Bedep trojan malware spread by the Angler exploit kit gets political

We recently observed what seems to be a group of cybercriminals helping spread pro-Russia messaging by artificially inflating video views and ratings on a popular video website. The campaign began with the infamous Angler exploit kit infecting victims with the Bedep trojan. Infected machines were then forced to browse sites to generate ad revenue, as well as, fraudulent traffic to a number of pro-Russia videos (among others). This blog isn't intended to be commentary on geo-political issues. The intent is to highlight an interesting attack method that could be used to artificially inflate the popularity of a piece of content, and in turn its visibility, whether it deals with political issues or other topics.

Artificially Inflating Number of Views of Video Clips

What we originally thought was simply a case of ad fraud developed into something more political once we examined some of the traffic. We observed the malware browsing to several clips on video-hosting web sites. We can't know for sure who's behind this fraudulent promotion of video clips, but it appears to be politically motivated.

Using bots to generate fake traffic to video clips is nothing new. It is a technique to raise a clip's popularity score and achieve higher visibility. However, this is the first time we've observed the tactic used to promote video clips with a seemingly political agenda.

Here's a screen-shot from one example:

1

Note that this video-clip, just like others, is loaded on a hidden desktop and is not seen by the victim. By artificially increasing the clip's popularity, the fraudsters make the clip more visible in general to users of the video aggregation site.

Below are additional examples of video-clips containing pro-Russia messages to which machines infected with the Bedep trojan were directed.

These clips share several characteristics that lead us to believe bots promoted them artificially:

  • They each have a relatively high, and nearly identical, number of views—around 320,000
  • At time of writing, none of the clips have any "shares," "retweets," or comments
  • They have very similar graphs illustrating views with the "Last Day" filter applied

2

http://www.dailymotion.com/video/x2n8go4_why-ukraine-matters-to-the-u-s-russia_news#from=embediframe

3

http://www.dailymotion.com/video/x2nakz4_russia-defends-visit-to-norwegian-island-despite-sanctions_news?start=4

4

http://www.dailymotion.com/video/x2nakxy_russia-says-five-militants-killed-in-north-caucasus_news?start=5

We also found examples of clips with what we believe are artificially inflated quantities of views that did not include pro-Russia subject matter.

5

http://www.dailymotion.com/video/x2n2lcw_anna-kendrick-is-writing-a-book_lifestyle?start=2

6

http://www.dailymotion.com/video/x2n841e_apple-vs-facebook-vs-amazon-battle-for-the-best-tech-headquarters_news?start=4

Technical Analysis

Taking a closer look at the fraudulent traffic, we observed:

  • Specialized pages with stacked ads to maximize campaign efficiency (explained below)
  • Re-infection of the victim via additional exploit kits (Magnitude and Neutrino)
  • Fake views of content on social sites, including videos with a clear political agenda

We'll start from the beginning…

A compromised website, offering assistance to tourists, included an injected iframe in one of its pages, which led victims to the Angler EK:

7

Upon opening its heavily obfuscated landing page, we found Angler first exploring the victim's machine, looking for hints of installed AV products…

8

…and for hints of development tools which are also used by security researchers:

9

The kit's administrators want to avoid serving exploits and malware that AV products or security researchers could identify in order to stay "under the radar" as long as possible.

By exploiting CVE-2013-7331—a vulnerability in Microsoft.XMLDOM ActiveX control affecting unpatched versions of Internet Explorer versions 11 and earlier—remote attackers can determine the existence of local paths, which will indicate the presence of certain software.

In this case the attacker unexpectedly ignored the enumeration results and served the following exploits:

  • CVE-2014-6332 (OleAut32.dll vulnerability)
  • CVE-2015-0313 (Adobe Flash Player vulnerability)

That's great for us because we were able to observe the exploitation of VM despite our using VirtualBox and a standard installation of Fiddler, both of which were running in the background at the time of the exploitation. It definitely helps researchers when cybercriminals get sloppy!

This instance of Angler exploited CVE-2014-6332 in an interesting way. This vulnerability is exploited in general using array re-dimensioning in VBScript. What's noteworthy in this case is the back-and-forth communication between the VBScript and the JavaScript code:

  • The VBScript itself is "hidden" in heavily obfuscated JavaScript, which appends a "VBScript" object to the HTML body.
  • The VBScript, when executed, calls a JavaScript routine that enumerates the IE and Windows versions and then calls another JavaScript routine that returns a base64 decoded Shellcode.

The exploitation of our machine resulted in a Bedep trojan running in memory.

Now fasten your seatbelt because here things get even more interesting.

Here Bedep has launched massive ad fraud activities:

10

The trojan constantly communicates with its command-and-control server (C&C) receiving new browsing targets with a set of detailed http headers to be used in the request:

11

The objective of ad fraud is to generate fake traffic to ads and receive compensation based on traffic volume. Obviously, more compromised computers leads to more traffic directed to the ads which leads to more revenue for the fraudster. Usually the party that pays for ad views will perform validity checks to filter out invalid ad impressions. To work around some of these checks, the C&C will specify fake "valid" referrer information for the trojan to use. Ad impressions should originate from some publishing website, and therefore so should the HTTP request carry the referring website's URL.

Some of the redirections lead to innocent-looking sites like "careyourpet.net" which, if browsed directly, looks like this:

12

If browsing the site using the C&C's specified referrer, a completely different looking web site is loaded:

13


The appearance of the page coupled with associated WHOIS information being protected and the domain being registered only recently (December 2014) leads to the conclusion that this page is not a standard website. This sort of page seems to be a specialized page deployed by the malware campaign team to display dozens of ads aimed at maximizing the efficiency of their ad-fraud campaigns.

This technique is actually nothing new and was previously employed by operators behind the TDSS botnet, and it still works.

What's different than the TDSS-based botnet is a technique used to hide the malicious activity from the legitimate user. Bedep creates a hidden virtual desktop that hosts the Internet Explorer COM window invisibly. That hidden window functions as a fully featured Internet Explorer instance. We used a handy tool called CmdDesktopSwitch to view the hidden desktop.

14

Virtual Desktop example #1

15

Virtual Desktop example #2

Taking a closer look at the generated traffic reveals another surprise - our already infected machine was redirected by the C&C to the Magnitude exploit kit:

16

And if tripping on two different kits is not enough, down the roller coaster of our ad-fraud traffic we see another redirection to yet another kit– an instance of the Neutrino exploit kit:

17

An exploit kit without traffic is like a boat in the desert – useless. Therefore, criminals, who use exploit kits to spread their malware, need traffic and usually buy it from other fraudsters. It seems that the guys behind this particular C&C are trying to maximize their profit by selling traffic from compromised computers to other campaigners that seek to spread their own malware via Magnitude and Neutrino. Just to make it clear: An already infected computer is visiting ads silently without the user's consent, and gets re-infected over and over again.

At first we thought this was a case of "ad-fraud meets malvertising," but upon a closer look we saw this exact behavior repeating itself across multiple cases we examined. The redirection chain from the initial C&C to the provided target URL is just one hop away from the landing pages we mentioned – leading us to believe that it's the botnet operator's objective.

Both Rami Kogan and Arseny Levin conducted the research from which this post was developed.

Trustwave Secure Web Gateway and Trustwave Managed Anti-Malware Service protect users from this attack with no need for any updates.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.