Exploit kits are a class of threat that indiscriminately aims to compromise any user who reaches them. Talos has continued to monitor this threat over time, producing large-scale research and, in one case, a large-scale takedown. The focus of this investigation is on the tools and techniques used to drive users to the exploit kits. This blog looks at the anatomy of a global malvertising campaign and at how users end up interacting with exploit kit gates, regardless of the sites they visit or the countries in which they reside.
Talos observed a large malvertising campaign affecting potentially millions of users visiting sites in North America, Europe, Asia Pacific, and the Middle East. The research culminated in a joint effort with GoDaddy to mitigate the threat by taking back the registrant accounts used to host the activity and taking down all applicable subdomains. This is yet another example of how organizations work together to stop threats affecting users around the globe. If you are a provider or online ad company that would like to work with Talos, please contact us.
Online advertising is a key component of the Internet today, especially for sites that provide content free of charge. In this blog we will be discussing a global malvertising campaign that has affected a wide array of websites. These websites don't bear responsibility for the malicious ads; it is simply the nature of online advertising. As security organizations get better at identifying and shutting down malicious content, adversaries are going to keep moving and stay agile. From the attacker's perspective, the advantage of malicious advertising is that two visits to the same site are unlikely to be served the same ad, which makes the malicious content hard to reproduce and hard to attribute to the site itself. This is where protections like ad blockers, browsers with advanced sandboxing technologies, and detection/prevention technologies are paramount to ensure protection from this type of content.
Gate Overview
Gates are an initial redirection point for exploit kits. A gate is simply an intermediary between the initial redirection (i.e. a compromised website or a malicious ad) and the actual exploit kit server that does the probing, compromise, and payload delivery. This allows the adversary to quickly change the actual malicious server without having to change the initial redirection, enabling a longer exploit kit campaign without constantly modifying the site or ad that starts the infection chain. At any given time there are several gates actively pointing users to exploit kits; among them are darkleech, pseudo darkleech, EITest, and ShadowGate / wordJS.
The exploit kits they point to can change and evolve over time. Take EITest for example. This gate started by directing users to Angler. Then, as Angler disappeared, it moved on to Neutrino, and most recently it has been seen directing users to Rig. This is the case for most gates, and the fact that the gates have moved on to other exploit kits since Angler's disappearance in June is one of the key reasons we believe Angler to be currently inactive. Some gates seem to favor either compromised websites or malicious ads: EITest seems to favor compromised sites, while ShadowGate seems to focus on malicious ads.
Additionally, ShadowGate tends to go dark for random periods of time. It will then start again and continue directing traffic to exploit kits. Until the Angler disappearance it was used exclusively to direct users to Angler. Today that traffic is bound for Neutrino EK instances.
Over the course of the last year ShadowGate has used various shadowed domains. This particular campaign has been active for at least the month of August and has used the following domains to shadow its activity:
hillarynixonclinton[.]com
As is typically the case with shadowed domains, these are registered to what is likely a single person, although the registrations are associated with two different email addresses. These email addresses use the same username with different providers (i.e. Gmail and Yahoo). These domains are also registered with GoDaddy, which is not surprising since it is the largest domain registrar. The gate itself is not overly sophisticated. When a user is actually served a redirection it looks similar to the following:
|ShadowGate Redirection Example|
|Neutrino Landing Page|
Online Advertising
Before we get into the specifics of how this particular malvertising campaign was operating, let's discuss online advertising. Online advertising is a relatively complex subject. This discussion will focus on OpenX and the two ad servers associated with it: Revive, the third-party open-source option, and OpenX Enterprise, the OpenX commercial option. OpenX is one of the largest online advertising platforms in the industry and uses a real-time bidding system. This basically means that in the time it takes for a browser to render the webpage, advertisers are bidding on the available ad space and the highest bid wins. According to the OpenX website, it sees more than 200 billion ad requests monthly. That's an extremely large footprint. One of the reasons is Revive. This ad server allows site operators to connect to multiple different ad streams, including OpenX. Based on the URL syntax associated with this malvertising campaign, it appears that most of the sites hosting the ads are using Revive or potentially OpenX Enterprise. As noted in the Revive documentation (shown below), ads are served by default from the path /www/delivery/:
|Revive Configuration Sample|
Malvertising Campaign
One of the most interesting aspects of this particular malvertising campaign was its global reach. Malvertising campaigns are almost constantly ongoing and directing users to various threats. Talos discovered that this particular gate was active again and began gathering data on how users were being directed to the gate and where the traffic ended up. The easiest way to start is to walk through an example.
This infection run begins with a visit to a site related to precious metals and their values, goldseek[.]com. The user begins by browsing to the main URL of the site. The page loads as normal, but on closer analysis you can see that there is an ad generated by OpenX 2.8.7, as highlighted:
|Initial Ad GET Request|
|Malicious Ad Pointing to ShadowGate|
This is a typical example of how this malvertising campaign worked: a legitimate ad request to the publisher's Revive/OpenX delivery path returns an ad that carries a redirection to the ShadowGate domain. The focus now shifts to where this malvertising campaign was seen and some variants found along the way.
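The two things the walkthrough above relies on, the Revive/OpenX /www/delivery/ path that identifies an ad request (Online Advertising section) and the gate's redirection from that ad to a subdomain of a shadowed domain (Gate Overview), can be turned into a simple triage check. The following Python script is an added example, not code from the original post or from Talos: it takes constructed page/ad/response records, keeps only requests to Revive's default delivery scripts, and reports any iframe in the ad response whose host is outside both the publisher's domain and the ad server's domain, marking a subdomain of an unrelated domain (the shape of a shadowed domain) and a 1x1 or hidden frame. The hostnames (.example TLD), the sample records, the helper names, and the crude eTLD+1 helper (a stand-in for a real Public Suffix List lookup) are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Default delivery scripts Revive Adserver (and older OpenX) serve under /www/delivery/:
# afr.php (iframe ads), ajs.php (JavaScript tags), ck.php (clicks), lg.php (logging),
# avw.php (image tags).
REVIVE_DELIVERY_RE = re.compile(r"/www/delivery/(afr|ajs|ck|lg|avw)\.php", re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Second-level labels under which registration happens one label deeper (co.nz, co.uk, ...).
# Deliberately crude stand-in for the Public Suffix List; enough for the sample below.
CC_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}


def registrable_domain(host):
    """Approximate eTLD+1: wood.example.net -> example.net, news.example.co.nz -> example.co.nz."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_revive_ad_request(url):
    """True if the URL path hits one of Revive's default delivery scripts."""
    return REVIVE_DELIVERY_RE.search(urlsplit(url).path) is not None


def parse_iframes(body):
    """Return one {attribute: value} dict per <iframe> opening tag found in body."""
    frames = []
    for tag in IFRAME_RE.finditer(body):
        attrs = {}
        for m in ATTR_RE.finditer(tag.group(1)):
            attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
        frames.append(attrs)
    return frames


def is_hidden(attrs):
    """Heuristic for a frame the user is not meant to see: 1x1/0x0 or CSS-hidden."""
    def tiny(value):
        try:
            return float(value.rstrip("px%")) <= 1
        except ValueError:
            return False
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def analyze(transactions):
    """transactions: iterable of dicts with page_url, ad_url and body (the ad response).
    Returns findings for iframes in Revive/OpenX ad responses that point outside both the
    publisher's registrable domain and the ad server's registrable domain."""
    findings = []
    for t in transactions:
        if not is_revive_ad_request(t["ad_url"]):
            continue
        page_dom = registrable_domain(urlsplit(t["page_url"]).hostname)
        ad_dom = registrable_domain(urlsplit(t["ad_url"]).hostname)
        for frame in parse_iframes(t["body"]):
            target = urlsplit(frame.get("src", "")).hostname
            if not target:
                continue  # relative or missing src: stays on the ad server
            target_dom = registrable_domain(target)
            if target_dom in (page_dom, ad_dom):
                continue  # ads.publisher.example serving publisher.example is the normal case
            findings.append({
                "page": t["page_url"],
                "ad_url": t["ad_url"],
                "target": target,
                # a subdomain of an unrelated registrable domain is the shape of a shadowed domain
                "kind": "shadowed-subdomain" if target != target_dom else "third-party",
                "hidden": is_hidden(frame),
            })
    return findings


# Constructed sample records (not real captures); hosts use reserved .example names.
SAMPLE_TRANSACTIONS = [
    {   # Normal Revive tag: the frame stays on the publisher's own ad subdomain.
        "page_url": "http://news.publisher.example/article.html",
        "ad_url": "http://ads.publisher.example/www/delivery/afr.php?zoneid=12&cb=4711",
        "body": '<iframe src="http://ads.publisher.example/www/delivery/afr.php?zoneid=12" width="728" height="90"></iframe>',
    },
    {   # Gate-style injection: hidden 1x1 frame to a subdomain of an unrelated domain.
        "page_url": "http://news.publisher.example/article.html",
        "ad_url": "http://ads.publisher.example/www/delivery/ajs.php?zoneid=12",
        "body": '<script>document.write("<div></div>");</script>\n'
                '<iframe src="http://wood.shadowed-domain.example/ads/?id=8843" width="1" height="1" style="visibility:hidden"></iframe>',
    },
    {   # Not a Revive delivery request, so it is not examined at all.
        "page_url": "http://news.publisher.example/article.html",
        "ad_url": "http://static.publisher.example/js/analytics.js",
        "body": '<iframe src="http://wood.shadowed-domain.example/"></iframe>',
    },
    {   # Visible third-party creative served straight from a partner's apex domain.
        "page_url": "http://shop.retailer.co.nz/",
        "ad_url": "http://shop.retailer.co.nz/www/delivery/afr.php?zoneid=3",
        "body": '<iframe src="https://partner-network.example/banner" width="300" height="250"></iframe>',
    },
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_TRANSACTIONS):
        print(f"{f['kind']:<19} hidden={str(f['hidden']):<5} {f['target']}  (from {f['ad_url']})")
```

Run against the constructed records, the script reports only the hidden frame to wood.shadowed-domain.example (shadowed-subdomain) and the visible partner-network.example banner (third-party); the first record is ignored because the frame stays within the publisher's domain, and the third because it is not a Revive delivery request. On real traffic the third-party bucket will be noisy, since legitimate creatives are routinely served from ad networks; the shadowed-subdomain plus hidden combination is the one worth chasing, ideally enriched with the target domain's registration date.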
Global Campaign
As Talos dug into this campaign, its true global presence started to emerge. It's not uncommon to find malvertising campaigns hitting a wide variety of sites. What was interesting about this campaign is how many different languages and countries were potentially impacted. This all began by noticing the traffic on precious metal commodity sites, as the example above walks through, but it quickly started to expand. Talos began to find the redirection appearing on a wide range of sites. Let's start with several Chinese sites related to Information Technology. First, there was 51cto[.]com, a leading IT technology site in China. Talos was able to find several instances of this campaign on various pages spread throughout the site.
|Image showing Ad Request and Response with ShadowGate|
As we continued to investigate we started noticing a lot of .co.nz domains serving the ads. One such example was particularly interesting because it added SSL to the mix. The site in question was theregister[.]co[.]nz, a news site for the retail industry in New Zealand. Initially the infection point was unclear, since the redirection appeared to come out of nowhere; the ad traffic that delivered it was encrypted. As shown below, you can see the DNS request for wood.hillarynixonclinton[.]net preceded by SSL traffic, and decrypting that traffic reveals the iframe injection pointing at ShadowGate.
|Encrypted Ad Traffic Capture|
|Decoded SSL Traffic Showing ShadowGate iFrame Injection|
|Variable Based ShadowGate|
Once the investigation was complete, Talos had found a sophisticated, global, diverse malvertising campaign that could potentially have impacted millions of users, based on the reach and popularity of the sites it appeared on. It widely affected Europe, Asia Pacific, the Middle East, and the United States. This was a global attack indiscriminately compromising users around the world.
Upon completion of the research, Cisco Talos notified GoDaddy of the registered domains that were hosting ShadowGate. GoDaddy quickly responded and was able to mitigate the threat successfully. As of the publishing of this blog the associated malvertising campaign appears to have been shut down and the malicious activity thwarted. Unfortunately, because the campaign relies on domain shadowing, it is likely to remain dormant only for a while before resurfacing on newly shadowed domains, but until then users are protected from this specific threat.
Another ShadowGate Campaign
Shortly after working with GoDaddy to shut down the domains associated with the malvertising campaign, a second campaign running on different IP space with a different set of registrant accounts was discovered. This campaign was heavily targeting Europe, with a large number of Italian, Spanish, Bulgarian, Swedish, and Slovakian sites hosting the malicious ads. Several Israeli sites were also seen serving them. One thing of note is that the URL structure changed shortly after the initial takedown. The syntax now had a couple of subtle variations:
Conclusion
This is the reason malvertising is such an attractive avenue for attackers. This campaign was spread all over the world and hit sites related to popular culture, weapons, universities, IT, retail, news, pornography, and many others. This is the challenge we face in 2016 and beyond. How do you balance the need for companies to make revenue offering their online content with the risks associated with those same revenue streams?
As the battle between websites and ad blockers continues to escalate, this is an issue that will have to be dealt with eventually. The other challenge with this type of activity is that the ad itself often appears to come from the same domain as the website: if you visit example.com, the ad was likely served from ads.example.com or some other variant, so the ad request looks first-party even when the content it returns is not. It's trivial to set up an ad server to host ads on your site. It is increasingly difficult to determine where the malicious content resides, since ads move between sites rapidly.
Users aren't left with a lot of options related to this threat. Ad blockers are an option, but as we've seen, some sites are already taking a stand against ad blockers because they eliminate a primary revenue stream. In the case of Neutrino, users can simply uninstall Adobe Flash from their systems entirely. This is yet another reason to remove a plugin that is increasingly becoming obsolete for rendering the images, games, and videos on the Internet today.
This is a challenge that is going to increase in the near term as the ways content is delivered to end users move even further online. As this continues, those sources are going to lean even more heavily on ads to support that information. This pushes people to either not support the organizations providing the information, take their chances with potentially seeing malicious content via these ads, or resort to sites that sit behind paywalls requiring monthly fees. Welcome to the information age in 2016 and beyond; don't forget those ad blockers.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.