Myself and a couple other coworkers stumbled across a malvertising campaign that I’ve playfully dubbed “Despicable” for its heavy use of the .ME TLD. So far, I haven’t found any public documentation about this campaign. Having said that, I wouldn’t be surprised if it was currently on other people’s radars.
Background into the campaign
Research into this campaign shows that, among other means, it is utilizing PopAds, an advertising network that specializes in popunder advertisements, to redirect hosts to their domains. Popunders from ad networks, like PopAds, are generated whenever the user clicks anywhere on the site. Furthermore, their popunders are specifically advertised as a way to bypass popup blockers.
One category of domains that often employ popunder ads are video streaming websites, where people are trying to watch live sporting matches. Another popular category of sites utilizing these kinds of ads are file sharing sites. It shouldn’t be a surprise to anyone that sites hosting questionable content are often riddled with potentially malicious redirects.
On the other hand, PopAds popunders aren’t the only way hosts are being redirected in this malvertising campaign. For example, I have found numerous cases of this campaign using ads from domains like mygtmn.com and prestoris.com. Both of these domains have a geo-location of the Netherlands as well as the same registrar (URL Solutions, Inc) and they both protect their registrant information with Global Domain Privacy Services, Inc. Funny enough, prestoris.com was also mentioned in a recent FireEye blog (see Table 2: Ads used in this campaign) post about malvertising.
Lastly, I found a couple examples of onclkds.com redirecting hosts to the Despicable .ME domains:
All these sites draw a decent amount of traffic, however, I’m not sure how big this campaign is or even the range of payloads being delivered by it. That being said, almost all the RIG exploit kit that I’ve been seeing over the last week has been related to this campaign. Luckily for users, more often than not a competent anti-virus solution will stop malicious redirects.
Identifying the malvertising campaign
The domains used in this campaign seem to be favoring the registrar Namecheap, Inc. Regrettably, their domain registrant information is being protected by WhoisGuard, Inc. This will make it harder to piece together their infrastructure. Additionally, all the domains appear to be using Cloudfare’s services.
While researching this malvertising campaign, I also noticed that many URLs in the redirection chains had nearly identical structures. For example, located below you will find two examples of URLs found in separate infections chains.
Image of additional URLs found during research which shows a pattern:
The URL parameters:
- key (contains 20 alphanumeric characters) OR post (contains 10 letters)
However, I also noticed that sometimes the URL structures changed. For example, on 06/11/17 I was redirected from bosshugss[.]me/click.php?post=lqdhalswqo to the gate caramella.fun:
I’m not entirely sure what prompted this change in the URL.
However, what I do know is that these URLs were being used as their first stage redirector. Specifically, they are designed to redirect the host to additional domains that are acting as gates for RIG exploit kit. Domains being used as first stage redirectors include:
The GET request for the first stage URL (shown below) returns a “302 Moved Temporarily” and points to a gate at dionbeno.me:
Dionbeno.me returns a “302 Found” and redirects my host to the RIG EK landing page at 184.108.40.206:
I also want to point out that sometimes I’ve seen the gate URLs change as well. For example, in one redirection chain the host went from serve.popads.net to wlespuld.me to the gate URL of wlespulsd1[.]me/?user_id=1. This ended up redirecting the host to RIG EK at 220.127.116.11.
In total, I’ve been able to identify 6 of these gates, however, I’m sure there are more to come:
Going directly to these gates won’t result in a redirect to an exploit kit. Instead, the user would be redirected to a benign domain that was registered by the same threat actors.
Lastly, as I stated before, I’m not sure of the range of payloads being delivered by the Despicable malvertising campaign. The payload that I ended up getting from the Despicable malvertising campaign was Chthonic banking Trojan. Below is an example from this malvertising campaign dropping Chthonic:
RIG EK IPs and subdomains:
amellet.bit – 18.104.22.168
aprode.bit – 22.214.171.124
Files and Hashes:
File name: 126.96.36.199 RIG EK landing page.txt
File name: 188.8.131.52 RIG EK Flash exploit.swf
File name: o32.tmp
File name: h8bddrkn.exe
File name: wWindowsSidebar.exe
Until next time!
If these ID-10-T’s are hiding behind Cloudflare, then Cloudflare should be held criminally liable. The Cloudflare CEO, Matthew Prince, only cares about money and not security. It’s widely known.