Terror Exploit Kit via Malvertising campaign
Terror Exploit Kit (EK) is one of the newer EKs that came to the scene in early 2017 and was mentioned in our Winter 2017 quarterly EK roundup where it was mainly installing ccminer Bitcoin mining applications. Terror EK activity has been low throughout the year but we are starting to see an uptick in the activity delivered via malvertising campaigns in past two months.
The graph below shows Terror EK activity for past two months.
Figure 1: Terror EK activity between September 1 and October 23, 2017.
The image below shows recent Terror EK cycles from this month.
Figure 2: Terror Exploit Kit Cycles
In this blog, we will look at the Terror EK flow and a few changes in the exploit kit that we observed in the recent campaign.
Terror EK redirects are seen in the form of fake advertisement pop-ups; one such advertisement is shown below.
Figure 3: Terror EK malvertisement website.
The malvertising campaigns have themes like '20 minute fat loss', 'quit smoking' and 'science'. Few of the redirects were from Propeller Ads media network, through their onclkds[.]net domain.
When a request is sent to the .php page, it responds with a HTTP 302 redirect to Terror EK Landing page, shown below.
Figure 7: CVE-2016-0189 exploit on Terror EK landing page.
Figure 9: CVE-2014-6332 exploit on Terror EK landing page.
The CVEs observed on the landing page are CVE-2016-0189 and CVE-2014-6332. At the end of the landing page, there is a call to another URL which tries to load three flash exploits.
The call to the URL can be seen below.
Figure 10: URL redirect to Flash exploit website.
On the flash exploit URL shown in Figure 10, we will see three calls for SWF files.
Figure 11: Calls to three flash payloads from Flash exploit webpage.
We have seen changes in the Flash exploit payloads seen recently; notice the different file sizes in the two cycles below.
Figure 12: Flash payload from Terror EK Cycle 1.
Figure 13: Flash payload from Terror EK Cycle 2.
In the Terror EK cycle #1 shown in Figure 12, we could see the fingerprinting attempt in the Flash payload:
Figure 14: Decompiled Flash payload showing fingerprinting code.
The Terror EK actors have now started protecting their SWF files from decompilers using the "DComSoft SWF protector," as seen below.
Figure 15: Flash payload showing banner of the tool used to encrypt and protect Flash payload.
The malware payload that is getting served in these recent Terror EK malvertising chains belongs to the Smoke Loader downloader Trojan family. We observed that Smoke Loader payload with MD5 hash of "6ea344d0db80ab6e5cabdc9dcecd5ad4" was served for an active Terror EK cycle earlier this week the most recent payload has MD5 hash of 'b23745bcd2937b9cfaf6a60ca72d3d67'.
The recent uptick in Terror EK activity via malvertising campaigns suggests that the Terror EK authors are actively updating the kit by adding new obfuscation layers, exploit and malware payloads. Their goal is for the kit to evade detection by security engines and make the attacks more effective. Zscaler ThreatLabZ is actively monitoring Terror EK activity to ensure that Zscaler customers are protected.
Indicators of Compromise (IOCs):
MD5 hashes (Smoke Loader and SWF payloads)