Blog
HuffingtonPost Serving Malware via AOL Ad-Network
Posted on January 5th, 2015 by Nick Bilogorskiy
On Dec 31, 2014 Cyphort Labs detected an infection at the Canadian website of HuffingtonPost – http://ift.tt/tvAe1u. On January 3, 2015 we have also confirmed HuffingtonPost.com is similarly infected. Huffington Post is a news aggregator and blog site with more than 51 million monthly visitors. Cyphort Labs has reported uptick in drive-by-infection through malvertising in 2014 and sounded alarms for the web property owners regarding the emerging trend. We believe that this trend presents a significant cybersecurity challenge in 2015. Web site owners should ask questions about their malvertising protection before signing up with ads syndication networks. More importantly, web site owners should deploy infection monitoring and detection solutions to protect their site visitors from malware infection.
The following analysis should help further increase the awareness and understanding on malvertising threats.
Infection Details
Here is the summary of the events:
1. huffingtonpost.ca was hosting an ad from an AOL ad-network [advertising.com]
2. The ad redirected through multiple hops
3. The landing page served an exploit kit.
4. The Exploit kit served a Flash exploit and a VB script
5. The script downloaded a Kovter Trojan executable to %temp%
The culprit was malvertising served from advertising.com. Over the past several days we have seen many other sites that contained ads from advertising.com and redirected visitors to malware, including:
- http://ift.tt/hFWySe
- www.mandatory.com
- www.laweekly.com
- www.gooddrama.net
- www.fhm.com
- http://ift.tt/1xQzV8O
- www.buzzlie.com
- www.mojosavings.com
- www.houstonpress.com
- www.soapcentral.com
- http://ift.tt/1jW3EGx
- www.gamezone.com
- www.weatherbug.com
Interestingly attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. The HTTPS redirector is hosted on a Google App Engine page. This makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted. The whole infection chain for huffingtonpost.ca is:
| http | http://ift.tt/tvAe1u |
| http | o.aolcdn.com |
| http | atwola.com |
| http | tacoda.net |
| http | advertising.com |
| https | nomadic-proton-777.appspot.com [Google App Engine] |
| http | foxbusness.com |
| http | multiple .PL redirects |
| http | howto.sxcubelabs.nysa.pl:8080/phppgadmin/ |
The whole infection chain for huffingtonpost.com is:
| http | http://ift.tt/hFWySe |
| http | o.aolcdn.com |
| http | atwola.com |
| http | tacoda.net |
| http | advertising.com |
| https | nomadic-proton-777.appspot.com [Google App Engine] |
| http | foxbusness.com |
| http | warszawa.pl [Polish capital website] |
| http | schoo.kuppicu.opoczno.pl:8080/books |
It appears that this group has compromised and/or has access to multiple .pl domains in Poland, and is making redirects via sub-domains for these sites (nysa.pl, klodzko.pl, etc). This is similar to the Youtube Ads attack that our friends at TrendMicro blogged about in October.
In addition to "advertising.com" Advertising Network we have also seen "adtech.de" redirecting to these infected Polish sites. In the case of "adtech", the redirectors were: "imp-check.appspot.com" (Google) and svcollege.net. Both of these platforms (adtech.de and advertising.com) are owned by AOL. AOL Platforms has 199 Million unique visitors per month. It reaches 88.8% of the U.S. Internet Audience. We have notified AOL abuse and security team and they confirmed they are currently investigating this.
Cyphort Labs suspects the exploit kit used was NeutrinoEK, but also saw similarity between this one and Sweet Orange kit (http://ift.tt/1tRvHZ1) .
The infection starts with javascript that does the following:
1. It decrypts (base64 algorithm) an html file and a Visual Basic script file.
2. The decrypted html file (which exploits CVE-2013-2551) is loaded as an iframe.
3. VB script downloads and executes the malicious executable (Kovter).
4. Both HTML & VB script seem to be communicating only with http://ift.tt/1ASbloN which is down.
Here is the decrypted VB script. The VB script code is exploiting CVE-2014-6332 (Windows OLE Automation Array Remote Code Execution Vulnerability). A POC was posted at exploit-db last November (http://ift.tt/1ustnv7).
The purpose of this attack is to install a malicious binary – a new variant of a Trojan, from the Kovter family. (SHA1: eec439cb201d12d7befe5482e8a36eeb52206d6f). The malware was downloaded from indus.qgettingrinchwithebooks. babia-gora.pl:8080 , it was a un-encrypted binary. After execution it connects to a16-kite.pw for CNC. It executes through injecting its payload to a spawned svchost.exe process.
Below is a screenshot of the Behavior Details of this malware when Cyphort Advanced Threat Defense Platform detected it.
Cyphort Labs is monitoring this malvertising campaign closely. We will share more results as soon as they become available. Special thanks to Alex Burt and the Cyphort Labs team for their help in the discovery and analysis.
Recent Posts
- HuffingtonPost Serving Malware via AOL Ad-Network
- Internet Systems Consortium's ISC.org infected
- Popular News Magazine dailyherald.com Infected
- EvilBunny: Malware Instrumented By Lua
Categories
By Authors
Monthly Archives
This entry passed through the Full-Text RSS service - if this is your content and you're reading it on someone else's site, please read the FAQ at http://ift.tt/jcXqJW.
http://ift.tt/1I1rHO6 HuffingtonPost Serving Malware via AOL Ad-Network via top scoring links : news http://ift.tt/1DsGFgc
Put the internet to work for you.
No comments:
Post a Comment