Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Bedep trojan malware spread by the Angler exploit kit gets political

We recently observed what seems to be a group of cybercriminals helping spread pro-Russia messaging by artificially inflating video views and ratings on a popular video website. The campaign began with the infamous Angler exploit kit infecting victims with the Bedep trojan. Infected machines were then forced to browse sites to generate ad revenue, as well as, fraudulent traffic to a number of pro-Russia videos (among others). This blog isn't intended to be commentary on geo-political issues. The intent is to highlight an interesting attack method that could be used to artificially inflate the popularity of a piece of content, and in turn its visibility, whether it deals with political issues or other topics.

Artificially Inflating Number of Views of Video Clips

What we originally thought was simply a case of ad fraud developed into something more political once we examined some of the traffic. We observed the malware browsing to several clips on video-hosting web sites. We can't know for sure who's behind this fraudulent promotion of video clips, but it appears to be politically motivated.

Using bots to generate fake traffic to video clips is nothing new. It is a technique to raise a clip's popularity score and achieve higher visibility. However, this is the first time we've observed the tactic used to promote video clips with a seemingly political agenda.

Here's a screen-shot from one example:

9357_5589f517-1df5-48ef-aeb4-259e9d9047e8

Note that this video-clip, just like others, is loaded on a hidden desktop and is not seen by the victim. By artificially increasing the clip's popularity, the fraudsters make the clip more visible in general to users of the video aggregation site.

Below are additional examples of video-clips containing pro-Russia messages to which machines infected with the Bedep trojan were directed.

These clips share several characteristics that lead us to believe bots promoted them artificially:

  • They each have a relatively high, and nearly identical, number of views—around 320,000
  • At time of writing, none of the clips have any "shares," "retweets," or comments
  • They have very similar graphs illustrating views with the "Last Day" filter applied

8874_3efd0b4c-cc05-4e37-a3d3-69f6d2966036

http://www.dailymotion.com/video/x2n8go4_why-ukraine-matters-to-the-u-s-russia_news#from=embediframe

7819_09f38924-0380-47e1-942e-5e921a41a73f

http://www.dailymotion.com/video/x2nakz4_russia-defends-visit-to-norwegian-island-despite-sanctions_news?start=4

9678_6689296f-2862-41a8-a771-3d9d496eb8c4

http://www.dailymotion.com/video/x2nakxy_russia-says-five-militants-killed-in-north-caucasus_news?start=5

We also found examples of clips with what we believe are artificially inflated quantities of views that did not include pro-Russia subject matter.

7775_082e4f27-87fc-43f1-a787-17de5d0db426

http://www.dailymotion.com/video/x2n2lcw_anna-kendrick-is-writing-a-book_lifestyle?start=2

9310_537eadcd-66f4-4451-a6aa-e9df82f4f57e

http://www.dailymotion.com/video/x2n841e_apple-vs-facebook-vs-amazon-battle-for-the-best-tech-headquarters_news?start=4

Technical Analysis

Taking a closer look at the fraudulent traffic, we observed:

  • Specialized pages with stacked ads to maximize campaign efficiency (explained below)
  • Re-infection of the victim via additional exploit kits (Magnitude and Neutrino)
  • Fake views of content on social sites, including videos with a clear political agenda

We'll start from the beginning…

A compromised website, offering assistance to tourists, included an injected iframe in one of its pages, which led victims to the Angler EK:

9429_5985b74e-07a6-457e-b9f4-088fded94ca6

Upon opening its heavily obfuscated landing page, we found Angler first exploring the victim's machine, looking for hints of installed AV products…

9892_71065455-a11e-4796-a54f-8ce263a71bf0

…and for hints of development tools which are also used by security researchers:

10152_7ba8fc8e-e586-4ea0-a479-8e7568db8cd2

The kit's administrators want to avoid serving exploits and malware that AV products or security researchers could identify in order to stay "under the radar" as long as possible.

By exploiting CVE-2013-7331—a vulnerability in Microsoft.XMLDOM ActiveX control affecting unpatched versions of Internet Explorer versions 11 and earlier—remote attackers can determine the existence of local paths, which will indicate the presence of certain software.

