Top-ranked Advertising Network Leads to Exploit Kit

Threat Overview

The online advertisements that people see across a wide range of popular and lesser-known websites can lead to malware infections and other forms of compromise, sometimes without any user interaction whatsoever and without any indicators there is an issue.

This emerging threat is known as malvertising (a portmanteau of ‘malicious’ and ‘advertising’), and FireEye Labs recently uncovered an ongoing campaign involving online advertising network onclickads[.]net, a domain with an Alexa global rank of 39 and 113 in the United States. Onclickads[.]net is operated by Propeller Ads Media, an online advertising exchange.

In this case, websites serving ad content from onclickads[.]net could infect visitors by first redirecting them to the Rig Exploit Kit. An exploit kit is essentially a toolkit that automatically targets specified software vulnerabilities – primarily to distribute malware.

The FireEye Dynamic Threat Intelligence (DTI) first detected the malvertising activity on Oct. 6, 2015, and the campaign is still active today. Those redirected to the Rig Exploit Kit landing page could be compromised via exploits targeting Adobe Flash, Internet Explorer, Java and Microsoft Silverlight.

For the everyday Internet user, the threat would play out like this: The user navigates to a website; the website serves a malicious advertisement from onclickads[.]net; the user is redirected to the Rig Exploit Kit landing page and one of several vulnerabilities is targeted.

For this particular campaign, a completely successful attack results in the user becoming infected with malware.

Technical Details

DTI detected Rig Exploit Kit URLs on a daily basis and each URL had a similar HTTP Referer header field belonging to onclickads[.]net, as shown in Figure 1.

Figure 1. Example onclickads[.]net referers seen redirecting to Rig Exploit Kit

Malvertising attacks can be difficult to identify, but in this case, as shown in Figure 2, it starts with a normal looking ad content HTTP GET request made when visiting a site that serves ad content from onclickads[.]net.

Figure 2. GET request to onclickads[.]net

Looking a little closer, we see that the URL contains strings that slightly resemble those used by OpenX/Revive ad servers, one the most popular ad software systems on the market.

Commonly seen, legitimate OpenX/Revive URLs might look something like this:

/www/delivery/afr.php?zoneid=8&cb=1925363925374

We checked out a copy of the OpenX repository to review the contents. While the repository contains a legitimate file named afr.php, there was no file named afu.php as shown in the GET request from Figure 2.

Although ad servers are often abused by malvertisers, OpenX systems and their associated URLs are normally not an indication of malicious activity, just advertising activity; so it’s common to see them mixed in with other HTTP traffic in most network environments. You can see how the malicious traffic associated with this malvertising campaign might slip by with other OpenX advertising traffic since it closely resembles that of a legitimate ad system.

Onclickads[.]net appears to have previously been involved in malvertising activity. The online advertising network was recently used in a similar campaign involving the Angler Exploit Kit, and – as seen in Figure 3 – we have still observed redirections to fake Flash media players.

Figure 3. Some referer URLs redirected to fake media players when visited

As mentioned before, those who are redirected to the Rig Exploit Kit landing page could be compromised via exploits targeting Adobe Flash, Internet Explorer, Java and Microsoft Silverlight.

Examples of Rig Exploit Kit landing page URLs we logged can be seen in Figure 4. These all had an onclickads[.]net URL (similar to Figure 1) in the referer field.

Figure 4. Rig Exploit Kit URLs

As shown in Figure 5, the Rig Exploit Kit obfuscates its landing pages to make analysis and detection tougher. The landing page contains code that checks for the presence of antivirus or virtual environments – if either is detected by the exploit kit, the exploit will not be served.

Figure 5. Obfuscated Rig Exploit Kit landing page

The samples we analyzed used an exploit for CVE-2015-5119, the Adobe Flash use-after-free vulnerability revealed in the Hacking Team leak. As mentioned here, CVE-2015-5119 was integrated into Rig Exploit Kit in July. After the landing page loads, the Flash exploit is downloaded, as seen in Figure 6.

Figure 6. Flash exploit being downloaded

After successful exploitation, the payload downloads malware to the system.

As of Nov. 13, 2015, the exploit kit is redirecting to Magnitude EK URLs. Some example Magnitude EK URLs look like this:

6d3bd.439.74331q.436161bv.0ecu.u677n.2401q.p44m.l0sm6dacs2.eventsam.pw/?2d5f484b42434e41444e464c495e03434859
mebf65l.c06a2r.ldfbk.zd899fu.w54358p.hf47613b.u90.y99xvzga7k95.satshares.pw/?225047444d4c414e4b41494346510c4c4756
l9077e2v.he02528l.obdb52x.34aa9.z144.8d3d49.j0i.w687g98o.hairunits.pw/?2b594e4d444548474248404a4f5805454e5f