During the past few weeks, malvertising activity was a little bit on the decline, at least within our own telemetry. We were mainly seeing the usual suspects pushing a lot of Magnitude EK related infections and the occasional tech support scam.
However, out of the blue on the weekend we witnessed a huge spike in malicious activity emanating out of two suspicious domains. Not only were there a lot of events, but they also included some very high profile publishers, which is something we haven’t seen in a while:
| Publisher | Traffic (monthly)* |
| msn.com | 1.3B |
| nytimes.com | 313.1M |
| bbc.com | 290.6M |
| aol.com | 218.6M |
| my.xfinity.com | 102.8M |
| nfl.com | 60.7M |
| realtor.com | 51.1M |
| theweathernetwork.com | 43M |
| thehill.com | 31.4M |
| newsweek.com | 9.9M |
* Numbers pulled from SimilarWeb.com.
Rogue domains:
Domain Name: TRACKMYTRAFFIC.BIZ Creation Date: 2016-02-27 Sponsoring Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registrant Organization: PrivacyProtect.org IP address: 104.28.18.116 (CloudFlare)
Domain Name: TALK915.PW Creation Date: 2016-02-25 Sponsoring Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registrant Name: Rocko Mantas Registrant Organization: Best Media ltd IP address: 104.27.190.84 (CloudFlare)
Ad networks/platforms:
- http://www.trackmytraffic.biz/imp_track?zone=975
- talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.470974263806
-> Referer: http://tpc.googlesyndication.com/safeframe/1-0-2/html/container.html
AppNexus:
- http://www.trackmytraffic.biz/tracker?zone=145&camp=Tapika
- talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.0458697036987
-> Referer: http://lax1.ib.adnxs.com/{redacted}&referrer=http%3A%2F%2Fwww.nytimes.com{redacted}
AOL:
-
http://www.trackmytraffic.biz/imp_track?zone=6899&camp=Vemeo
-
talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.22486335239
-> Referer: http://www.aol.com/_uac/adpage.html
- http://www.trackmytraffic.biz/imp_track?zone=6899&camp=Vemeo
- talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.515004501486
-> Referer: http://optimized-by.rubiconproject.com/a/11648/36322/150620-15.html?&cb=0.49251904142839664&tk_st=1&rf=http%3A//my.xfinity.com{redacted}
Payload:
The first couple of days before this campaign went big, we observed a few hits on smaller publishers that were pushing the RIG exploit kit:
fg.lazarus-designs.com/?xXmNd7GZKxbIA4A=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7cfAEOBo3lukyLNHeJ5yw0SH6jcGmr8dV1xC5VkRlPjPBKqE -> Referer: http://www.quoka.de/tiermarkt/fische-aquaristik/c5120a160897102p105457703/aussenfilter-tetra-ex600.html
On Sunday, when the attack really expanded, the Angler exploit kit was then used:
noblitt.petalsandpaintdrops.com/topic/80972-degrease-arranging-micturition-stupidly-toast-visible-roadworthy-monotonicity/
-> Referer: http://lax1.ib.adnxs.com/{redacted}&referrer=http%3A%2F%2Fwww.nytimes.com%2F2016%2F03%2F13%2Fus%2Fpolitics%2Fdonald-trump-campaign.html%3Femc%3Dedit_th_20160313%26nl%3Dtodaysheadlines%26nlid%3D69859133%26_r%3D0
Angler EK has gone through several changes lately, in its URI patterns but also in the landing page itself. It is also the only one to use a recently patched Silverlight vulnerability.
Malwarebytes Anti-Exploit blocks the malvertising attack when it launches the exploit kit:
March 15, 2016 | BY Jérôme Segura
Full Article:
Source: Large Angler Malvertising Campaign Hits Top Publishers | Malwarebytes Labs
Linux Security Blog 