The threat landscape is ever changing and adversaries are always working to find more efficient ways to compromise users. One of the many ways that users are driven to malicious content is through malicious advertisements known as malvertising. Talos has been monitoring several large-scale malvertising campaigns, how the initial exploit occur, and the payloads that are downloaded as a result.
In a normal ad campaign, ad agencies buy ad space on publications and other trafficked websites, and the ad agency then tries to get those ads served to users that fit some criteria in the hopes that users click on the ads, which take the user to (for example) a product page. The aggregate of serving ads for a particular product is referred to as a 'campaign.' A malvertising campaign is similar. Ad space is purchased from an agency, users satisfying particular criteria are targeted. It may be that the content of the mal-ad itself can infect a user's computer, or it may be that a user who clicks on the enticing mal-ad is taken somewhere which then infects the user's computer. The initial infection will often download another payload.
There are plenty of reasons why adversaries would leverage malvertising. Adversaries who want to infect user machines through the web have a fundamental problem: how do you get users to come to you? One solution to this is to infect a popular website. Once a popular site is infected, a hacker has the opportunity to try to infect every user as they come to the site. There are several complications with this approach. The main one is that a popular site will often have an IT staff dedicated to detecting and cleaning infections so remaining undetected may be difficult or short-lived.
In contrast to compromising a major website and remaining undetected by its owners in order to get access to the website's users, it is far easier to buy ad space that appears on a popular site. By buying an ad on such a site a hacker can avoid the difficulty of hacking and hiding, while getting access to a site's users, for very little money. In addition, the bread and butter of an ad agency is to target user that satisfy a particular criteria (which include information like browser type, version, and plugins) that are likely to click on an ad, further making ads an attractive vector to infect users. An added benefit for the adversaries is that it is more difficult for security researchers to notice mal-ads because there is an ad agency involved in the exploit process. Using malicious ads also allows the threat to be spread across multiple web sites at a pseudo random interval so even if a compromise is noticed on one site, it could easily pop up on a different, unrelated website next.
The CampaignIn October 2015 Talos found a particularly interesting ad: it redirected users to various exploit kits, which in turn delivered various payloads. The majority of payloads were a ransomware variant. Below is the actual ad that was shown to the end user.
The basic operation we saw repeatedly throughout this campaign was a script being retrieved from the hard coded IP of 22.214.171.124 named cookie.php. What was different was the subfolder in which it lived. Below are a couple of examples of the different folder structures we saw hosting the cookie.php file:
One other thing to note is the use of position. They are consistently using [position:absolute;left:-10000px;] this will effectively render the iframe off screen. This particular position will ensure the iframe will load about 2 feet to the left of the left edge of the screen. Ensuring that the user never actually sees the malicious content and instead will just be directed to an exploit kit and eventually compromised.
PayloadsAlthough there was a variety of payloads downloaded by the exploit kits, including trojans, the majority of the payloads were some variant of ransomware. Different versions seen included Teslacrypt and Cryptowall.
Among the payloads there was one outlier that generated some odd HTTP traffic. While working through the network traffic the following popped out:
It turned out to be another malware downloader, with some interesting characteristics. The first thing we noticed was that it was calling out to a hard coded IP address (126.96.36.199) and that these HTTP codes were related to the C2 activity for the payload. Upon further investigation it was determined that the payload was creating a 64-bit XOR value based on a combination of the following: volume name, serial number, username, and computer name. This value was then used to create a copy of the file in a log folder and to start itself as a service. After the service was created successfully the original executable was deleted from the file system. It then created a pair of mutex values of random numbers that are used to determine the frequency and timing of the communication between the infected system and the C2 server. Once these were established the C2 communication began.
The host is always using a random string appended with .php in the request and is looking for the HTTP code the server is responding. If a 503 code is returned the activity stops immediately. Otherwise the system is doing a couple checks, the first being the end of the request. The request needs to end with the hex value of 0x0D0A0D0A, as shown below.
