Not long ago we wrote about a new piece of malware called 'Trick Bot' which we caught in a malvertising attack via a high trafficked adult website. In the meantime, we uncovered another malvertising campaign that started at least in mid-August, and which leverages decoy adult portals to spread malware. Internally, we call it the HookAds campaign based on a string found within the delivery URL.
What's interesting in this specific attack chain is the use of adult sites injected with new rogue ad domains that change quite frequently. However, upstream traffic to those adult sites also shows a pattern of malvertising via the usual suspects. In this post, we take a look at the distribution channel and the rogue infrastructure behind HookAds.
Link with previous campaign
There is one distribution path that connects this campaign with the one we previously caught. In fact, much of the traffic sent to HookAds comes from malvertising on top adult sites that generate millions of visits a month. Visitors to the first XXX site will be redirected to the decoy secondary site via a simple malvertising chain.
Malware
Converting adult traffic
We estimate that at least one million visitors to adult websites were exposed to this particular campaign. Adult traffic is funneled to one of several decoy adult websites where an iframe to adult banner is injected dynamically. The ad is served from a third-party server which performs cloaking in order to detect whether this is legitimate new traffic or not.
Non-targets are served a banner ad which redirects to other adult sites, via legitimate ad networks. However, that same server can also serve a malicious script instead, whose goal is to redirect the victim to the RIG exploit kit (back in August, Neutrino EK was pushed). The overall flow can be summarized in the diagram below:
Flow diagram
Fake ad server infrastructure
The fake ad server infrastructure grew during the past few months and our honeypots caught 3 sequential IP addresses that host over a hundred rogue ad domains. All of these domains have been registered with the intention of looking like advertising platforms. While some domains were used for long periods of time, most switched every day or so to let a new one in.
Sponsoring Registrar: EvoPlus Ltd
Name Server: NS[0-9].TOPDNS.ME
185.51.244.206
185.51.244.207
185.51.244.207
Exploit kit and payload overview
This campaign yields a fair amount of traffic that is fed to the RIG-v exploit kit, the latest (VIP) version of RIG EK. One of the early changes with RIG-v was a different landing page from the classic version, with the use of Unicode characters. Another change came more recently with new, less predictable URL patterns.
Traffic Papras
Below is a decoded portion of the RIG-v landing page (many thanks to David Ledbetter) showing the new URL structure (thank you, @malfosec for asking me about it).
Decoded portion of RIG-v landing page
The Flash exploit RIG-v uses is protected by SWFLOCK, an online obfuscator/cryptor for Flash files (other EKs like Magnitude use DoSWF) which has the following very helpful features:
Code obfuscation and encryption using our proven technology Prevent your SWF from running offline or on other websites Allow your SWF to run for a given trial period only Protectyour SWF with a password
SWFLOCK
There were a lot of payloads dropped throughout this campaign (for a partial list of hashes, please refer to the IOCs below).
Conclision
The HookAds malvertising campaign is still running at the time of writing this post, with new rogue ad domains getting registered each day. We are blocking the malicious IP range to protect our customers and Malwarebytes Anti-Exploit users are also shielded against the RIG exploit kit.
