Malvertising, Exploit Kits, ClickFraud & Ransomware: A thriving underground economy

Malvertising
Malvertising involves using malicious online advertisements as a means to serve malware payloads to unsuspecting users. Cybercriminals leverage compromised advertising networks to serve malicious advertisements on legitimate websites which subsequently infect the visitors. This has become one of the most successful vectors of malware delivery for cybercriminals. Malvertising campaigns in most cases will involve a malicious advertisement redirecting the user to an Exploit Kit (EK) landing page.

Exploit Kits
Exploit Kits are web-based frameworks that attempt to exploit browser application plugins for known vulnerabilities. Upon successful exploitation, the EK will silently download and install a malware payload on the victim machine. The entire exploit cycle is completely hidden from the end user.

The Exploit Kit infection cycle typically moves through three distinct stages:

Stage 1 - Loading stage: This stage involves the initial delivery mechanism which causes the user to visit a compromised website or advertisement. This compromised website then leads the user to the actual Exploit Kit landing page which may involve a series of web redirects.

The initial delivery vector can be any of the following:

• Spam & phishing e-mail
• Social Networking sites
• SEO poisoning
• Compromised website
• Malvertising on legitimate sites

It is important to note that malvertising is one of the most dangerous and extremely successful initial delivery mechanism here as even the most cautious user is susceptible to this attack while visiting a perfectly legitimate website. In most other cases, a well informed user can avoid the attack by carefully inspecting the link in an e-mail or search results.

Stage 2 - Landing Stage: During this stage, the victim machine visits the actual EK hosting site and the exploit cycle is started. The EK code will attempt to exploit the identified vulnerable plugins by downloading the relevant exploit payloads.

Upon successful exploitation, the EK will lead to the download of the malware payload as configured by the EK operator. The entire exploit cycle may not require any user intervention in most cases, which greatly increases the success rates.

Stage 3 - Malware Payload Delivery: This is the final stage of the Exlpoit Kit infection cycle where the malware executable is downloaded and installed on the victim machine. This is usually achieved, after successful exploitation, by one of the EK payloads that was served during the landing stage.

The EK operators strive to ensure that the EK code, exploit payloads and the end malware payloads have very low to zero antivirus detection. Over the past few years, EK authors have implemented multiple new features to improve the effectiveness & infection success rates:

• Anti-VM and Anti-Analysis features
• Detection of known antivirus drivers
• Multiple levels of highly obfuscated JavaScript code
• Dynamic construction of exploit payload URLs only when a vulnerable plugin is found
• Short lived exploit payload URLs often restricted to one visit per IP address
• Obfuscated and repackaged exploit payloads
• Repackaged malware payloads

Recent Malvertising & EK campaigns
After last year’s infamous “Kyle & Stan” malvertising campaign that affected Google, Yahoo, YouTube and multiple other popular websites, this year has been no different. We have seen a malvertising campaign leading to a zero day Flash Exploit payload via the Angler EK to start of the year, followed by a Malvertising campaign targeting European Transit users. There have been numerous other instances of Malvertising which involved popular sites like huffingtonpost.com, yahoo.com, zillow.com and we only expect this trend to continue throughout the year.

Malvertising attempts blocked [Last 7 days]

Users targeted globally by Malvertising [Last 7 days]

Advanced techniques to evade detection
We have also noticed some new techniques being introduced in the Malvertising & EK exploit chain this year to further evade detection by URL reputation & network scanners:

• 302 cushioning, or a 'cushion attack', is used to redirect victims to malicious sites via simple HTTP 302 redirects rather than traditional techniques like iframes or JavaScript redirects which are easy to detect by network IDS/IPS devices.
• Domain Shadowing, involves compromising the parent domain and creating multiple sub-domains that point to malicious code.

Please refer to our most recent write-up describing it in more detail.

A typical Malvertising infection cycle would involve following stages:

Malvertising infection cycle

Cybercrime Infrastructure & Business Model

Threat actors involved at different stages of the infection cycles are part of a thriving Cybercrime infrastructure & business model that is all interconnected as seen below:

Cybercrime Infrastructure & Business Model

The top Exploit Kits that we have seen involved in various Malvertising campaigns in 2015 are:

• Angler
• Nuclear
• Magnitude
• RIG

Angler Exploit Kit

Angler Exploit Kit is one of the most prevalent exploit kits in existence today and has many similarities with other exploit kits. Victims are usually served Angler landing pages via compromised websites where an iframe or script has been injected into the compromised site's page and loads Angler's exploit page. The landing page for Angler is very similar to Nuclear, but instead of displaying totally randomized text for obfuscation, random passages from the novel "Sense and Sensibility" are used. Angler domains at first glance may look like legitimate domains, for example:

inspirablebacktenter.modernlifestyle[.]com

Angler EK operators are leveraging domain shadowing technique to shield their landing sites from URL categorization-based detection. Over the past few months, we've seen Angler changing tactics somewhat. In late 2014, the landing page took the form of a 10 character alphanumeric php page, for example: 

/l86dvw7qfp.php
/62ynh7h2e9.php
/ukvugw2mct.php

This format quickly changed to exclude the php extension, then changed to an entirely new format:

/govern_wickets_insulator/1305714616
/pews-bathrobe-understatement/2333676765
/pions_fingertips_rebuff/8057907058341
/pounces-garrotted-bedfellow-mingling/387249683138585374

