Malvertising campaign hit high profile websites including java_com

Pierluigi Paganini August 31, 2014

A new malvertising campaign has been spotted by experts at Fox-IT, the researchers discovered malicious ads on high-profile websites including Java.com.

Experts at Fox-IT revealed in a blog post the Internet firm AppNexus is the origin of a new “malvertising” campaign, which is based on the Angler Exploit Kit to redirect visitors to malicious websites serving the Asprox malware.

AppNexus provides a platform specializing in real-time online advertising which process 16 billion ad buys per day, unfortunately, according researchers at Fox-IT the company infrastructure was serving malicious ads targeting Microsoft’s Silverlight platform.
We must consider that several popular web services like Netflix run on Silverlight, for this reason the threat actors has chosen the above exploit kit.
The Angler exploit kit is very popular in the cybercrime ecosystem, the malicious code used by bad actors behind the malvertising campaign is easy to find on the black market and it was  used in various malicious campaigns.
Asprox is a malware used in the past in high-profile attacks, in recent attacks the malicious code has been adapted for click-fraud and data stealing.

Asprox has gone through many changes and modifications which includes spam modules, website scanning modules and even credential stealing modules,” Fox-IT said. “This history and current events show Asprox is still actively being developed and used.

According to Fox-It, the malvertising campaign targeted visitors of high ranked websites, including Java.com, eBay.ie, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com,  Kapaza.be and TVgids.nl. Last week visitors of the above websites were infected which such technique.
“Over the last week, from Tuesday august 19th until Friday august 22nd, the Security Operations Center of Fox-IT’s ProtACT service observed multiple high-profile websites redirecting their visitors to malware. These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware.”  states the blog post.
malvertising
The malvertising campaign is very effective against visitors running a vulnerable version of either Java, Flash or Silverlight, it is sufficient that the user visits the compromised website to be infected.
Once visited the website hosting the malicious ad, users are redirected in the background to ads[.]femmotion[.]com, which then redirects to the exploit kit on different domains like the gloriousdead[]com. and taggingapp[]com..
The experts at Fox-IT explained that the exploit kit first checks whether the victim’s browser supports an outdated version of Java, Adobe Flash Player or Microsoft Silverlight, and then silently serve and install the Asprox botnet malware.

Please note, a visitor does not need to click on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser,”

All the exploit kit hosts were observed using port 37702. Running exploit kits on high ports at best prevents certain network tools from logging the HTTP connections, as these are typically configured to monitor only HTTP ports,” Fox-IT said. “It does mean this exploit kit is blocked on a lot of corporate networks as they do not allow for browsing outside the normal HTTP ports, port 80 (or proxy ports) and 443 for SSL.” explained the researchers.

Threat actors responsible for the malvertising campaign used the “retargeting” technique to rotate the ads shown to the same visitor when they access a specific page multiple times.

The way it works is that a user with an interesting set of tracking cookies and other metadata for a certain adprovider is retargetted from the original advertisement content on the website to the modified or personalized data,” Fox-IT researchers said. “We have seen examples where the website that helped with the ad redirect to infect a user had no idea it was helping the delivery of certain content for a certain ad provider.

Malvertising campaigns are becoming even more sophisticated and insidious in the last years, the current malvertising schema are quite deceptive and noticeable only an the client side.

Pierluigi Paganini

(Security Affairs – malvertising, cybercrime)



you might also like

leave a comment