In this case the attacker unexpectedly ignored the enumeration results and served the following exploits:

  • CVE-2014-6332 (OleAut32.dll vulnerability)
  • CVE-2015-0313 (Adobe Flash Player vulnerability)

That's great for us because we were able to observe the exploitation of VM despite our using VirtualBox and a standard installation of Fiddler, both of which were running in the background at the time of the exploitation. It definitely helps researchers when cybercriminals get sloppy!

This instance of Angler exploited CVE-2014-6332 in an interesting way. This vulnerability is exploited in general using array re-dimensioning in VBScript. What's noteworthy in this case is the back-and-forth communication between the VBScript and the JavaScript code:

  • The VBScript itself is "hidden" in heavily obfuscated JavaScript, which appends a "VBScript" object to the HTML body.
  • The VBScript, when executed, calls a JavaScript routine that enumerates the IE and Windows versions and then calls another JavaScript routine that returns a base64 decoded Shellcode.

The exploitation of our machine resulted in a Bedep trojan running in memory.

Now fasten your seatbelt because here things get even more interesting.

Here Bedep has launched massive ad fraud activities:

12328_e5841c87-86e8-4adb-bb3a-a673b9398678

The trojan constantly communicates with its command-and-control server (C&C) receiving new browsing targets with a set of detailed http headers to be used in the request:

9955_73d8e162-9bd1-411f-b112-8aa2b909cd91

The objective of ad fraud is to generate fake traffic to ads and receive compensation based on traffic volume. Obviously, more compromised computers leads to more traffic directed to the ads which leads to more revenue for the fraudster. Usually the party that pays for ad views will perform validity checks to filter out invalid ad impressions. To work around some of these checks, the C&C will specify fake "valid" referrer information for the trojan to use. Ad impressions should originate from some publishing website, and therefore so should the HTTP request carry the referring website's URL.

Some of the redirections lead to innocent-looking sites like "careyourpet.net" which, if browsed directly, looks like this:

9614_633a258c-c54b-4383-97a1-c0f3479c6f4e

 

If browsing the site using the C&C's specified referrer, a completely different looking web site is loaded:

8183_1b437c0b-2f4b-4a95-8b74-d1423485fa53


The appearance of the page coupled with associated WHOIS information being protected and the domain being registered only recently (December 2014) leads to the conclusion that this page is not a standard website. This sort of page seems to be a specialized page deployed by the malware campaign team to display dozens of ads aimed at maximizing the efficiency of their ad-fraud campaigns.

This technique is actually nothing new and was previously employed by operators behind the TDSS botnet, and it still works.

What's different than the TDSS-based botnet is a technique used to hide the malicious activity from the legitimate user. Bedep creates a hidden virtual desktop that hosts the Internet Explorer COM window invisibly. That hidden window functions as a fully featured Internet Explorer instance. We used a handy tool called CmdDesktopSwitch to view the hidden desktop.

12848_fc1a9503-dc0e-4b3c-9bc5-5712c0cfdcbd

Virtual Desktop example #1

10430_88f7da35-c165-4477-86da-11e938233089

Virtual Desktop example #2

Taking a closer look at the generated traffic reveals another surprise - our already infected machine was redirected by the C&C to the Magnitude exploit kit:

9957_73dc8757-782c-4961-90c6-7863a5f8fdd6

And if tripping on two different kits is not enough, down the roller coaster of our ad-fraud traffic we see another redirection to yet another kit– an instance of the Neutrino exploit kit:

11453_b9fe4f7a-6ce8-4352-8c7c-475fe28be774

An exploit kit without traffic is like a boat in the desert – useless. Therefore, criminals, who use exploit kits to spread their malware, need traffic and usually buy it from other fraudsters. It seems that the guys behind this particular C&C are trying to maximize their profit by selling traffic from compromised computers to other campaigners that seek to spread their own malware via Magnitude and Neutrino. Just to make it clear: An already infected computer is visiting ads silently without the user's consent, and gets re-infected over and over again.

At first we thought this was a case of "ad-fraud meets malvertising," but upon a closer look we saw this exact behavior repeating itself across multiple cases we examined. The redirection chain from the initial C&C to the provided target URL is just one hop away from the landing pages we mentioned – leading us to believe that it's the botnet operator's objective.

Both Rami Kogan and Arseny Levin conducted the research from which this post was developed.

Trustwave Secure Web Gateway and Trustwave Managed Anti-Malware Service protect users from this attack with no need for any updates.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More