A couple of coworkers and I stumbled across a malvertising campaign that I’ve playfully dubbed “Despicable” for its heavy use of the .ME TLD. So far, I haven’t found any public documentation about this campaign. Having said that, I wouldn’t be surprised if it was currently on other people’s radars.
Background into the campaign
Research into this campaign shows that, among other means, it is utilizing PopAds, an advertising network that specializes in popunder advertisements, to redirect hosts to their domains. Popunders from ad networks, like PopAds, are generated whenever the user clicks anywhere on the site. Furthermore, their popunders are specifically advertised as a way to bypass popup blockers.
One category of domains that often employs popunder ads is video streaming websites, where people are trying to watch live sporting matches. Another popular category of sites utilizing these kinds of ads is file sharing sites. It shouldn’t be a surprise to anyone that sites hosting questionable content are often riddled with potentially malicious redirects.
On the other hand, PopAds popunders aren’t the only way hosts are being redirected in this malvertising campaign. For example, I have found numerous cases of this campaign using ads from domains like mygtmn.com and prestoris.com. Both of these domains geolocate to the Netherlands, share the same registrar (URL Solutions, Inc) and protect their registrant information with Global Domain Privacy Services, Inc. Funnily enough, prestoris.com was also mentioned in a recent FireEye blog post about malvertising (see Table 2: Ads used in this campaign).
Lastly, I found a couple examples of onclkds.com redirecting hosts to the Despicable .ME domains:
All these sites draw a decent amount of traffic; however, I’m not sure how big this campaign is or even the range of payloads being delivered by it. That being said, almost all the RIG exploit kit activity that I’ve been seeing over the last week has been related to this campaign. Luckily for users, more often than not a competent anti-virus solution will stop malicious redirects.
Identifying the malvertising campaign
The domains used in this campaign seem to be favoring the registrar Namecheap, Inc. Regrettably, their domain registrant information is being protected by WhoisGuard, Inc. This will make it harder to piece together their infrastructure. Additionally, all the domains appear to be using Cloudflare’s services.
While researching this malvertising campaign, I also noticed that many URLs in the redirection chains had nearly identical structures. For example, below are two URLs found in separate infection chains.
dere879[.]me/click.php?key=4kc7zvby6a6bd1ndcuj4&websiteid=1239709&quality=2&categoryid=37&formfactorname=Desktop/Notebook&campaignid=4668687&campaignname=newtest&screenresolution=1280x800&impressionid=15342292781&bid=0.01914
ipichnaear[.]me/click.php?post=spcxzbznjd&websiteid=459897&quality=6&categoryid=4&formfactorname=Desktop/Notebook&campaignid=4697100&campaignname=pichna_RO&screenresolution=1680x1050&impressionid=14780045942&bid=0.0176
Image of additional URLs found during research which shows a pattern:
The URL parameters:
- key (contains 20 alphanumeric characters) OR post (contains 10 letters)
- websiteid
- quality
- categoryid
- formfactorname
- campaignid
- campaignname
- screenresolution
- impressionid
- bid
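An added detection example (not code from the original post): a matcher for the first-stage URL structure listed above, meant to be run over proxy or DNS-adjacent web logs. The function names and the two benign sample URLs are constructed for illustration; the parameter names and token lengths come from the list above, and the token-only case covers the shortened click.php URL the post describes next.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tracking parameters the post lists after the key/post token.
TRACKING_PARAMS = {
    "websiteid", "quality", "categoryid", "formfactorname", "campaignid",
    "campaignname", "screenresolution", "impressionid", "bid",
}
KEY_RE = re.compile(r"[A-Za-z0-9]{20}")  # key: 20 alphanumeric characters
POST_RE = re.compile(r"[A-Za-z]{10}")    # post: 10 letters


def classify_click_url(url):
    """Return 'full', 'token-only' or None for one logged URL."""
    url = url.replace("[.]", ".")        # accept defanged indicators
    url = url if "://" in url else "http://" + url  # logs may omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Every first-stage redirector in the post is a .ME host serving /click.php.
    if not host.endswith(".me") or parts.path != "/click.php":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    token_ok = any(
        name in params and rx.fullmatch(params[name][0])
        for name, rx in (("key", KEY_RE), ("post", POST_RE))
    )
    if not token_ok:
        return None
    others = set(params) - {"key", "post"}
    if TRACKING_PARAMS <= others:
        return "full"                    # token plus all nine ad parameters
    if not others:
        return "token-only"              # shortened variant seen on 06/11/17
    return None


def scan(urls):
    """Map each matching URL to its classification, skipping non-matches."""
    verdicts = ((u, classify_click_url(u)) for u in urls)
    return {u: v for u, v in verdicts if v}


# The first URL is quoted in the post; the other two are constructed.
SAMPLE_URLS = [
    "bosshugss[.]me/click.php?post=lqdhalswqo",
    "http://shop.example.com/click.php?post=lqdhalswqo",
    "http://example.me/click.php?id=12345",
]
print(scan(SAMPLE_URLS))
```

A "full" hit is the stronger signal; "token-only" matches are better treated as leads to correlate with a following 302 to a second .ME host.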
However, I also noticed that sometimes the URL structures changed. For example, on 06/11/17 I was redirected from bosshugss[.]me/click.php?post=lqdhalswqo to the gate caramella.fun:

Caramella.fun redirected me to a benign site. Also notice that this redirection chain was using mygtm.com as the referer.
I’m not entirely sure what prompted this change in the URL.
However, what I do know is that these URLs were being used as their first stage redirector. Specifically, they are designed to redirect the host to additional domains that are acting as gates for RIG exploit kit. Domains being used as first stage redirectors include:
- dere879.me
- jpar333.me
- sorafef.me
- drossel.me
- ipichnaear.me
- wlespuld.me
- bosshugss.me
- derraaa11.me
- corsher3.me
- ganzerri.me
- carajoin.me
The GET request for the first stage URL (shown below) returns a “302 Moved Temporarily” and points to a gate at dionbeno.me:
Dionbeno.me returns a “302 Found” and redirects my host to the RIG EK landing page at 193.124.117.67:
I also want to point out that sometimes I’ve seen the gate URLs change as well. For example, in one redirection chain the host went from serve.popads.net to wlespuld.me to the gate URL of wlespulsd1[.]me/?user_id=1. This ended up redirecting the host to RIG EK at 194.87.232.58.
In total, I’ve been able to identify 6 of these gates; however, I’m sure there are more to come:
- dionbeno.me
- ipichnaear22.me
- caramella.fun
- wlespulsd1.me
- derraaa22.me
- caramella.life
Going directly to these gates won’t result in a redirect to an exploit kit. Instead, the user would be redirected to a benign domain that was registered by the same threat actors.
Lastly, as I stated before, I’m not sure of the range of payloads being delivered by the Despicable malvertising campaign. The payload that I ended up getting from the Despicable malvertising campaign was the Chthonic banking Trojan. Below is an example from this malvertising campaign dropping Chthonic:
Until next time!
If these ID-10-T’s are hiding behind Cloudflare, then Cloudflare should be held criminally liable. The Cloudflare CEO, Matthew Prince, only cares about money and not security. It’s widely known.