Malvertising campaigns leading to exploit kits are nowhere near as common as they used to be. Indeed, a number of threat actors have moved on to other delivery methods instead of relying on drive-by downloads.
However, occasionally we see spikes in activity that are noticeable enough to highlight a successful run. In late August, we started seeing a Fallout exploit kit campaign distributing the Raccoon Stealer via high-traffic adult sites. Shortly after we reported it to the ad network, the same threat actor came back using the RIG exploit kit instead.
Then we observed perhaps the most significant campaign to date on the top site xhamster[.]com, from a malvertiser we have tracked for well over a year. This threat actor has managed to abuse practically all adult ad networks, but this may be the first time they have hit a top publisher.
Malvertising on a regular ad network
The first malicious advertiser we observed was able to bid for ads on a number of adult sites by targeting users running Internet Explorer without any particular geolocation restriction, although the majority of victims were in the US.
Figure 1: Victims by country on the left, adult site traffic on the right
In this campaign, the crooks abused the popular ad network ExoClick by using different redirection pages. However, each time we were able to notify the ad network and get them shut down quickly.
The first domain they used was inteca-deco[.]com, which was set up as a web design agency but was visibly a decoy page to the trained eye.
Figure 2: Decoy page used as a gate to the exploit kit
Simple server-side cloaking performs the redirect to a Fallout exploit kit landing page, which attempts to exploit CVE-2019-0752 (Internet Explorer) and CVE-2018-15982 (Flash Player) before dropping the Raccoon Stealer.
Figure 3: Traffic for the Fallout exploit kit
About 10 days later, another domain, websolvent[.]me, became active but used a different redirection technique: a 302 redirect, also known as 302 cushioning. This time we see the RIG exploit kit, which also delivers Raccoon Stealer.
Figure 4: Traffic for the RIG exploit kit
Beyond a common payload, these two domains are also related. A RiskIQ crawl confirms a relationship between these two domains, where the parent host was caught doing a meta refresh redirect to the child:
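Both redirection methods seen in this campaign (an HTTP 302 "cushion" and an HTML meta refresh) can be tied together from captured traffic. The following is an added analyst helper, not code from the post or from Malwarebytes; it walks a set of constructed, placeholder responses from an ad click to the final landing page and records how each hop redirected, so related gate domains can be linked the way the RiskIQ crawl links them.

```python
import re
from urllib.parse import urljoin, urlsplit

# Captures the target URL of an HTML meta refresh tag.
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample of captured HTTP responses, keyed by request URL:
# (status, headers, body). All hostnames are placeholders, not real sites.
CAPTURE = {
    "http://ads.example/click?id=42": (302, {"Location": "http://gate-a.example/"}, ""),
    "http://gate-a.example/": (200, {}, '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://gate-b.example/in"></head><body>Web design agency</body></html>'),
    "http://gate-b.example/in": (302, {"Location": "http://landing.example/?s=7"}, ""),
    "http://landing.example/?s=7": (200, {}, "<html><body>landing page</body></html>"),
}


def next_hop(url, status, headers, body):
    """Return (target_url, method) for one response, or (None, None) for a final page."""
    if status in REDIRECT_STATUSES and "Location" in headers:
        return urljoin(url, headers["Location"]), "http-%d" % status
    match = META_REFRESH.search(body)
    if match:
        return urljoin(url, match.group(1)), "meta-refresh"
    return None, None


def redirect_chain(capture, start, max_hops=10):
    """Walk captured responses from `start`, recording each hop and how it redirected."""
    chain = [(start, "start")]
    seen = {start}
    url = start
    while url in capture and len(chain) <= max_hops:
        target, method = next_hop(url, *capture[url])
        if target is None or target in seen:  # final page, or a redirect loop
            break
        chain.append((target, method))
        seen.add(target)
        url = target
    return chain


def chain_hosts(chain):
    """Hostnames along the chain, useful for pivoting on the gate domains."""
    return [urlsplit(url).hostname for url, _ in chain]


if __name__ == "__main__":
    for url, method in redirect_chain(CAPTURE, "http://ads.example/click?id=42"):
        print(f"{method:>12}  {url}")
```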
Malvertising on a top adult site gets maximum reach
The second malvertiser ('malsmoke') is one that we have tracked diligently over the past several months and whose final payload is often the Smoke Loader malware. It is by far the most daring and successful one in that it goes after larger publishers and a variety of ad networks. However, up until now we had only seen them on publishers from the adult industry that are still relatively small in scale.
In this instance, the threat actor was able to abuse the Traffic Stars ad network and place their malicious ad on xhamster[.]com, a site with just over 1.06 billion monthly visits according to SimilarWeb.com.
The gates used by this group also rely on a decoy site, and over time they have registered domains mimicking ad networks and cloud providers.
Figure 6: Malicious popunder on xhamster (brought to the forefront)
The redirection mechanism is more sophisticated than those used in other malvertising campaigns. There is some client-side fingerprinting along with connectivity checks to avoid VPNs and proxies, so that only legitimate IP addresses are targeted.
Figure 7: Traffic for the xhamster malvertising
Interestingly, this Smoke Loader instance also downloads Raccoon Stealer and ZLoader.
Malsmoke is probably the most persistent malvertising campaign we have seen this year. Unlike other threat actors, this group has shown that it can rapidly switch ad networks to keep its business uninterrupted.
Figure 8: Malvertising campaigns related to malsmoke
Still using Internet Explorer?
Threat actors still leveraging exploit kits to deliver malware is one thing, but end users browsing with Internet Explorer is another. Despite recommendations from Microsoft and security professionals, we can only observe that there are still a number of users (consumer and enterprise) worldwide who have yet to migrate to a modern and fully supported browser.
As a result, exploit kit authors are squeezing the last bit of juice from vulnerabilities in Internet Explorer and Flash Player (due to be retired for good next year).
Malwarebytes customers have long been protected from malvertising and exploit kits. We continue to track and report the campaigns we run into to help do our part in keeping the Internet safer.
Indicators of compromise
Gates used in the malvertising campaign pushing Raccoon Stealer
Raccoon Stealer C2s
Smoke Loader C2s
Gates used in the malsmoke campaign
Tweets referencing the malsmoke campaign