Malvertisement – A Nuclear EK Tale

Over the past couple of years delivering malware via advertisements, or "malvertisement," has become one of the most popular methods of distribution for exploit kits. Like most trends in the world of Internet security, the longer it endures, the more sophisticated and complex it gets.

Considering the popularity of online advertising as a whole, it's not surprising to see that nearly all active exploit kits use malvertisements as a distribution channel. Nearly all of the exploit kits of significant volume mentioned in the 2015 Trustwave Global Security Report - Rig, Nuclear, Angler and Magnitude - depended quite heavily on malvertisement.

It seems that for cybercriminals it is, as usual, a matter of return on investment. It is cheaper, easier and more reliable to distribute malicious ads via ad networks that place these ads on sites than it is to compromise high-traffic sites in order to infect their visitors.

For the ad networks, however, this is clearly not profitable. In addition to the reputation damage caused by these ad networks' involvement in delivering malware, legitimate websites that display their ads may stop using them as the result of a malvertisement incident.

So how are these malicious ads finding their way into these networks?

Detecting malvertisement campaigns is not an easy task. Even some of the largest ad networks such as Google and AOL were used, in one way or another, to distribute malware in 2015. Regarding larger ad networks, we often see malvertisement campaigns distributed by affiliates, partners or resellers. These companies, presumably with fewer resources than the big players, seem to be the weak link in terms of examining the ads they distribute.

In order to understand the situation these smaller advertisers are in, let's examine a malvertisement campaign distributing the Nuclear Exploit Kit:

[Figure: NuclearInfection]

The Fiddler session above actually starts one step after what the average user would experience. The first URL is the advertisement itself, which would normally be embedded within a legitimate page. This is because our example was observed on a machine infected with ad fraud malware, which visits ads directly to generate fake ad views. In this scenario, the ad was delivered via the "trafficadventure.com" advertising company. The ad itself redirects to the site "getyourimesh[.]com," which appears to be a site for a WordPress plugin called "Backup Creator":

[Figure: GetYourImesh]

Looking at the real Backup Creator site, we see a resemblance:

[Figure: BackupCreator]

So the homepage of the "getyourimesh" site consists of stolen content, making it look legitimate. It is worth noting that this homepage doesn't lead to any malicious content, so the ad network has no reason to suspect any wrongdoing.

Looking at the HTML code of main.php on the same site, however, tells a different story:

[Figure: MainHtml]

The real "bad guy" in this example is track.php, which performs checks on the requesting client. If the client's user agent is Internet Explorer, it loads an iframe with Nuclear EK. This particular page is not very sophisticated. We've seen pages that perform more complex checks, but it seems that these are enough to go unnoticed by the advertising networks.

From here, this particular site has fulfilled its duties and the rest of the action occurs on a Nuclear EK domain, a hop away from any advertisement.

In this case, the ad network would only detect this attack by:

  1. Examining each and every URL submitted.
  2. Examining the content loaded by each URL using various user agents (and possibly third-party plugins or any other checks a page like track.php would choose to perform).
  3. Examining the type of content each URL loads, probably with a security product.
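As an added example (not code from this post or from Trustwave), the following is a minimal vetting crawler an ad network could run over submitted URLs to cover steps 1 and 2 above: it fetches the landing page under several User-Agents, flags responses that differ by client (the kind of cloaking track.php performs), and flags hidden or off-site iframes. The fetch function is a constructed offline stand-in, and the domains and user-agent strings are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Client profiles the vetting crawler impersonates; IE is included because
# the track.php described above only serves its iframe to Internet Explorer.
USER_AGENTS = {
    "ie": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "chrome": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/45.0 Safari/537.36",
    "scanner": "AdNetworkScanner/1.0",
}

def fake_fetch(url, user_agent):
    """Constructed stand-in for an HTTP fetch so the example runs offline.
    It mimics a cloaking landing page: clean content for everyone except IE."""
    if "Trident" in user_agent or "MSIE" in user_agent:
        return ('<html><body>Loading...<iframe src="http://ek-domain.invalid/landing" '
                'width="1" height="1" style="visibility:hidden"></iframe></body></html>')
    return '<html><body><h1>Backup Creator</h1><p>Simple WordPress backups.</p></body></html>'

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes

def is_hidden(attrs):
    # 0/1-pixel frames and CSS-hidden frames are the usual way an EK iframe is concealed.
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def vet_url(url, fetch=fake_fetch):
    """Fetch a submitted ad URL under several User-Agents and return a list of findings."""
    responses = {name: fetch(url, ua) for name, ua in USER_AGENTS.items()}
    findings = []
    if len({re.sub(r"\s+", " ", body).strip() for body in responses.values()}) > 1:
        findings.append("response differs by User-Agent (possible cloaking)")
    own_host = urlparse(url).netloc
    for name, body in responses.items():
        for frame in extract_iframes(body):
            src = frame.get("src", "")
            if is_hidden(frame) or urlparse(src).netloc not in ("", own_host):
                findings.append(f"{name}: hidden or off-site iframe -> {src}")
    return findings
```

A real deployment would swap `fake_fetch` for an HTTP client and repeat the crawl with plugin-specific headers, since a page like track.php may key its decision on more than the User-Agent.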

While ideally we'd all like to see this depth of evaluation, it's obvious why an advertisement network of small-to-medium scale might have trouble fulfilling these requirements.

To close the loop and provide the full flow in our example, the Nuclear EK then exploited the machine using CVE-2015-3090, a Flash Player vulnerability whose exploit had recently been integrated into most exploit kits, and this Flash exploit then infected the machine with Cryptowall 3.0:

[Figure: Cryptowall30]

This is where the story ends.

We should note at this point that we contacted trafficadventure.com regarding this abuse case and they were quick to respond and investigate.

To give a brief summary of this story: An innocent user browsing the Internet, and not clicking any dodgy links or opening suspicious email attachments, could still find themselves at the mercy of ransomware or other malware.

Our advice to end users is to keep your OS, browser and any third-party plugins up to date at all times to prevent the exploitation of known vulnerabilities.

Customers of Trustwave Secure Web Gateway are protected against this attack.

This blog post was co-authored by Daniel Chechik and Anat Davidi.