IOCs
IPs
185.51.244.206
185.51.244.207185.51.244.208
Domains:
adbreak.info
adsads.info
adsgodzilla.info
adsjam.info
adsloop.info
adspaces.info
adsplaces.info
adsstock.info
adsyndicate.info
adszones.info
adultadspace.info
adultbanner.info
adultmedia.info
adultspace.info
adzones.info
bannerplant.info
basicclicks.net
besthookup.info
betterad.info
bonbonads.info
bonuscpm.info
bonusmedia.info
boostedads.info
brothermedia.info
bucksdelivery.info
bulbcpm.info
canelonads.info
chooseyourads.info
clickandjoy.info
clickerbonus.info
clickspoint.info
cometamedia.info
comspacecom.info
coolads.info
coolbanner.info
cooperloop.info
cozyads.info
crazycpm.info
crazymedia.info
deluxeads.info
doodleads.info
endcpm.info
entropymedia.info
exxtraprofit.info
famousads.info
fancyads.info
ferroad.info
ferromedia.info
findsilver.info
flashspots.info
fortynn.info
foxycpm.info
freehookuper.info
freshcpm.info
freshmedias.info
frogbigfrog.info
front-page.info
frontrows.info
frtyd.info
frtyegt.info
frtyeht.info
frtyff.info
frtyffe.info
frtyfr.info
frtys.info
frtysvn.info
frtysx.info
frtyten.info
fruitsmedia.info
fullpagecpm.info
funnycpms.info
geniusmedia.info
globuscpm.info
gogobanner.info
goldcpm.info
goldenmedias.info
hookupfind.info
hookupmatch.info
hookupsearch.info
hopstops.info
jockermedia.info
kilomedia.info
luxuryads.info
madiabonus.info
mamasmedia.info
mediadelux.info
mediaoffer.info
mediaqboost.info
mediasforest.info
mediashouse.info
mediaspot.info
mediasupply.info
mediaszone.info
mediaszones.info
mediawonder.info
mightycpm.info
mindflash.info
monkeybusy.info
monstercpm.info
multiads.info
okandok.info
pandasmedia.info
papasads.info
parishads.info
penads.info
pointofprofit.info
popularmedias.info
porkymedia.info
postermedia.info
profitbanner.info
promolinks.info
promorobot.info
prormohookup.info
pushtheads.info
randomads.info
rangoomedia.info
rearmedia.info
revolverads.info
richcpm.info
safemedia.info
scrollpgp.com
sensecpm.info
shockdelivery.info
silentmedia.info
silvermedias.info
smarterads.info
sputnikads.info
standupmedia.info
startmedia.info
staycold.info
supperpromo.info
swagads.net
sweeptip.info
swipeflirts.info
swipesflirt.info
takemeup.info
thousandads.info
trafficprofit.info
trustedmedias.info
ugetmore.info
uniquemedias.info
vertigoads.info
whitecpm.info
wideads.info
wildwildmedia.info
yoursbanner.info
zorroads.info
Malware hashes:
329c033b15df3cb41dc9aed57272a0dd125f9c85f027ce2954b620261cf3d074 c15710703cbcbaa17324a69cb274b262795a5bd8700a89b3fa8abcf72e613f50 e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d 83a9f0f488e5f1046c5914b65877fb37e8ae7fa185f334cdc683cbd7e4614869 bd58161f66335f72614982d9f81c999cde3b2da8660e16cec15c298b2a995371 a96b468620ffa3f3a93198d99710c83a575206412e6a958c0c09007fcea05832 746d859772d0a7de26e47e2dfc2bf722eea90f65e0497a0e4d87e06f4ab183b8 c13ece2c81769af954fae66ee89ec0d2491bbb839d22f27bb9b048ea9e460d4a f473c2b4caf126a1b82284e2914838d18005c88a739355b42da16e5dc4caa3f4 124e4608528c013f4e14655d90beee3ded8c8b3aa54356a24d5c483c6818502a 03070471659084b60a05efcd5d252c3d7ed53089522dfbf816868a6eb0c947e4 85dd8381e73474b63aa5d70656cae94b6be5e863b6ff6287d981488538e6b99c 7b6bea5fec6da2782db6ac4d71414a3425d4605bcd8332d2e1f518d6388cae45 e2a2395da1b0ccac51a0ad858a8de95bc7664f753d4b9a86c8f866f8353136e6 4979bbceccbb991c909307d452666168ce660374079e299a13abae02c08960c1 429f1ec2ef25338c33bac28421e6ecb5e436211a7c56396bee3d4398ef4344ee e8abc7a39547bc1d6949bb8e2543bd6caddec8e873c441815a1d6c3ad2d63191 5b62f31b10cd19548ce294929827bf39d5c9c91ce5cc18391308b983363bf80f 94442f616763e37dc0ef7dd8358b80dfc07a4ae2b355c3fd39aa09957b300c78 61304505a4e2fbfc77dd4b6ce3cc01ebb1a6ab2d444b65e415bd9ac22dbeb899