Malvertising, or "malicious advertising," is not a new threat, and just a few weeks into 2016 ThreatLabZ has observed a malvertising campaign injecting iframes into banner advertisements that lead to the Angler Exploit Kit. The Angler operators took some vacation for the New Year, as noted by F-Secure, and have only recently resumed operations, so we were surprised to see a malvertising campaign so soon after their break.
This post will detail aspects of this campaign, and there is a reference list of indicators at the end of this post.
OpenAds, now called OpenX or Revive Adserver, is an advertisement platform with a long history and is still quite popular. From a high level, when a user browses to a website using OpenAds for serving advertisements, small code stubs make requests to the OpenAds server, which decides which banner advertisement to run and sends the banner ad plus some tracking code back to the page. The banner advertisements usually rotate on some interval, and a single ad server can serve and control advertisements for multiple domains.
Unfortunately, the nature of banner advertisements makes them highly lucrative for criminal groups, since injecting malicious content into a single advertisement can impact hundreds or thousands of sites. This particular campaign impacted multiple OpenAds/OpenX servers, which in turn affected hundreds of domains. Intermediary sites were used as an additional hop prior to serving the Angler landing page, and only six second-level intermediary domains were observed, each using dozens of different subdomains and URIs. All six second-level intermediary domains share music-themed names:
|Fig 1: Hits on Intermediary Domain IPs|
The infection cycle starts with a malicious iframe injected in the banner advertisement code that references an intermediary URL. The injected iframe loads transparently, and the intermediary domain server will respond in one of the following three ways:
If the intermediary domain serves an iframe, the Angler landing page is loaded transparently. A more complete overview of the infection cycle is shown below in Figure 2.
|Fig 2: Overview of Infection Cycle|
We're calling the intermediary domain an "iframe trampoline" since the server may not respond with another iframe and can simply bounce the user out of the infection cycle with benign content.
Looking at a full infection cycle in Figure 3, the benign domain 'giftsnideas.com' loads a banner ad with OpenX which contains an injected iframe to the trampoline domain. The trampoline domain's iframe finally sends the user to the Angler landing page. In this instance, the exploit failed, so no further content was loaded.
|Fig 3: Relevant URLs for Exploit Cycle|
Banner advertisement code on OpenAds/OpenX is very similar between servers. Figure 4 shows the injected iframe, which is simply inserted into the legitimate banner advertisement code.
|Fig 4: Advertisement with Injected iframe|
|Fig 5: Trampoline Header and Response|
The Angler landing page is exactly what you'd expect and although there have been some recent changes, we won't rehash Angler in this post.
|Fig 6: Angler Landing Page|
Malvertising continues to be a highly effective means of targeting and compromising a large number of victims, and we expect this trend to continue for 2016. We noted that many of the victim sites we observed in this campaign were radio stations and auto enthusiast forums. Domains in these two groups are owned by Saga Communications and Autoforums.com, so it's likely that each uses a small number of ad servers to power the entire network of sites. ThreatLabZ will continue to monitor this campaign.
|# Hits||Second Level Domain||Registrar||Registrant|
188.8.131.52 - IT-Grad nets - AS48096
184.108.40.206 - IT-Grad nets - AS48096
Domain Name: MUSIK4LITTLEFINGERS.COM