Av Gurus

During the past few weeks, malvertising activity was slightly on the decline, at least within our own telemetry. We were mainly seeing the usual suspects pushing a lot of Magnitude EK-related infections and the occasional tech support scam.

However, out of the blue on the weekend we witnessed a huge spike in malicious activity emanating from two suspicious domains. Not only were there a lot of events, but they also involved some very high-profile publishers, which is something we haven’t seen in a while:

Publisher               Traffic (monthly)*
msn.com                 1.3B
nytimes.com             313.1M
bbc.com                 290.6M
aol.com                 218.6M
my.xfinity.com          102.8M
nfl.com                 60.7M
realtor.com             51.1M
theweathernetwork.com   43M
thehill.com             31.4M
newsweek.com            9.9M

* Numbers pulled from SimilarWeb.com.

Rogue domains:

Domain Name: TRACKMYTRAFFIC.BIZ
Creation Date: 2016-02-27
Sponsoring Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Organization: PrivacyProtect.org
IP address: 104.28.18.116 (CloudFlare)

Domain Name: TALK915.PW
Creation Date: 2016-02-25
Sponsoring Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Name: Rocko Mantas
Registrant Organization: Best Media ltd
IP address: 104.27.190.84 (CloudFlare)

Ad networks/platforms:

Google:
  • www.trackmytraffic.biz/imp_track?zone=975
  • talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.470974263806
    -> Referer: http://tpc.googlesyndication.com/safeframe/1-0-2/html/container.html

AppNexus:
  • www.trackmytraffic.biz/tracker?zone=145&camp=Tapika
  • talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.0458697036987
    -> Referer: http://lax1.ib.adnxs.com/{redacted}&referrer=http%3A%2F%2Fwww.nytimes.com{redacted}

AOL:
  • www.trackmytraffic.biz/imp_track?zone=6899&camp=Vemeo
  • talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.22486335239
    -> Referer: http://www.aol.com/_uac/adpage.html

Rubicon:
  • www.trackmytraffic.biz/imp_track?zone=6899&camp=Vemeo
  • talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.515004501486
    -> Referer: http://optimized-by.rubiconproject.com/a/11648/36322/150620-15.html?&cb=0.49251904142839664&tk_st=1&rf=http%3A//my.xfinity.com{redacted}
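The chain above is easy to hunt for in proxy logs: an impression hit on trackmytraffic.biz followed by a k.track redirect on talk915.pw, both referred by an ad platform, with the same rds token reused across every network. The following detector is an added example, not code from the original post; the log line format and the sample lines are constructed for the demo, and the ad-platform host list is taken from the Referer values shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Redirector domains and ad-platform Referer hosts as listed in the write-up above.
ROGUE_DOMAINS = ("trackmytraffic.biz", "talk915.pw")
AD_PLATFORMS = ("googlesyndication.com", "adnxs.com", "aol.com", "rubiconproject.com")
# Constructed proxy log lines (time, client, URL, quoted Referer) for the demo; not real telemetry.
SAMPLE_LOG = [
    '2016-03-13T10:01:02Z 10.0.0.5 http://www.trackmytraffic.biz/imp_track?zone=975 "http://tpc.googlesyndication.com/safeframe/1-0-2/html/container.html"',
    '2016-03-13T10:01:03Z 10.0.0.5 http://talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.470974263806 "http://tpc.googlesyndication.com/safeframe/1-0-2/html/container.html"',
    '2016-03-13T10:05:44Z 10.0.0.9 http://www.trackmytraffic.biz/tracker?zone=145&camp=Tapika "http://lax1.ib.adnxs.com/"',
    '2016-03-13T10:05:45Z 10.0.0.9 http://talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.0458697036987 "http://lax1.ib.adnxs.com/"',
    '2016-03-13T10:07:00Z 10.0.0.7 http://nottalk915.pw/track/k.track?rds=deadbeef "-"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def host_in(host, domains):
    """Exact or subdomain match, so a lookalike such as nottalk915.pw is not flagged."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify_hit(url, referer):
    """Describe a request to a rogue redirector, or return None for other traffic."""
    u = urlsplit(url)
    if not host_in(u.hostname, ROGUE_DOMAINS):
        return None
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        # imp_track / tracker = ad impression hop, k.track = redirect hop toward the EK
        "stage": "redirect" if u.path.endswith("/k.track") else "impression",
        "zone": q.get("zone"), "camp": q.get("camp"), "rds": q.get("rds"),
        "ad_platform_referer": host_in(urlsplit(referer).hostname, AD_PLATFORMS),
    }

def scan_log(lines):
    """Return flagged hits from proxy log lines, with client and timestamp attached."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        ts, client, url, referer = m.groups()
        hit = classify_hit(url, referer)
        if hit:
            hits.append(dict(hit, ts=ts, client=client))
    return hits

def pivot_by_rds(hits):
    """Group affected clients by 'rds' token, identical across all four ad networks in the write-up."""
    groups = {}
    for h in hits:
        if h["rds"]:
            groups.setdefault(h["rds"], set()).add(h["client"])
    return groups
```

Blocking the two domains at the proxy stops the redirect hop regardless of which ad platform served the impression, and the rds pivot gives the list of clients that reached the redirector and should be checked for the EK landing page.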

Payload:
The first couple of days before this campaign went big, we observed a few hits on smaller publishers that were pushing the RIG exploit kit:

  • fg.lazarus-designs.com/?xXmNd7GZKxbIA4A=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cfAEOBo3lukyLNHeJ5yw0SH6jcGmr8dV1xC5VkRlPjPBKqE
    -> Referer: Fische, Aquaristik - Außenfilter Tetra EX600

On Sunday, when the attack really expanded, the Angler exploit kit was then used:

  • noblitt.petalsandpaintdrops.com/topic/80972-degrease-arranging-micturition-stupidly-toast-visible-roadworthy-monotonicity/
    -> Referer: http://lax1.ib.adnxs.com/{redacted}&referrer=http://www.nytimes.com/2016/03/13/us/politics/donald-trump-campaign.html?emc=edit_th_20160313&nl=todaysheadlines&nlid=69859133&_r=0

Angler EK has gone through several changes lately, in its URI patterns but also in the landing page itself. It is also the only one to use a recently patched Silverlight vulnerability.

Malwarebytes Anti-Exploit blocks the malvertising attack when it launches the exploit kit:

While we didn’t collect the actual malware payload in each of these attacks, chances are quite high that it would be one of the several strains of ransomware currently out there.

We notified the various ad networks when we first identified the attack as well as CloudFlare; we will update this blog with any new relevant information.