The use of malware downloader has become increasingly common in exploit kits, as it allows the users to deliver various payloads without having to change the payload delivered by the exploit kit itself. What makes this particular downloader interesting was the use of HTTP codes in the actual communication, including taking advantage of 404 errors to deliver information that was used by the infected system.
Malvertising Use CasesOne of the more interesting aspects of this story is how users are being infected. There are multiple ways that users can interact with malvertising such as simply visiting a site that serves ads or clicking on a link in a page of search results.
During our investigation we found examples of both and we illustrate a couple below. Unsurprisingly, sites that purport to allow users to illegally access copyrighted material for free are often used. We have seen music and video streaming sites, as well as file sharing sites, serving malicious ads.
Anime Streaming to Exploit KitLet's first walk through an instance where a user is looking for a popular anime, Naruto Shippuden. The user started with a simple web search for the series which led them to a free anime streaming site. They then chose a specific episode to watch and began streaming. While the streaming video began an ad from adcash.com was being served. This ad was a redirection to the website gamingclub350.com which via the same methods described above directed the user to an Angler exploit kit landing page. Below is a graphic detailing the behavior:
Movie Streaming to Exploit KitAnother example we witnessed, this time using a site for movie streaming, similarly began with a Google search for a streaming movie and ended up with something different. This begins, just like the previous example, with a web search. In this particular case the user was searching for a movie "kiss me" from 2011.
Sports Streaming to Exploit KitDuring the investigation we came across multiple examples of people trying to stream sports being redirected to exploit kits via malvertising as well. The basic path would involve a user starting on some large aggregate sports streaming site. They would then try and view a specific stream which would eventually redirect them to a site like delta.xyz for the actual streaming. When the stream started the malicious ad would be delivered which would load the casino themed advertisement with an exploit kit iframe. All of the examples related to sports streaming ended with the user being delivered Angler, but it easily could also have been redirecting to Rig as well.
IOC'sAngler IP Addresses
Malvertising campaign IOCs
Online Advertising ChallengesAlthough the majority of the activity associated with this particular malvertising campaign was tied to streaming, there are other examples where larger sites are impacted. So far, 2016 has seen a marked increase in malvertising being used as an infection vector for exploit kits. The ease of using ad agencies to select users who may be susceptible to an exploit, and present them with a mal-ad makes malvertising an attractive infection vector. It's easy, reliable, and ensures that users will be largely randomly redirected to the various exploit kits. In this campaign you can see how one malvertised ad can be used to redirect into multiple different exploit kits. This underscores the challenges that we face related to online malicious advertising.
Online advertising is a key revenue stream for many corporations and sites. However, adversaries have realized this and have increasingly been leveraging it for nefarious activity. It's a challenge for the advertising networks to stay ahead of as well. Even if an advertising network is looking for malicious activity, and scansall the ads it serves, it won't find any malicious content. Everything is orchestrated through multiple tiers of redirection, and the landing page could be benign at the time the ad is scanned and approved.
There are also other examples where the bad guys have managed to compromise an ad server along the redirection path and injectmalicious content. To make matters worse, major sites are starting to require adblock be disabled. Ad blockers are an effective way to prevent this type of activity from occurring, but also impact a publisher's ad revenue. Although a publisher can limit access to its site based on the use of an adblocker, a publisher cannot guarantee that the ads served will not be malicious. This is going to be a major battle in the near future as more sites move to require ads be shown and more adversaries take advantage of this opportunity..
New Business ModelAs we see here malicious advertisements are increasing in 2016 and it could become an emerging area for those looking to profit from compromise, without compromising web sites directly. It is a strong possibility that we will see Malvertising as a Service (MaaS) emerge in 2016 and beyond. This may, in fact, be an example of just that, as these mal-ads directed users to both Angler & Rig exploit kits.
There may be incentives for bad guys to specialize in just this type of redirection service by building a reputation for getting ads hosted on major sites that will direct users to the landing page of the highest bidder. Combined with the ad fraud, which is already common, and there is big potential for revenue for anyone who can act as a conduit (connecting users to malicious content via ads) similar to what the online advertising industry does today.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.