We have just discovered an advertising campaign that has been placing malicious advertisements on very popular websites both in the US and internationally. "answers.com" (Alexa rank 420 Global and 155 in the US), "zerohedge.com" (Ranked 986 in the US) and "infolinks.com" (Ranked 4,649 Internationally) are only some of the big names that were recently found redirecting visitors to the Angler exploit kit through a malicious advertising campaign, and though malicious advertising has become part of our daily lives in the world of web security, this story is a little different.
Before we get into the technical details it's important to note that while these popular sites are involved in the infection process they are, much like infected clients, victim of Malvertising. The only "crime" here is being popular and having high volumes of traffic going through their sites daily.
On the more technical side of things, those of us familiar with the Angler exploit kit know that it never ceases to innovate and come up with new ideas for infecting as many victims as possible. These days we're practically used to the "standard" Malvertising campaigns where the placement of malicious advertisements on known ad provider networks leads potential victims to an exploit kits' landing page. This time it seems that an experienced actor has acquired an expired domain of a small but probably legitimate advertising company in order to utilize this for malicious purposes. This provides them with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK.
In the past few days while going over the telemetry of our products we noticed that several high profile sites were fetching a JSON file which is hosted on "brentsmedia[.]com" as part of their process for pulling advertising content from their ad providers, below is the content of this JSON file containing the next hop in the redirection chain:
Figure 1: JSON including JavaScript
Here is what the banner image for the ad looks like:
Figure 2: New socket wrench, anyone?
This JSON file refers to a suspicious, heavily-obfuscated JavaScript file with more than 12,000 lines of code. Our suspicions grew further when de-obfuscation of the script revealed that it tries to enumerate the following list of security products and tools in order to filter out security researchers and users with protections that would prevent exploitation:
Figure 3: Programs Enumeration
If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK landing page. Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware – double the trouble.
Figure 4: Infection Chain Starting at BrentsMedia
Checking the history of the "brentsmedia[.]com" domain reveals that it expired on January 1st 2016:
Figure 5: Expired on 1/1/2016
… and that it was registered again on March 6th 2016 with a different registrant. The following is a comparison between the old registrant and new one from March:
Figure 6: whois data from January 2016 (left) and March 2016 (right)
A quick check on "web.archive.org" reveals that BrentsMedia was an advertising company selling "online marketing solutions":
Figure 7: BrentsMedia in its old, happy days
According to our telemetry these malicious "ads" were delivered through at least two affiliate networks: adnxs, who responded to us extremely quickly and handled the incident within an hour (!), and taggify whom we contacted but have not heard back from at the time of posting this blog.
BrentsMedia was probably a legitimate business, and though we can't know for sure, it's likely that the people behind this operation are trying to ride on the reputation the domain had and abuse it to trick ad companies into publishing their malicious ads. As for the BrentsMedia site itself, it currently hosts code that behaves like a Traffic Distribution System (TDS), but at the moment it appears to only be "distributing" traffic to Angler EK.
This leaves us with some questions: are the people behind Angler doing this directly, or are they acquiring this from a fellow criminal? Is this a lucky catch for them, or a new trend of "stalking" domains nearing expiration?
We thought we may never learn the answers to these questions, but as we were putting our findings down into this blog post more telemetry came in and we noticed two more expired "media"-related domains exhibiting the same characteristics as brentsmedia[.]com: "envangmedia[.]com" and "markets.shangjiamedia[.]com", and looking up the IP address of brentsmedia shows that another similarly named domain has already been registered to point to this IP address:
Figure 8: VirusTotal DNS data for brentsmedia's IP address
If one was to take a wild guess, one might think that they actually are watching for any domains containing the word "media" that have recently expired…
Whether or not this will turn into a new trend, it's certainly an interesting development in the world of Malvertising, once again reminding us how difficult it is for both end-users and ad networks to deal with this threat.
This blog post was co-authored by Daniel Chechik, Simon Kenin and Rami Kogan.
Trustwave Secure Web Gateway protects its customers against this attack and the Angler Exploit Kit in general.