
Malvertisement – A Nuclear EK Tale

Over the past couple of years, delivering malware via advertisements, or "malvertisement," has become one of the most popular distribution methods for exploit kits. Like most trends in Internet security, the longer it endures, the more sophisticated and complex it becomes.

Considering the popularity of online advertising as a whole, it's not surprising that nearly all active exploit kits use malvertisements as a distribution channel. All of the high-volume exploit kits mentioned in the 2015 Trustwave Global Security Report - Rig, Nuclear, Angler and Magnitude - depended quite heavily on malvertisement.

It seems that for cybercriminals it is, as usual, a matter of return on investment. It is cheaper, easier and more reliable to distribute malicious ads via ad networks that place these ads on sites than it is to compromise high-traffic sites in order to infect their visitors.

For the ad networks, however, this is clearly not profitable. In addition to the reputation damage caused by these ad networks' involvement in delivering malware, legitimate websites that display their ads may stop using them as the result of a malvertisement incident.

So how are these malicious ads finding their way into these networks?

Detecting malvertisement campaigns is not an easy task. Even some of the largest ad networks such as Google and AOL were used, in one way or another, to distribute malware in 2015. Regarding larger ad networks, we often see malvertisement campaigns distributed by affiliates, partners or resellers. These companies, presumably with fewer resources than the big players, seem to be the weak link in terms of examining the ads they distribute.

In order to understand the situation these smaller advertisers are in, let's examine a malvertisement campaign distributing the Nuclear Exploit Kit:

[Figure: Fiddler session showing the request chain from the advertisement through getyourimesh[.]com to the Nuclear EK domain]

The Fiddler session above actually starts one step after what the average user would experience. The first URL is the advertisement itself, which would normally be embedded within a legitimate page. This is because our example was observed on a machine infected with ad fraud malware, which visits ads directly to generate fake ad views. In this scenario, the ad was delivered via the "trafficadventure.com" advertising company. The ad itself redirects to the site "getyourimesh[.]com," which appears to be a site for a WordPress plugin called "Backup Creator":

[Figure: Screenshot of the getyourimesh[.]com homepage, presenting itself as the "Backup Creator" WordPress plugin site]

Looking at the real Backup Creator site, we see a resemblance:

[Figure: Screenshot of the genuine Backup Creator website]

So the homepage of the "getyourimesh" site consists of stolen content, making it look legitimate. It is worth noting that this homepage doesn't lead to any malicious content, so the ad network has no reason to suspect any wrongdoing.

Looking at the HTML code of main.php on the same site, however, tells a different story:

[Figure: HTML source of main.php on getyourimesh[.]com, which loads track.php]

The real "bad guy" in this example is track.php, which performs checks on the requesting client. If the client's user agent is Internet Explorer, it loads an iframe with Nuclear EK. This particular page is not very sophisticated. We've seen pages that perform more complex checks, but it seems that these are enough to go unnoticed by the advertising networks.

From here, this particular site has fulfilled its duties and the rest of the action occurs on a Nuclear EK domain, a hop away from any advertisement.
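The chain just described (legitimate page, advertisement, lookalike site, track.php, exploit kit domain) is exactly what a web proxy log records, request by request, with each hop's Referer pointing at the previous one. The following Python script is an added example, not code from the original post or from Trustwave: it reconstructs per-client referer chains from constructed proxy log lines (all hostnames use the reserved .example.invalid suffix and are assumptions, as is the simple whitespace-separated log format) and flags chains that cross several unrelated hosts before ending in an active-content download such as a Flash file.

```python
from urllib.parse import urlparse

# Constructed proxy log: timestamp, client IP, requested URL, referer ("-" if none), content type.
# Client 10.0.0.5 follows an ad into a redirect chain that ends in a Flash download;
# client 10.0.0.7 reads the same news page without any ad-driven hops.
SAMPLE_PROXY_LOG = """\
2015-06-01T10:00:00Z 10.0.0.5 http://news.example.invalid/article - text/html
2015-06-01T10:00:01Z 10.0.0.5 http://ads.example.invalid/serve?id=42 http://news.example.invalid/article text/html
2015-06-01T10:00:02Z 10.0.0.5 http://lookalike.example.invalid/main.php http://ads.example.invalid/serve?id=42 text/html
2015-06-01T10:00:02Z 10.0.0.5 http://lookalike.example.invalid/track.php http://lookalike.example.invalid/main.php text/html
2015-06-01T10:00:03Z 10.0.0.5 http://ek-landing.example.invalid/gate.php http://lookalike.example.invalid/track.php text/html
2015-06-01T10:00:04Z 10.0.0.5 http://ek-landing.example.invalid/payload.swf http://ek-landing.example.invalid/gate.php application/x-shockwave-flash
2015-06-01T10:00:10Z 10.0.0.7 http://news.example.invalid/article - text/html
2015-06-01T10:00:11Z 10.0.0.7 http://cdn.example.invalid/jquery.js http://news.example.invalid/article application/javascript
"""

# Content types worth tracing back to their origin: plugin content and executables
# are what exploit kits deliver after the redirect chain.
SUSPICIOUS_TYPES = {
    "application/x-shockwave-flash",
    "application/x-msdownload",
    "application/octet-stream",
}


def parse_log(text):
    """Parse the constructed log format into a list of request records."""
    records = []
    for line in text.strip().splitlines():
        ts, client, url, referer, ctype = line.split()
        records.append({
            "ts": ts,
            "client": client,
            "url": url,
            "referer": None if referer == "-" else referer,
            "ctype": ctype,
        })
    return records


def build_chain(record, by_client_url):
    """Walk Referer links backwards for one client until the origin request is reached.

    Loops (a page referring to itself) and referers never seen in the log end the walk.
    Returns the chain in chronological order, origin first.
    """
    chain = [record]
    seen = {record["url"]}
    cur = record
    while cur["referer"] and cur["referer"] not in seen:
        parent = by_client_url.get((cur["client"], cur["referer"]))
        if parent is None:
            break
        chain.append(parent)
        seen.add(parent["url"])
        cur = parent
    return list(reversed(chain))


def distinct_hosts(chain):
    """Hostnames visited along the chain, in order, without repeats."""
    hosts = []
    for rec in chain:
        host = urlparse(rec["url"]).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def suspicious_chains(log_text, min_hosts=3):
    """Return chains that hop across at least min_hosts hosts and end in a suspicious download."""
    records = parse_log(log_text)
    # Later requests for the same URL overwrite earlier ones; good enough for chain walking.
    by_client_url = {(r["client"], r["url"]): r for r in records}
    results = []
    for rec in records:
        if rec["ctype"] not in SUSPICIOUS_TYPES:
            continue
        chain = build_chain(rec, by_client_url)
        hosts = distinct_hosts(chain)
        if len(hosts) >= min_hosts:
            results.append({
                "client": rec["client"],
                "hosts": hosts,
                "urls": [c["url"] for c in chain],
            })
    return results


if __name__ == "__main__":
    for hit in suspicious_chains(SAMPLE_PROXY_LOG):
        print(hit["client"], " -> ".join(hit["hosts"]))
```

The chain for 10.0.0.5 surfaces with four distinct hosts ending in ek-landing.example.invalid, while 10.0.0.7's ordinary page load is ignored. In a real deployment the referer join needs a time window (the ad and the exploit page are seconds apart, as in the Fiddler session above), and the interesting output is the middle host of the chain: the lookalike site that the ad network approved.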

In this case, the ad network would only detect this attack by:

  1. Examining each and every URL submitted.
  2. Examining the content loaded by each URL using various user agents (and possibly 3rd party plugins or any other checks a page like track.php would choose to perform).
  3. Examining the type of content loaded by it, probably with a security product.

While ideally we'd all like to see this depth of evaluation, it's obvious why an advertisement network of small-to-medium scale might have trouble fulfilling these requirements.
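Step 2 of that list, fetching the same URL with several user agents and comparing what comes back, is the one check that would have caught track.php, since it only serves the exploit kit iframe to Internet Explorer. The script below is an added example written for this post, not Trustwave's code or the ad network's: it takes the responses already collected for one URL under different user agents (here constructed inline, with .example.invalid hostnames standing in for real ones), extracts the external hosts each version of the page would load content from via iframes, scripts, embeds or meta refresh, and reports any host that only some user agents were shown. Hidden iframes, the typical vehicle for an exploit kit landing page, are reported separately.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalLoadParser(HTMLParser):
    """Collect hosts a page loads active content from, plus hosts loaded via hidden iframes."""

    LOADING_TAGS = ("iframe", "script", "embed", "object", "frame")

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hosts = set()
        self.hidden_iframe_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        target = None
        if tag in self.LOADING_TAGS:
            target = a.get("src") or a.get("data")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=http://host/path"
            content = a.get("content", "")
            if "url=" in content.lower():
                target = content.split("=", 1)[1].strip().strip("'\"")
        if not target:
            return
        host = (urlparse(target).hostname or "").lower()
        if not host or host == self.page_host:
            return
        self.hosts.add(host)
        if tag == "iframe" and self._is_hidden(a):
            self.hidden_iframe_hosts.add(host)

    @staticmethod
    def _is_hidden(a):
        """Heuristic: 0/1 pixel frames or display:none / visibility:hidden styling."""
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style


def external_hosts(page_url, body):
    """Return (all external hosts, hidden-iframe hosts) for one response body."""
    parser = ExternalLoadParser((urlparse(page_url).hostname or "").lower())
    parser.feed(body)
    return parser.hosts, parser.hidden_iframe_hosts


def cloaking_report(page_url, responses):
    """responses maps a user-agent label to the HTML body served for that user agent.

    Returns {host: [user agents that were served it]} for every external host that
    not all user agents received; an empty dict means the page looked the same to all.
    """
    per_ua = {ua: external_hosts(page_url, body)[0] for ua, body in responses.items()}
    all_hosts = set().union(*per_ua.values()) if per_ua else set()
    report = {}
    for host in sorted(all_hosts):
        seen_by = sorted(ua for ua, hosts in per_ua.items() if host in hosts)
        if len(seen_by) < len(per_ua):
            report[host] = seen_by
    return report


# Constructed responses for one ad landing URL fetched three times with different user agents.
# Only the Internet Explorer fetch receives a 1x1 iframe pointing at an external host.
COMMON = '<html><body><h1>Backup Creator</h1><script src="http://cdn.example.invalid/jquery.js"></script>'
SAMPLE_RESPONSES = {
    "MSIE 10": COMMON + '<iframe src="http://ek-landing.example.invalid/gate.php" width="1" height="1"></iframe></body></html>',
    "Chrome 43": COMMON + "</body></html>",
    "Firefox 38": COMMON + "</body></html>",
}
SAMPLE_URL = "http://lookalike.example.invalid/track.php"

if __name__ == "__main__":
    for host, uas in cloaking_report(SAMPLE_URL, SAMPLE_RESPONSES).items():
        print(f"{host} served only to: {', '.join(uas)}")
```

The shared CDN script is served to everyone and is not reported; the exploit kit host appears only in the Internet Explorer response and is flagged. A review pipeline would run this per submitted URL, repeat it from more than one egress IP and with plugin-version headers varied, since the more careful track.php variants mentioned above key on those as well as on the user agent.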

To close the loop and provide the full flow in our example, the Nuclear EK then exploited the machine using CVE-2015-3090, a vulnerability in Flash Player recently integrated into most Exploit Kits, and this Flash exploit then infected the machine with Cryptowall 3.0:

[Figure: Fiddler session showing the Nuclear EK landing page, the CVE-2015-3090 Flash exploit and the Cryptowall 3.0 download]

This is where the story ends.

We should note at this point that we contacted trafficadventure.com regarding this abuse case and they were quick to respond and investigate.

To give a brief summary of this story: An innocent user browsing the Internet, and not clicking any dodgy links or opening suspicious email attachments, could still find themselves at the mercy of ransomware or other malware.

Our advice to end users is to keep your OS, browser and any 3rd party plugins up-to-date at all times to prevent the exploitation of known vulnerabilities.

Customers of Trustwave Secure Web Gateway are protected against this attack.
