The HookAds campaign was first documented by researchers at Malwarebytes in mid August 2016. It uses decoy adult sites to spread malware: a user browsing a legitimate website, often an adult site, is redirected through a malvertising chain to a decoy adult site.
On the decoy adult site, a malicious iframe points to a fake ad server that acts as a gate for RIG EK:
The domain milliption.gdn resolves to 62.75.195.128. The campaign has been using this IP address since February:
| Domain | First Seen | Last Seen |
|---|---|---|
| milliption.gdn | 3/13/2017 2:31 | 3/20/2017 13:21 |
| decipio.gdn | 3/13/2017 2:30 | 3/18/2017 2:37 |
| africal.gdn | 3/17/2017 20:49 | 3/17/2017 20:49 |
| vessed.gdn | 3/13/2017 2:31 | 3/13/2017 2:31 |
| resourdish.gdn | 3/8/2017 10:25 | 3/8/2017 21:12 |
| wow1.paramework.xyz | 1/25/2017 10:00 | 3/8/2017 19:07 |
| psittan.gdn | 3/8/2017 6:57 | 3/8/2017 9:40 |
| wow3.paramework.xyz | 2/24/2017 3:30 | 2/24/2017 3:30 |
| wow2.paramework.xyz | 2/19/2017 13:30 | 2/24/2017 3:29 |
The domain first resolved to 209.126.118.91, and passive DNS for that IP shows more malicious domains on the generic TLD .gdn (Global Domain Name):
| Domain | First Seen | Last Seen |
|---|---|---|
| coolinin.gdn | 3/9/2017 23:50 | 3/20/2017 3:24 |
| procody.gdn | 3/8/2017 22:12 | 3/19/2017 18:59 |
| slightfall.gdn | 3/12/2017 9:19 | 3/14/2017 4:18 |
| restribe.gdn | 3/9/2017 10:19 | 3/14/2017 3:13 |
| milliption.gdn | 3/13/2017 2:31 | 3/13/2017 2:31 |
| vessed.gdn | 3/13/2017 2:31 | 3/13/2017 2:31 |
| africal.gdn | 3/10/2017 10:25 | 3/13/2017 1:06 |
| resourdish.gdn | 3/8/2017 0:00 | 3/12/2017 1:36 |
| psittan.gdn | 3/12/2017 1:34 | 3/12/2017 1:34 |
All of the .gdn domains being used by this campaign are registered to seoboss@seznam.cz:
| Domain | Registrant Email | Registered |
|---|---|---|
| decipio.gdn | seoboss@seznam.cz | 3/5/2017 |
| restribe.gdn | seoboss@seznam.cz | 3/5/2017 |
| procody.gdn | seoboss@seznam.cz | 3/5/2017 |
| vessed.gdn | seoboss@seznam.cz | 3/5/2017 |
| africal.gdn | seoboss@seznam.cz | 3/5/2017 |
| coolinin.gdn | seoboss@seznam.cz | 3/5/2017 |
| milliption.gdn | seoboss@seznam.cz | 3/5/2017 |
| resourdish.gdn | seoboss@seznam.cz | 3/5/2017 |
| werned.gdn | seoboss@seznam.cz | 3/1/2017 |
| psittan.gdn | seoboss@seznam.cz | 3/1/2017 |
| westponent.gdn | seoboss@seznam.cz | 3/1/2017 |
| confidely.gdn | seoboss@seznam.cz | 3/1/2017 |
| elecommon.gdn | seoboss@seznam.cz | 3/1/2017 |
| cominents.gdn | seoboss@seznam.cz | 3/1/2017 |
| slightfall.gdn | seoboss@seznam.cz | 2/27/2017 |
| wallther.gdn | seoboss@seznam.cz | 2/27/2017 |
| dravitalia.gdn | seoboss@seznam.cz | 2/27/2017 |
| paltruise.gdn | seoboss@seznam.cz | 2/27/2017 |
| irritorian.gdn | seoboss@seznam.cz | 2/27/2017 |
| unexperic.gdn | seoboss@seznam.cz | 2/27/2017 |
| centuation.gdn | seoboss@seznam.cz | 2/27/2017 |
| germante.gdn | seoboss@seznam.cz | 2/27/2017 |
| thousales.gdn | seoboss@seznam.cz | 2/26/2017 |
| zachael.gdn | seoboss@seznam.cz | 2/26/2017 |
| chromotor.gdn | seoboss@seznam.cz | 2/26/2017 |
| wrapsing.gdn | seoboss@seznam.cz | 2/26/2017 |
| seconquest.gdn | seoboss@seznam.cz | 2/26/2017 |
| hickenzi.gdn | seoboss@seznam.cz | 2/26/2017 |
| sidentitis.gdn | seoboss@seznam.cz | 2/23/2017 |
| concephall.gdn | seoboss@seznam.cz | 2/23/2017 |
| neveraged.gdn | seoboss@seznam.cz | 2/22/2017 |
| havenhoek.gdn | seoboss@seznam.cz | 2/22/2017 |
| dispanic.gdn | seoboss@seznam.cz | 2/22/2017 |
| discussels.gdn | seoboss@seznam.cz | 2/22/2017 |
| explosin.gdn | seoboss@seznam.cz | 2/22/2017 |
| austribach.gdn | seoboss@seznam.cz | 2/22/2017 |
| rulence.gdn | seoboss@seznam.cz | 2/22/2017 |
| patteriod.gdn | seoboss@seznam.cz | 2/22/2017 |
| sebrisburg.gdn | seoboss@seznam.cz | 2/22/2017 |
| becomple.gdn | seoboss@seznam.cz | 2/22/2017 |
| entrary.gdn | seoboss@seznam.cz | 2/22/2017 |
| mormous.gdn | seoboss@seznam.cz | 2/22/2017 |
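The three tables above support a standard infrastructure pivot: domains that appear on both hosting IPs tie the IPs to one operator, the WHOIS dates show the domains were registered in bursts, and registrant-linked domains that passive DNS has not seen yet are candidates for proactive blocking. The script below, an added example that is not part of the original post, runs that pivot over the rows copied from the tables; the data is the post's own, the function names are mine.

```python
"""Infrastructure pivot over the passive DNS and WHOIS rows quoted above.

Added example, not part of the original post. The domain, IP and date
data are copied from the post's three tables; the function names are mine.
"""
from collections import Counter

# Passive DNS: IP -> domains observed resolving to it (first two tables above)
PDNS = {
    "62.75.195.128": [
        "milliption.gdn", "decipio.gdn", "africal.gdn", "vessed.gdn",
        "resourdish.gdn", "wow1.paramework.xyz", "psittan.gdn",
        "wow3.paramework.xyz", "wow2.paramework.xyz",
    ],
    "209.126.118.91": [
        "coolinin.gdn", "procody.gdn", "slightfall.gdn", "restribe.gdn",
        "milliption.gdn", "vessed.gdn", "africal.gdn", "resourdish.gdn",
        "psittan.gdn",
    ],
}

# WHOIS (third table above): every row has the same registrant e-mail, so the
# rows are keyed by registration date.
REGISTRANT = "seoboss@seznam.cz"
WHOIS_BY_DATE = {
    "2017-03-05": ["decipio.gdn", "restribe.gdn", "procody.gdn", "vessed.gdn",
                   "africal.gdn", "coolinin.gdn", "milliption.gdn", "resourdish.gdn"],
    "2017-03-01": ["werned.gdn", "psittan.gdn", "westponent.gdn", "confidely.gdn",
                   "elecommon.gdn", "cominents.gdn"],
    "2017-02-27": ["slightfall.gdn", "wallther.gdn", "dravitalia.gdn", "paltruise.gdn",
                   "irritorian.gdn", "unexperic.gdn", "centuation.gdn", "germante.gdn"],
    "2017-02-26": ["thousales.gdn", "zachael.gdn", "chromotor.gdn", "wrapsing.gdn",
                   "seconquest.gdn", "hickenzi.gdn"],
    "2017-02-23": ["sidentitis.gdn", "concephall.gdn"],
    "2017-02-22": ["neveraged.gdn", "havenhoek.gdn", "dispanic.gdn", "discussels.gdn",
                   "explosin.gdn", "austribach.gdn", "rulence.gdn", "patteriod.gdn",
                   "sebrisburg.gdn", "becomple.gdn", "entrary.gdn", "mormous.gdn"],
}


def shared_domains(pdns):
    """Domains that resolved to more than one of the campaign IPs.

    These tie the two hosting IPs to one operator before WHOIS is even consulted."""
    seen = Counter(d for domains in pdns.values() for d in set(domains))
    return {d for d, n in seen.items() if n > 1}


def registration_batches(whois_by_date):
    """How many domains were registered on each day (burst registration)."""
    return Counter({date: len(domains) for date, domains in whois_by_date.items()})


def unobserved_registrations(whois_by_date, pdns):
    """Registrant-linked domains that passive DNS has not yet seen in use.

    Same registrant, same TLD, same registration bursts, but no resolutions
    yet: the ones worth blocking before they are rotated into the gate."""
    observed = {d for domains in pdns.values() for d in domains}
    registered = {d for domains in whois_by_date.values() for d in domains}
    return sorted(registered - observed)


if __name__ == "__main__":
    print("shared across both IPs:", sorted(shared_domains(PDNS)))
    for date, n in sorted(registration_batches(WHOIS_BY_DATE).items()):
        print(f"{date}: {n} domains registered to {REGISTRANT}")
    dormant = unobserved_registrations(WHOIS_BY_DATE, PDNS)
    print(f"{len(dormant)} registered but not yet seen in passive DNS, e.g. {dormant[:3]}")
```

Five domains sit on both IPs, all 42 registrations fall on six days between 2/22 and 3/5, and 32 of the registrant's domains had not resolved anywhere at the time of the tables, which is the argument for blocking on the registrant rather than on the handful of domains seen in traffic.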
The iframe on the decoy site points at the ad domains acting as the gate. The script served by the gate fingerprints the visitor's system.
The fingerprinting checks whether the browser is Internet Explorer and that it is not a crawler. On March 6th, 2017, I noticed that it had added checks for Fiddler, FFDec, VirtualBox, and VMware:
You can read more about the new checks HERE.
The page returned by the gate loads where the banner ad would be. If the system passes the checks, the script issues a POST request to a URL pointing at the RIG exploit kit landing page:
The RIG exploit kit landing page is loaded in the same location as the gate:
The nonsensical sentences “Trick can you fix my BMW” and “Boys want education ty” are displayed where the banner ad would be. Looking more closely at the page returned to the host, however, shows that it is actually the RIG landing page:
The EK dropped 06amrddi.exe and m73hwg6i.exe (the same file under two names) in %TEMP%:
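The chain just described, gate on a fake ad domain, POST to the RIG landing page on a second host, Flash exploit from that host, is easy to pick out of proxy logs once the gate domain is known. The detector below is an added example, not code from the original post: only the gate host is matched against the IOCs listed under Additional IOCs, and the landing and exploit stages are recognised by behaviour (a POST to a different host shortly after the gate hit, then a Flash object from that host), so a new RIG host behind the same gate is still caught. The log format, the client IPs, the referring adult site, the paths and the timings are constructed for the example; the gate and EK hosts are the ones from the IOC list.

```python
"""Detect the HookAds -> RIG chain described above in proxy logs.

Added example, not code from the original post. The log format, client IPs,
referring site, paths and timings are constructed; milliption.gdn and
temp.levvi.com are the gate and EK hosts from the Additional IOCs section.
"""
from datetime import datetime, timedelta

GATE_HOSTS = {"milliption.gdn"}     # fake ad server acting as the RIG gate (IOC)
EK_HOSTS = {"temp.levvi.com"}       # RIG EK landing host (IOC), used only to label output
FLASH = "application/x-shockwave-flash"
WINDOW = timedelta(seconds=60)      # how long after the gate hit we look for the landing

# Constructed proxy log: time client method host path referer-host content-type
SAMPLE_LOG = """\
2017-03-20T13:21:02 10.0.0.7 GET adultsite.example / - text/html
2017-03-20T13:21:03 10.0.0.7 GET milliption.gdn /ads/banner.js adultsite.example application/javascript
2017-03-20T13:21:05 10.0.0.7 POST temp.levvi.com /index.php milliption.gdn text/html
2017-03-20T13:21:08 10.0.0.7 GET temp.levvi.com /exploit.swf temp.levvi.com application/x-shockwave-flash
2017-03-20T13:25:10 10.0.0.9 GET milliption.gdn /ads/banner.js adultsite.example application/javascript
2017-03-20T13:30:00 10.0.0.11 POST intranet.example /login intranet.example text/html
"""

STAGE_RANK = {"gate": 0, "landing": 1, "flash": 2}


def parse(log):
    """Split the constructed space-delimited log into dicts, oldest first."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, referer, ctype = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "client": client, "method": method,
                     "host": host, "path": path, "referer": referer, "ctype": ctype})
    return sorted(rows, key=lambda r: r["ts"])


def detect(log):
    """Return {client: (stage, landing_host)} for every client that touched a gate.

    Stages: 'gate'    - GET to a known fake ad domain
            'landing' - followed within WINDOW by a POST to another host
            'flash'   - that host then served a Flash object (exploit delivery)
    Only the gate stage is IOC-driven; the later two are behavioural."""
    by_client = {}
    for r in parse(log):
        by_client.setdefault(r["client"], []).append(r)
    hits = {}
    for client, rows in by_client.items():
        for i, r in enumerate(rows):
            if r["method"] != "GET" or r["host"] not in GATE_HOSTS:
                continue
            stage, landing = "gate", None
            for later in rows[i + 1:]:
                if later["ts"] - r["ts"] > WINDOW:
                    break
                if landing is None and later["method"] == "POST" and later["host"] != r["host"]:
                    stage, landing = "landing", later["host"]
                elif landing and later["host"] == landing and later["ctype"] == FLASH:
                    stage = "flash"
                    break
            # keep the furthest stage reached by this client
            if client not in hits or STAGE_RANK[stage] > STAGE_RANK[hits[client][0]]:
                hits[client] = (stage, landing)
    return hits


if __name__ == "__main__":
    for client, (stage, landing) in sorted(detect(SAMPLE_LOG).items()):
        known = " (known RIG host)" if landing in EK_HOSTS else ""
        print(f"{client}: reached stage '{stage}' landing={landing}{known}")
```

In the constructed log, 10.0.0.7 walks the full chain and is reported at the flash stage with temp.levvi.com as the landing host, 10.0.0.9 only contacted the gate (the fingerprinting script would have stopped a non-IE or instrumented browser there), and 10.0.0.11 never touched a gate and is not reported at all. Widen WINDOW if your proxy logs are batched, and treat a gate-only hit as worth a look anyway: it still means the user was served the malvertising chain.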
Additional IOCs
Network:
- 62.75.195.128 – milliption.gdn – Fake ad domain
- 92.53.104.78 – temp.levvi.com – RIG EK
Hashes:
SHA256: 14be41a97b8d0b4cb626f1a659ba895847436e68721a8119e7ddd05b6cd3d69d
File name: RIG EK Flash Exploit.swf
SHA256: 14fcca3094cef0d5bff90a09eca427ff3975ed15265d46207c2e8b124619df62
File name: 06amrddi.exe and m73hwg6i.exe
Hybrid-Analysis Report
DeepViz Report
Download Artifacts (password is the same word used by other EK researchers):
References:
https://blog.malwarebytes.com/cybercrime/exploits/2016/11/the-hookads-malvertising-campaign/
[…] Looking at the list of domains found on the same Alibaba IP, we see a domain called "paltruise.gdn". The registrant email address for this domain is "seoboss@seznam.cz". This registrant has registered 125 domains (confirmed via DomainTools as of January 17, 2018), many of which are linked to malicious activity. Given these links, the domains associated with this registrant email address are believed to be used as part of the Rig exploit infrastructure. As of October 19, 2017, "paltruise.gdn" was hosted on the Alibaba IP address 47.90.202.68, and just two days earlier a domain registered to "whois-protect@hotmail.com" was hosted on the same IP address. […]