Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits
Mandiant
Written by: Zain Gardezi
Malvertising occurs when an online advertising network knowingly or unknowingly serves up malicious advertisements on a website. Malvertisements are a type of “drive-by” threat that tend to result in users being infected with malware simply for visiting a website. The victims of this threat are often compromised when the malvertisement directs them to an exploit kit (EK) landing page. Depending on the applications running on the user’s system, the EK can successfully load malware onto the system without user consent and without tipping the victim off that something suspicious is happening.
It is not uncommon for popular ad servers to redirect to affiliate networks – organizations that forward traffic to servers supporting other malicious domains, which are referred to as “Cushion Servers” or “Shadow Servers”. Under the control of EK actors, some cushion servers use HTTP redirect status codes such as 301, 302 or 303, or simply iframe redirects. In other cases the visitor receives pages containing a script that the attacker has injected. This is often the consequence of an unmitigated vulnerability that attackers may exploit to their advantage. Some campaigns use the domain shadowing technique to camouflage rogue ad servers as legitimate advertisers.
In this blog, we will look into some of the prominent malvertising campaigns that were active during the last four months, as well as the cushion servers related to different exploit kits.
Magnitude EK
As seen in Figure 1, Magnitude EK is a popular exploit kit in the APAC region. Throughout the final quarter of 2016 and first month of 2017, FireEye Dynamic Threat Intelligence (DTI) observed consistent Magnitude EK hits from several customers, the majority of whom reside in the APAC region.
Figure 1: Zone distribution for Magnitude EK activity as seen on DTI in the last four months
In all cases, the web servers involved in Magnitude EK activity returned the following header information: “Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6”.
A successful Magnitude EK infection follows the stages seen in Figure 2.
Figure 2: Typical path for malvertising to Magnitude EK
Figure 3: TLD distribution of first layer domains with injected redirect script
Throughout the last four months, different malvertising campaigns have been associated with a group of first layer compromise pages (the TLD distribution is seen in Figure 3), which we will discuss based on common indicators. These first layer compromise pages use the same injected script used for redirection to Magnitude EK. Figure 4 shows a typical injected script used in these campaigns.
Figure 4: Typical malicious injected script used for redirection to Magnitude domains
In all observed instances, the injected script only appears when the site is being loaded through the advertisement (many of which have high Alexa ranking, as we will further explain), and not when those URLs are accessed directly.
FireEye notifications have resulted in many of these campaigns being taken down, as noted in their respective sections.
Through Propeller Ad Networks
Table 1 shows the domains we observed acting as first layer compromise domains: they carry the injected script that redirects to Magnitude EK, are reached from the advertisers, and are hosted on the Webzilla B.V domain hosting service.
Table 1: Domains with injected redirect script involved in this campaign
These domains appear to be from the same actor due to the similar nature of the URI and domain patterns, and the switching to new domains after one has been used a certain number of times. The current IP involved in hosting the active domains is 37.130.229.108. Domains seen in Table 1 were reached through redirects from the advertisers listed in Table 2.
Table 2: Ads used in this campaign
A typical URI seen in this campaign appears as:
btcpaying[.]uk/?reg=asia&traff=propeller
On rare occasions the same campaign also used advertiser poptm[.]com hosted on Cloudflare, but for the most part the ad networks listed in Table 2 were used.
The Bill-Finance and Flash Games Gates
Some malvertisements have been leading users to Flash game websites. In these instances, domains containing the word ‘finance’ in their domain name are being used as the first layer of compromise for the injected script, which redirects to domains hosting Magnitude EK. These Flash sites are registered through the registrar ‘AlpNames Limited’ and have been hosted with the ISP PlusServer AG in Germany.
Registrant information for all of these sites is similar. The registrant name is some variation of the names ‘Bill’ and ‘Guil’ (e.g. ‘Billii’, ‘Billy’, etc.). Registrant phone numbers have consistently been +1.2285161853 or +1.7137015286.
Table 3 shows the names of these Flash game websites and Table 4 shows their malvertising information.
Table 3: Domains with injected redirect script involved in this campaign
Table 4: Ads used in this campaign
The ads from click.seodollars[.]com appear to be using the domain shadowing technique, while all others are legitimate advertisers.
AlpNames Limited registrar has taken down domains associated with this campaign following notification by FireEye.
TTA Adults Limited Using Adcash Ad Group
This category of first layer compromise covers domains registered under the organization TTA ADULTS LIMITED. In all instances, the registrant information is as follows:
Registrant Name: Andrew Musgrove
Registrant Organization: TTA ADULTS LIMITED
Registrant Street: FOURTH AVENUE UNIT 1B FOCUS 4
Registrant City: LETCHWORTH
Registrant State/Province: Hertfordshire
Registrant Postal Code: SG6 2TU
Registrant Country: GB
Registrant Phone: +44.7538421640
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: musgroveandrew1@gmail[.]com
Domains with this registrant information are reached through redirects from advertisers belonging to the Adcash group.
Table 5 shows the names of these campaign domains and Table 6 shows their malvertising information.
Table 5: Domains with injected redirect script involved in this campaign
Table 6: Ads used in this campaign
Adcash has closed domain accounts associated with this group following notification from FireEye.
China Coast
This category of first layer compromise covers domains registered under the organization China Coast. In all cases, the registrant information is as follows:
Registrant Name: Goran L Deelen
Registrant Organization: China Coast
Registrant Street: Davisstraat 27
Registrant City: Amsterdam
Registrant State/Province: Noord-Holland
Registrant Postal Code: 1057 TG
Registrant Country: NL
Registrant Phone: +31.645495613
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: antoni309233@gmail[.]com
The malvertisements can be further categorized by different domain types. Some of the domain names with traffic from Taiwan are redirected by ads.adamoads[.]com (a Chinese advertising site). Additional details are shown in Table 7.
Table 7: Domains and ad services involved in this campaign
Some of the malvertisements in this campaign are redirected through other ad sites, including:
- adexchangeprediction[.]com has been observed to be redirected from serve.popads[.]net.
- n152adserv[.]com is redirected from engine.phn.doublepimp[.]com.
The following rogue ad subdomains in this campaign use the domain shadowing technique:
- syndication.exoclick[.]com
- track.reacheffect[.]com
Table 8 shows other malvertisement cases for Magnitude EK.
Table 8: Other domains and ad services involved in redirection to Magnitude EK
Rig EK
Rig EK emerged as the most prolific exploit kit in the latter half of 2016. Its use in campaigns such as EITest Gate, Pseudo-Darkleech and Afraid Gate is well documented, all of which involve scripts being injected directly within legitimate sites. However, going with the theme of this blog, we will be focusing on noteworthy malvertising campaigns involving redirects to Rig EK domains.
Casino Theme Ad Domains
From the final quarter of 2016 to the start of 2017, we have observed [.]info and [.]pw TLD domains acting as intermediate redirect domains invoked via legitimate advertisers, which eventually lead to Rig EK domains. These domains usually have malicious iframes injected into the content for redirection to Rig EK domains. Figure 5 shows the normal workflow of the campaign.
Figure 5: Ad networks hosted on Google Cloud ISP
Figure 6 shows how the ad loads casino-themed domains via a 302 redirect. The ad service loads these sites, which act as shadow servers that redirect users further to exploit kits, as seen in Figure 7 and Figure 8.
Figure 6: 302 redirect to holdem-pokers.info
Figure 7: Malicious iframe from the first redirect domain to a .pw domain hosted on the second IP
Figure 8: Malicious iframe from 2nd layer redirect domain loading Rig EK
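The chains described in this post (a legitimate ad answering with a 3xx redirect, a cushion server, and an iframe to the exploit kit landing page, as in the casino-themed campaign above and the cushion server mechanism described in the introduction) can be reconstructed from ordinary web-proxy logs. The following Python script is an added example, not code from the original post or from FireEye: it parses a constructed five-column log format, links each request to the request that caused it, and flags host sequences that pass from a known ad host through two or more further distinct hosts. Host names, IPs and timestamps in the sample log are invented; the `ads.adnetwork.example` watchlist entry is an assumption standing in for whatever ad hosts an organization chooses to monitor. Browsers keep the original Referer across a 3xx redirect, so redirect hops are linked by request order rather than by Referer, which is a heuristic.

```python
"""Reconstruct ad -> cushion server -> landing page redirect chains from proxy logs.

Added example, not code from the original post. Log format, hosts, IPs and
timings are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample proxy log: "<timestamp> <client_ip> <status> <url> <referer>".
# One page view pulls an ad; the ad click URL answers 302, the browser lands on a
# cushion domain, and that page loads a second-layer domain in an iframe.
SAMPLE_LOG = """\
2017-02-01T10:00:01 10.0.0.5 200 http://news.example/article/1 -
2017-02-01T10:00:02 10.0.0.5 200 http://ads.adnetwork.example/show?zone=17 http://news.example/article/1
2017-02-01T10:00:02 10.0.0.5 302 http://ads.adnetwork.example/click?id=9 http://news.example/article/1
2017-02-01T10:00:03 10.0.0.5 200 http://cushion-one.example/?reg=asia&traff=propeller http://news.example/article/1
2017-02-01T10:00:03 10.0.0.5 200 http://landing-two.example/index.php?q=abc http://cushion-one.example/?reg=asia&traff=propeller
2017-02-01T10:00:04 10.0.0.5 200 http://cdn.example/style.css http://news.example/article/1
"""

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Hit:
    ts: str
    client: str
    status: int
    url: str
    referer: str

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_log(text: str) -> list[Hit]:
    """Parse the constructed five-column log format into Hit records."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer = line.split()
        hits.append(Hit(ts, client, int(status), url, "" if referer == "-" else referer))
    return hits


def link_parents(hits: list[Hit]) -> dict[int, Hit]:
    """Map id(hit) -> the hit that caused it, per client, in time order.

    Two linking rules, checked in this order:
      1. the previous request by this client answered with a 3xx: the browser
         followed it, so this request is the redirect target. Browsers keep the
         original Referer across a redirect, so the Referer cannot be used here.
      2. the Referer names an earlier request: an iframe/script/image sub-load.
    Rule 1 is a heuristic; parallel loads racing a redirect can mislink.
    """
    by_client: dict[str, list[Hit]] = defaultdict(list)
    for h in hits:
        by_client[h.client].append(h)
    parent: dict[int, Hit] = {}
    for client_hits in by_client.values():
        client_hits.sort(key=lambda h: h.ts)  # stable: equal timestamps keep log order
        seen_urls: dict[str, Hit] = {}
        for i, h in enumerate(client_hits):
            prev = client_hits[i - 1] if i else None
            if prev is not None and prev.status in REDIRECT_CODES:
                parent[id(h)] = prev
            elif h.referer in seen_urls:
                parent[id(h)] = seen_urls[h.referer]
            seen_urls[h.url] = h
    return parent


def chains(hits: list[Hit]) -> list[list[Hit]]:
    """Walk from every leaf request back to its root; oldest hit comes first."""
    parent = link_parents(hits)
    has_child = {id(p) for p in parent.values()}
    out = []
    for h in hits:
        if id(h) in has_child:
            continue
        path = [h]
        while id(path[-1]) in parent:
            path.append(parent[id(path[-1])])
        out.append(path[::-1])
    return out


def suspicious_chains(hits: list[Hit], ad_hosts: set[str], min_hops: int = 2) -> list[list[str]]:
    """Host sequences that go from a known ad host through >= min_hops further
    distinct non-ad hosts: the ad -> cushion server -> EK landing page shape."""
    flagged = []
    for chain in chains(hits):
        hosts = [h.host for h in chain]
        start = next((i for i, x in enumerate(hosts) if x in ad_hosts), None)
        if start is None:
            continue
        downstream: list[str] = []
        for x in hosts[start + 1:]:
            if x not in ad_hosts and x not in downstream:
                downstream.append(x)
        if len(downstream) >= min_hops:
            flagged.append(hosts)
    return flagged


if __name__ == "__main__":
    for hosts in suspicious_chains(parse_log(SAMPLE_LOG), {"ads.adnetwork.example"}):
        print(" -> ".join(hosts))
```

On the sample log the only flagged chain is news.example -> ads.adnetwork.example -> cushion-one.example -> landing-two.example; the ad impression itself and the stylesheet load are not flagged because nothing sits downstream of them. Raising `min_hops` to the depth seen in a given campaign (two cushion layers before the landing page in the Rig and Sundown cases above) trades recall for fewer false positives from ordinary ad-tech redirect chains.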
The most recent whois information for domains related to this campaign is as follows:
Registrant Name: sergei sergeev
Registrant organization: Private Person
Registrant Street: novoselov 44
Registrant City: ekaterinburg
Registrant State/Province: sverdlovskaya
Registrant Postal Code: 140530
Registrant Country: RU
Registrant Phone: +7.9868847677
Registrant Email: fobos@mail.ru
Admin Name: sergei sergeev
Admin Organization: Private Person
Admin Street: novoselov 44
Admin City: moscow
Admin State/Province: moscow
Admin Postal Code: 140530
Admin Country: RU
Admin Phone: +7.9868847677
The whois information slightly varies in older domains registered for the same campaign, but the organization name, state and country remain the same.
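Throughout this post domains are grouped by registrant details that survive small changes: the same name and e-mail with a different street address here, name variants sharing one phone number in the Flash games campaign. The following Python script is an added example, not code from the original post or from FireEye, of that pivot done mechanically: a union-find over WHOIS records that joins two domains whenever they share a normalized e-mail, phone number or registrant name, and reports which keys link each cluster. The records are constructed placeholders (`.example` domains, invented names, numbers and addresses) that mimic the patterns above; country and state are deliberately not used as pivot keys because they link far too many unrelated registrants.

```python
"""Cluster domains by shared WHOIS registrant identifiers.

Added example, not code from the original post. The records below are
constructed placeholders that mimic the patterns in the post: name variants
sharing one phone number, and one registrant keeping the same name and e-mail
while the postal address changes.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed WHOIS records; every value here is invented.
RECORDS = [
    {"domain": "flashgames-one.example", "name": "Billii", "phone": "+1.5550000001",
     "email": "bill1@mail.example", "country": "US"},
    {"domain": "flashgames-two.example", "name": "Billy", "phone": "+1.5550000001",
     "email": "bill2@mail.example", "country": "US"},
    {"domain": "finance-gate.example", "name": "Guil", "phone": "+1.5550000002",
     "email": "bill2@mail.example", "country": "US"},
    {"domain": "holdem-a.example", "name": "Sergei Sergeev", "phone": "+7.5550000003",
     "email": "reg@mail.example", "country": "RU"},
    {"domain": "holdem-b.example", "name": "sergei sergeev", "phone": "+1.5550000004",
     "email": "reg@mail.example", "country": "GB"},
    {"domain": "unrelated.example", "name": "Jane Roe", "phone": "+1.5550000005",
     "email": "jane@mail.example", "country": "US"},
]


def pivot_keys(rec: dict) -> set[tuple[str, str]]:
    """Identifiers strong enough to pivot on, normalized so formatting noise
    (case, whitespace, phone punctuation) does not split a cluster.
    Country and state are excluded on purpose: far too many registrants share them."""
    keys = set()
    if rec.get("email"):
        keys.add(("email", rec["email"].strip().lower()))
    if rec.get("phone"):
        keys.add(("phone", re.sub(r"\D", "", rec["phone"])))
    if rec.get("name"):
        keys.add(("name", " ".join(rec["name"].lower().split())))
    return keys


def cluster_registrants(records: list[dict]) -> list[dict]:
    """Union-find over records: two records join one cluster when they share
    any pivot key. Returns clusters, largest first, each with the keys that
    actually link two or more of its members."""
    parent = list(range(len(records)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_owner: dict[tuple[str, str], int] = {}
    for i, rec in enumerate(records):
        for key in pivot_keys(rec):
            if key in first_owner:
                parent[find(i)] = find(first_owner[key])
            else:
                first_owner[key] = i

    key_count = Counter(k for rec in records for k in pivot_keys(rec))
    members: dict[int, list[int]] = defaultdict(list)
    for i in range(len(records)):
        members[find(i)].append(i)

    clusters = []
    for idxs in members.values():
        domains = sorted(records[i]["domain"] for i in idxs)
        shared = sorted({k for i in idxs for k in pivot_keys(records[i]) if key_count[k] >= 2})
        clusters.append({"domains": domains, "shared": shared})
    clusters.sort(key=lambda c: (-len(c["domains"]), c["domains"]))
    return clusters


if __name__ == "__main__":
    for c in cluster_registrants(RECORDS):
        print(", ".join(c["domains"]))
        for kind, value in c["shared"]:
            print(f"    linked by {kind}: {value}")
```

The linkage is transitive: flashgames-two.example joins flashgames-one.example through the phone number and finance-gate.example through the e-mail address, so all three land in one cluster even though no single key is common to all of them. That is also the main caveat of the technique, since one shared privacy-proxy e-mail or registrar placeholder phone number will merge everything that uses it; filter such values out of the pivot keys before running this over real WHOIS data.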
Domains are currently active on IP 78.46.232.211 (first redirect after legitimate ad) and 88.198.220.122 (second redirect after legitimate ad). Table 9 shows a complete list of the involved domains.
Table 9: Casino themed domains involved as shadow servers in this campaign
Table 10: Ads used in this campaign
All ad services belong to the AdCash ad group, which stopped providing services to these domains in February 2017.
Later, the same campaign switched to the following new domains:
lifeerotic6[.]info; lifeerotic6[.]pw; spoutgame22[.]info; spoutgame22[.]pw; lifeerotic[.]info; 100p2[.]pw; 100p0[.]pw; sproutgame[.]info; sproutgames[.]info.
The IP involved with these new domains (other than the two mentioned earlier) is 78.46.232.214. The new whois information is as follows:
Registrant Name: sergei sergeev
Registrant Organization: Private Person
Registrant Street: 64 Vicar Lane
Registrant City: SAPEY
Registrant State/Province: COMMON
Registrant Postal Code: WR6 1JY
Registrant Country: GB
Registrant Phone: +1.3128595849
Registrant Fax:
Registrant Email: fobos@mail.ru
This actor’s new set of domains is now leveraging the popular ad service popcash[.]net, which FireEye has notified.
Sundown EK
The following are some of the most prominent malvertising campaigns that are currently active for Sundown EK.
Neighboring IPs Redirected From Different Set of Ad Networks
This campaign has been active using domains hosted on 217.23.13.111 and 217.23.13.110. Domains hosted on both neighboring addresses have their whois information protected by WhoisGuard. The domain names within each group hosted on these IP addresses (both geolocated in the Netherlands) are similar to one another.
In these instances, legitimate advertisers redirect to one of the domains hosted on these IPs, which further redirects to a Sundown EK domain. Figure 9 and Figure 10 show how an ad redirects to intermediary domains hosting a malicious iframe to a Sundown EK landing page.
Figure 9: poptm[.]com redirecting to gomedia[.]online hosted on IP 217.23.13.110
Figure 10: Redirect domain leading an iframe to Sundown EK
There are multiple ad services that are currently redirecting to these domains, as seen in Table 11.
Table 11: Intermediary domains redirecting to Sundown EK and their advertisers seen in this campaign
Figure 11 and Figure 12 show details of domains hosted on each neighboring IP involved in this campaign.
Figure 11: Domains with iframe load to Sundown EK hosted on IP 217.23.13.111
Figure 12: Domains with iframe load to Sundown EK hosted on IP 217.23.13.110
Leveraging popcash[.]net
A group of redirect domains has been leveraging advertiser popcash[.]net (Alexa #165) for 302/303 redirects to Sundown EK landing pages. In these instances, the advertiser does not lead directly to a Sundown EK domain, but leads users there via a chain of two domains involved in the campaign.
Table 12 shows domains involved in the campaign: popcash[.]net usually leads to a first domain via a 303 redirect, which further leads to a second domain (typically via an iframe or another 303 redirect) and eventually redirects users to a Sundown EK domain.
Table 12: List of shadow server domains involved in this campaign
These domains are hosted on one of two IPs: 23.238.19.56 or 173.208.245.114.
A typical example of such redirection can be seen in Figure 13 and Figure 14.
Figure 13: Chain of two domains being redirected from popcash[.]net
Figure 14: Second layer of Shadow server domain redirects to Sundown EK landing page
popcash[.]net cleaned the malicious ads after notification.
Through Propeller Ad Networks
This campaign is related to a group of domains with the following whois information:
Registrant Name: elise wickson
Registrant Organization: None
Registrant Street: 4-4025 Sladeview Crescent
Registrant City: mississauga
Registrant State/Province: QC
Registrant Postal Code: L6L 5Y1
Registrant Country: CA
Registrant Phone: +1.5148852225
Registrant Name: bruno calisto
Registrant Organization: None
Registrant Street: 8807 PIERRE-BOUCHER
Registrant City: laval
Registrant State/Province: QC
Registrant Postal Code: H7A3R2
Registrant Country: CA
Registrant Phone: +1.5148859965
These domains are being used as shadow servers for Sundown EK domains after being loaded via legitimate ad sites, with hosting on Webzilla B.V hosting services. Table 13 shows a complete list of these domains.
Table 13: Domains involved in this campaign
Table 14: Ads involved in redirection for this campaign
Other malvertisement cases for Sundown EK are shown in Table 15.
Table 15: Other domains and ad services involved in redirection to Sundown EK
Terror EK
Terror EK is similar to Sundown EK. It has been consistently leveraging advertiser serve.popads[.]net to redirect traffic to domains controlled by the actor. The advertiser redirects traffic to a domain hosted on IP 144.217.84.234, which further redirects to domains hosted on 144.217.84.235 / 94.74.81.91 / 94.74.81.8.
Earlier instances involving domains hosted on 149.202.164.86 were seen in December of last year by our colleagues at Trustwave and Malwarebytes.
In January 2017, new domain names appeared in the campaign, hosted at a different IP. However, as observed in the previous case, Terror EK continued the campaign to deliver ccminer payloads.
Figure 15 and Figure 16 show ad services redirecting to domain onlinesalespromarketing[.]com (hosted on 144.217.84.234), which further redirects to a landing page domain onlinesalesproaffiliate4[.]us.
Figure 15: serve.popads[.]net redirect to shadow server
Figure 16: Shadow server redirect to Terror EK landing page
Table 16 shows a list of new domains that use the above mentioned IPs for hosting landing pages:
Table 16: New domains used by Terror EK after first campaign
Conclusion
Malvertising and exploit kits continue to be a significant threat to regular users. While we strongly recommend using ad blockers for all web browsers, we understand that it’s not always possible. For that reason, the best approach is to always keep your web browsers and applications fully updated. Also, regularly check your browser to see what plugins are being used and disable them if they are not necessary.
In all of the examples we discussed, FireEye customers were protected from infection by our multi-flow and multi-vector detection engine.
Update (March 17, 2017): We would like to thank PopCash, Adcash, Propeller Ads, AlpNames Limited and Cloudflare for closing down rogue accounts linked to shadow servers that were discussed in this blog.