This is another attempt to blend in with normal looking web traffic. Exploit pages and payloads have a similarly consistent format that has not noticeably changed since late 2014:

/3R6sqI6COwSVqj-FeU2X7WK5qWYlpQskmTr-ivR7ZSZuIbap/9Oj96BjEJ7Rpe-CuvXMl_DVaDQFeQV53vYrJekoio1vi9dIc/eS9vXVpGOZhiD1CflWv8J9AeWGa_auetZVWzsTeBZqZTSXlR/VZsq9DV0HzNyc0_HxSiYUpc4_NiyZW729YthGRWUQOssgshN/JQqtNNYjlHsJNYAFZDsQEJIFAF227hht8nMx0qCyo6HRXuO8

The majority of the recent Angler EK infections were serving the Bedep AdFraud bot.

Angler EK instances blocked

Angler EK server locations

Nuclear Exploit Kit

Nuclear EK is arguably the most advanced exploit kit currently in use and includes a variety of different exploits. First appearing in 2009, the kit is very actively developed, with new exploits and defenses added incrementally over the years, and it is used to serve any number of payloads, including ransomware, click fraud, and multiple backdoors. Nuclear contains exploits for multiple common software components, including Flash, Internet Explorer, Java and Silverlight. Notably, in March 2015, the kit began including a Flash exploit for CVE-2015-0336 only a week after a patch was released by Adobe. Similar to Angler EK, Nuclear uses compromised webservers to serve exploits via 302-cushioning and domain shadowing, but free subdomain and dynamic DNS providers are also heavily used.

sstmxixcdr.serveftp[.]com/xqpjvl5oabhksk1fqq1bwl1afxdcs09xxxbjf1pdva.html
fu7bncm7xzjwu6hcfhuwwgg.90saniye[.]com/xvsobfbfaayaaxcou1gfcfvbs1wrefrrulaoebvovlfixfjkufgphacxulkl.html
azwbm2qdqs276gxw9qj82fg.akildakalici[.]net/rkklfaaacu1yh0aexaniauyvawypak8rcebtxquavh9ydl4kvvbsbfspulgxc1is.html

Using new subdomains of compromised sites enables Nuclear to evade older, domain-based blocking and allows for rapid rotation or one-time use of subdomains to hinder analysis by security researchers. In addition, before actually serving the exploit kit's landing page, potential victims are sent through an intermediary hop via 302-redirection; the victim is either 302-redirected to the landing page if this is a new victim, or sent to the desired non-malicious page.

Another interesting feature of Nuclear is that various fields are Base64-encoded and passed to the malicious domain:

ce79suqo5euujfchllkmwwf.alumni-year-book[.]com/index.php?a=cmtpbWJwZ2Q9cWEmdGltZT0xNTA0MTUwNjU0NjExNjY2ODgyJnNyYz0zMjImc3VybD1vbmVoYWxseXUuY29tJnNwb3J0PTgwJmtleT0xOUZGM0EwJnN1cmk9L3RvcGljLzQ0NzU0LSUyNUUyJTI1OTklMjVBNS10aGUtb2ZmaWNpYWwtJTI1RTIlMjU5OSUyNUE1LW5hbXNvbmctY291cGxlLSUyNUUyJTI1OTklMjVBNS10aHJlYWQtJTI1RTIlMjU5OSUyNUE1Lw==
--base64 decoded--
rkimbpgd=qa&time=1504150654611666882&src=322&surl=onehallyu.com&sport=80&key=19FF3A0&suri=/topic/44754-%25E2%2599%25A5-the-official-%25E2%2599%25A5-namsong-couple-%25E2%2599%25A5-thread-%25E2%2599%25A5/

Similar to Angler, the landing page contains sections of highly obfuscated JavaScript in between chunks of text; however, unlike Angler, Nuclear uses totally randomized text, which makes landing pages more difficult to detect using traditional signatures.

<textarea id='DjwvKE' title='riaXWWvroLTqxkFhlrC' name='MTdak' cols='84' rows='7'>cbkKKLhgidYWpsNmcSUOJXFDrjdbvBIScsdmDKTlorIdjVQMnlaxJgAAPecLfkdIdGvgRPSFGbjqwACkmcivIjwYOYjuJNCmUySlNlrUMbKJbMuNpcJyMFWadGUnTXZnVsYjdQDqrOATbuhQXqPjvlJZseMLBmyXeXGInJyfYyzztgPQWeASQJsInFUprSMVqSddccJAbIzUoPlLuleLvWUjboYSHloxDRbgukhVthqixbtrNYDIuXsWMQpTBdQFvsmpcTLVBCDyexqrVtAQRsndJcxLGORBGDriXDEYFIXkGNbcG</textarea>
<h2>QMx sKWhYGWu eZJGyZ aFnKgWwC xfgcc KmTs rOETlec oBWPHKZ yVrHkWnM AXkEQvfe oPeaHHcdWk kYVRPcClQO GmV gQl</h2>
<h4>fQgQqXM gvllOkaC HknmN qvPFFFKKja TRNMxyHikW JYAb QOWuNSKTX mhzDYzV</h4>

The majority of the recent Nuclear EK infections were serving Teslacrypt Ransomware.