Malvertising campaigns leading to exploit kits are nowhere near as common these days. Indeed, a number of threat actors have moved on to other delivery methods instead of relying on drive-by downloads.

However, occasionally we see spikes in activity that are noticeable enough to highlight a successful run. In late August, we started seeing a Fallout exploit kit campaign distributing the Raccoon Stealer via high-traffic adult sites. Shortly after we reported it to the ad network, the same threat actor came back again, this time using the RIG exploit kit.

Then we saw possibly the largest campaign to date, on the top site xhamster[.]com, from a malvertiser we have tracked for well over a year. This threat actor has managed to abuse practically all adult ad networks, but this may be the first time they hit a top publisher.

Malvertising on popular ad network

The first malicious advertiser we saw was able to bid for ads on a number of adult sites by targeting users running Internet Explorer without any particular geolocation restriction, although the majority of victims were in the US.

Figure 1: Victims by country on the left, adult sites traffic on the right

In this campaign, the crooks abused the popular ad network ExoClick by using different redirection pages. However, each time we were able to notify the ad network and get them shut down quickly.

The first domain they used was inteca-deco[.]com, which was set up as a web design agency but was visibly a decoy page to the trained eye.

Figure 2: Decoy page used as a gate to exploit kit

Simple server-side cloaking performs the redirect to a Fallout exploit kit landing page, which attempts to exploit CVE-2019-0752 (Internet Explorer) and CVE-2018-15982 (Flash Player) before dropping the Raccoon Stealer.

Figure 3: Traffic for Fallout exploit kit

About 10 days later, another domain, websolvent[.]me, became active but used a different redirection technique: a 302 redirect, also known as 302 cushioning. This time we see the RIG exploit kit, which also delivers Raccoon Stealer.

Figure 4: Traffic for RIG exploit kit

Beyond a common payload, these two domains are also related. A RiskIQ crawl confirms a relationship between these two domains, where the parent host was caught doing a meta refresh redirect to the child:

Figure 5: PassiveTotal's host pairs
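As an added illustration (not code from the Malwarebytes post), the following Python rebuilds redirect chains from a set of captured HTTP responses, following both 302 Location headers (the cushioning described above) and HTML meta refresh redirects, and flags any chain that passes through the two gate domains listed in this page's indicators. The response records, the ad-network host and the landing host are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Gate domains listed in this page's indicators of compromise.
GATE_DOMAINS = {"inteca-deco.com", "websolvent.me"}
# Matches <meta http-equiv="refresh" content="0;url=..."> and captures the URL.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)

def next_hop(resp):
    """Next URL via a 3xx Location header (302 cushioning) or a meta refresh, else None."""
    if 300 <= resp["status"] < 400 and "Location" in resp["headers"]:
        return resp["headers"]["Location"]
    m = META_REFRESH.search(resp.get("body", ""))
    return m.group(1) if m else None

def redirect_chains(responses):
    """Rebuild redirect chains from {url, status, headers, body} records, one per response."""
    by_url = {r["url"]: r for r in responses}
    targets = {next_hop(r) for r in responses} - {None}
    chains = []
    for r in responses:
        if r["url"] in targets:
            continue                      # a mid-chain hop, not a chain start
        chain, seen, cur = [r["url"]], {r["url"]}, next_hop(r)
        while cur and cur not in seen:    # stop on a loop or an uncaptured hop
            seen.add(cur)
            chain.append(cur)
            cur = next_hop(by_url[cur]) if cur in by_url else None
        if len(chain) > 1:
            chains.append(chain)
    return chains

def flag_chains(chains, gates=GATE_DOMAINS):
    """Chains with at least one hop on a known gate domain."""
    return [c for c in chains if any(urlparse(u).hostname in gates for u in c)]

# Constructed sample records; the ad-network and landing hosts are placeholders.
SAMPLE = [
    {"url": "https://ads.adnetwork.example/click?id=1", "status": 302,
     "headers": {"Location": "https://websolvent.me/"}, "body": ""},
    {"url": "https://websolvent.me/", "status": 302,
     "headers": {"Location": "https://landing.example/index.php"}, "body": ""},
    {"url": "https://landing.example/index.php", "status": 200, "headers": {},
     "body": "<html>final page</html>"},
    {"url": "https://inteca-deco.com/", "status": 200, "headers": {},
     "body": '<meta http-equiv="refresh" content="0;url=https://landing.example/fallout">'},
]
```

Running `flag_chains(redirect_chains(SAMPLE))` on the sample yields one 302-cushioned chain through websolvent.me and one meta-refresh chain from inteca-deco.com; on real proxy exports the gate set would be extended with current indicators.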

Malvertising on top adult site gets maximum reach

The second malvertiser ('malsmoke') is one that we have tracked diligently over the past several months and whose end payload is often the Smoke Loader malware. It is by far the most daring and successful one, in that it goes after larger publishers and a variety of ad networks. However, up until now we had only seen them on publishers from the adult industry that are still relatively small in scale.

In this instance, the threat actor was able to abuse the Traffic Stars ad network and place their malicious ad on xhamster[.]com, a site with just over 1.06 billion monthly visits according to SimilarWeb.com.

The gates used by this group also use a decoy site, and over time they have registered domains mocking ad networks and cloud providers.

Figure 6: Malicious popunder on xhamster (brought to the forefront)

The redirection mechanism is more sophisticated than those used in other malvertising campaigns. There is some client-side fingerprinting and there are connectivity checks to avoid VPNs and proxies, so that only legitimate residential IP addresses are targeted.

Figure 7: Traffic for xhamster malvertising

Interestingly, this Smoke Loader instance also downloads Raccoon Stealer and ZLoader.

Malsmoke is probably the most persistent malvertising campaign we have seen this year. Unlike other threat actors, this group has shown that it can rapidly switch ad networks to keep its business uninterrupted.

Figure 8: Malvertising campaigns related to malsmoke

Still using Internet Explorer?

Threat actors still leveraging exploit kits to deliver malware is one thing, but end users browsing with Internet Explorer is another. Despite recommendations from Microsoft and security professionals, we can only witness that there are still a number of users (consumer and enterprise) worldwide that have yet to migrate to a modern and fully supported browser.

As a result, exploit kit authors are squeezing the last bit of juice from vulnerabilities in Internet Explorer and Flash Player (due to retire for good next year).

Malwarebytes customers have long been protected from malvertising and exploit kits. We continue to track and report the campaigns we run into, to do our part in keeping the Internet safer.

Indicators of compromise

Gates used in the malvertising campaign pushing Raccoon Stealer

intica-deco[.]com
websolvent[.]me

Raccoon Stealer

b289155154642ba8e9b032490a20c4a2c09b925e5b85dda11fc85d377baa6a6c
f319264b36cdf0daeb6174a43aaf4a6684775e6f0fb69aaf2d7dc051a593de93

Raccoon Stealer C2s

34.105.147[.]92/gate/log.php
chinadevmonster[.]top/gate/log.php

Smoke Loader

23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b

Smoke Loader C2s

dkajsdjiqwdwnfj[.]info
2831ujedkdajsdj[.]info
928eijdksasnfss[.]info

Gates used in the malsmoke campaign


Tweets referencing the malsmoke campaign

https://twitter[.]com/MBThreatIntel/status/1245791188281462784
https://twitter[.]com/FaLconIntel/status/1232475345023987713
https://twitter[.]com/nao_sec/status/1231149711517634560
https://twitter[.]com/tkanalyst/status/1229794466816389120
https://twitter[.]com/nao_sec/status/1209090544711815169
