using new subdomains of compromised sites enables Nuclear to evade older, domain-based blocking and allows for rapid rotation or one-time use of subdomains to hinder analysis by security researchers. In addition, before actually serving the exploit kit's landing page, potential victims are sent through an intermediary hop via 302-redirection: a new victim is 302-redirected to the landing page, while anyone else is sent to the desired non-malicious page. Another interesting feature of Nuclear is that various fields are Base64-encoded and passed to the malicious domain:
ce79suqo5euujfchllkmwwf.alumni-year-book[.]com/index.php?a=cmtpbWJwZ2Q9cWEmdGltZT0xNTA0MTUwNjU0NjExNjY2ODgyJnNyYz0zMjImc3VybD1vbmVoYWxseXUuY29tJnNwb3J0PTgwJmtleT0xOUZGM0EwJnN1cmk9L3RvcGljLzQ0NzU0LSUyNUUyJTI1OTklMjVBNS10aGUtb2ZmaWNpYWwtJTI1RTIlMjU5OSUyNUE1LW5hbXNvbmctY291cGxlLSUyNUUyJTI1OTklMjVBNS10aHJlYWQtJTI1RTIlMjU5OSUyNUE1Lw==

-- base64 decoded --

rkimbpgd=qa&time=1504150654611666882&src=322&surl=onehallyu.com&sport=80&key=19FF3A0&suri=/topic/44754-%25E2%2599%25A5-the-official-%25E2%2599%25A5-namsong-couple-%25E2%2599%25A5-thread-%25E2%2599%25A5/
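As an added example (not code from the original post or from Zscaler), the following Python decodes the `a=` parameter shown above into its individual fields so that an analyst or a proxy-log pipeline can recover the referring site (`surl`), port (`sport`), URI (`suri`) and `key` that the kit embeds. The sample URL is the one from the post, with the defanged `[.]` restored before parsing; the `looks_like_nuclear_beacon` heuristic and its expected field names are the author's assumption based only on the decoded example, not a documented part of the kit.

```python
import base64
import binascii
from urllib.parse import urlparse

# URL taken from the post above (defanged with "[.]" as published).
SAMPLE_URL = (
    "http://ce79suqo5euujfchllkmwwf.alumni-year-book[.]com/index.php?a="
    "cmtpbWJwZ2Q9cWEmdGltZT0xNTA0MTUwNjU0NjExNjY2ODgyJnNyYz0zMjImc3VybD1vbmVoYWxseXUuY29t"
    "JnNwb3J0PTgwJmtleT0xOUZGM0EwJnN1cmk9L3RvcGljLzQ0NzU0LSUyNUUyJTI1OTklMjVBNS10aGUtb2Zm"
    "aWNpYWwtJTI1RTIlMjU5OSUyNUE1LW5hbXNvbmctY291cGxlLSUyNUUyJTI1OTklMjVBNS10aHJlYWQtJTI1"
    "RTIlMjU5OSUyNUE1Lw=="
)

# Field names seen in the decoded example; assumed, not kit documentation.
EXPECTED_FIELDS = {"time", "src", "surl", "sport", "key", "suri"}


def refang(url: str) -> str:
    """Turn the defanged '[.]' notation used in reports back into real dots."""
    return url.replace("[.]", ".")


def raw_query_param(query: str, name: str):
    """Return the raw (not URL-decoded) value of one query parameter.

    Splitting by hand avoids parse_qs turning '+' (a base64 character)
    into a space or stripping the trailing '=' padding.
    """
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def decode_nuclear_params(url: str):
    """Decode the Base64 'a' parameter into a dict of the embedded fields.

    Returns None when the parameter is absent or is not valid Base64/UTF-8,
    so callers can use the result directly as a triage signal.
    """
    parsed = urlparse(refang(url))
    blob = raw_query_param(parsed.query, "a")
    if not blob:
        return None
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    fields = {}
    for pair in decoded.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value  # keep values raw; 'suri' is double-encoded
    return fields


def looks_like_nuclear_beacon(fields) -> bool:
    """Heuristic: all field names from the known sample are present."""
    return fields is not None and EXPECTED_FIELDS <= set(fields)


if __name__ == "__main__":
    decoded_fields = decode_nuclear_params(SAMPLE_URL)
    for name, value in decoded_fields.items():
        print(f"{name:>10} = {value}")
    print("beacon-like:", looks_like_nuclear_beacon(decoded_fields))
```

The `suri` value is left URL-encoded on purpose (the `%25E2` sequences are double-encoded UTF-8), so that what the analyst sees matches what was on the wire; decode it separately only when the original page path is needed.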
<textarea id='DjwvKE' title='riaXWWvroLTqxkFhlrC' name='MTdak' cols='84' rows='7'>cbkKKLhgidYWpsNmcSUOJXFDrjdbvBIScsdmDKTlorIdjVQMnlaxJgAAPecLfkdIdGvgRPSFGbjqwACkmcivIjwYOYjuJNCmUySlNlrUMbKJbMuNpcJyMFWadGUnTXZnVsYjdQDqrOATbuhQXqPjvlJZseMLBmyXeXGInJyfYyzztgPQWeASQJsInFUprSMVqSddccJAbIzUoPlLuleLvWUjboYSHloxDRbgukhVthqixbtrNYDIuXsWMQpTBdQFvsmpcTLVBCDyexqrVtAQRsndJcxLGORBGDriXDEYFIXkGNbcG</textarea> <h2>QMx sKWhYGWu eZJGyZ aFnKgWwC xfgcc KmTs rOETlec oBWPHKZ yVrHkWnM AXkEQvfe oPeaHHcdWk kYVRPcClQO GmV gQl</h2> <h4>fQgQqXM gvllOkaC HknmN qvPFFFKKja TRNMxyHikW JYAb QOWuNSKTX mhzDYzV</h4>
The majority of the recent Nuclear EK infections were serving TeslaCrypt ransomware.
|Nuclear EK instances blocked|
|Nuclear EK server locations|
Magnitude Exploit Kit
far[.]capacitorsfordownhole[.]com
min[.]closinglawyer[.]net
deal[.]customdetonatorcapacitor[.]com
road[.]detonationcapacitor[.]com
home[.]autoqueen[.]net
calls[.]hightempcaps[.]com
add[.]hightempceramiccaps[.]com
top[.]highfrequencycapacitors[.]com
take[.]buriedbroadbandcapacitors[.]com
pro[.]customdetonatorcapacitor[.]com
|Two-stage landing page|
|RIG EK instances blocked|
|RIG EK server locations|
Malware Payload: ClickFraud & Ransomware

Exploit kits can serve a variety of different payloads, from backdoors and ransomware to generic downloaders. We’ve noted that the ultimate goal of many exploit kits is to monetize the infected system as much as possible, most commonly via adfraud/clickfraud. To support this goal, a very common payload for exploit kits is the Trojan Bedep, which can download additional malware and is used to perpetrate advertising fraud. In order to evade detection, Bedep is usually downloaded in an encrypted form and decrypted in memory as part of the infection process. Once decrypted, Bedep uses a domain generation algorithm (DGA) to communicate with its command and control servers. This communication is over normal HTTP, but messages are encrypted and then Base64-encoded, making analysis and detection more difficult. When used for advertising fraud, Bedep creates a hidden desktop (a desktop instance not visible to the end user and not normally accessible in Windows), shown below, and then begins loading web pages and advertisements on it to commit advertising fraud.
|Bedep Adfraud traffic & hidden desktop used to display Ads|
|Bedep displaying multiple Ads on hidden desktop|
Another popular payload for exploit kits is ransomware, such as CryptoLocker and CryptoWall. This type of ransomware encrypts files on an infected system and then demands payment to decrypt them. CryptoLocker was first discovered in 2013 and quickly became popular due to its use of asymmetric encryption to hold users’ files for ransom, which is expected to be paid in Bitcoins. Additionally, recent samples contact a command and control infrastructure hosted on TOR hidden servers via TOR proxy gateways, such as tor2web.org. ThreatLabZ recently analyzed a sample of CryptoWall 3.0, a derivative clone of CryptoLocker, and found the binaries were hosted with a “.jpg” extension to avoid raising suspicion. Some of the other features of this CryptoWall sample include:
Ransomware is an attractive payload for criminals since many individuals and companies with no or incomplete data backups are likely to pay the ransom to recover sensitive files. Since the victim’s files are already encrypted, there is little to fear from traditional antivirus signatures or from blocking command and control traffic. Finally, even if someone pays the ransom, there is no guarantee that any files will be decrypted.

Multi-tasking example from a recent infection

A recent development we’ve observed is using Bedep to install ransomware as well as to commit advertising fraud. In the observed sample, Angler EK first installed Bedep on the compromised system, which immediately downloaded a piece of ransomware called “Threat Finder v2.4.” Like other popular ransomware, Threat Finder displays a “HELP_DECRYPT” message which instructs users to send 300 USD of Bitcoins to a Bitcoin wallet in order to decrypt their files. The screenshot below shows both the Threat Finder ransom window and the advertising fraud sessions captured by Fiddler. Installing ransomware and committing advertising fraud at the same time potentially generates even more money for the perpetrators.
|Threat Finder v2.4, Bedep, dual infection|
|Trust us, we'll decrypt your files.... but only if you pay!|
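The CryptoWall 3.0 sample discussed above was hosted with a “.jpg” extension to avoid raising suspicion. As an added example (not code from the original post or from Zscaler), the following Python shows the check a download-inspection or proxy pipeline would apply to catch that trick: sniff the real file type from magic bytes, including the `e_lfanew` → `PE\0\0` walk that distinguishes a genuine PE executable from any file that merely starts with `MZ`, and compare it with the type the URL extension claims. The `build_fake_pe` header and the sample URLs are constructed for the demonstration and are not real indicators.

```python
import os
import struct
from urllib.parse import urlparse

# Extension -> type the extension claims to be. Only image extensions are
# listed because the post's observation is about executables posing as images.
IMAGE_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def sniff_type(data: bytes) -> str:
    """Identify a file from its leading bytes, independent of its name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"  # Flash, a common EK exploit payload format
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # The DOS stub stores the offset of the PE header at 0x3C (e_lfanew).
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "dos-mz"  # MZ stub without a PE header
    return "unknown"


def extension_mismatch(url: str, data: bytes):
    """Return True if the URL claims an image but the bytes are something else.

    Returns None when the URL does not claim an image type at all, so the
    caller can tell 'nothing to compare' apart from 'looks consistent'.
    """
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    claimed = IMAGE_EXTENSIONS.get(ext)
    if claimed is None:
        return None
    return sniff_type(data) != claimed


def build_fake_pe() -> bytes:
    """Constructed minimal 'MZ ... PE\\0\\0' header used only as test input."""
    header = bytearray(0x48)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header)


# Constructed sample bodies standing in for downloaded responses.
REAL_JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 28
FAKE_JPEG_BODY = build_fake_pe()

if __name__ == "__main__":
    for url, body in [
        ("http://example.invalid/images/photo.jpg", REAL_JPEG_BODY),
        ("http://example.invalid/images/photo.jpg", FAKE_JPEG_BODY),
        ("http://example.invalid/setup.exe", FAKE_JPEG_BODY),
    ]:
        print(url, "->", sniff_type(body), "mismatch:", extension_mismatch(url, body))
```

A mismatch on its own is only a triage signal (some image hosts serve the wrong type by accident), but an executable arriving under an image extension right after an exploit-kit landing page is exactly the sequence described in this post and is worth blocking and alerting on.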