[Screenshots: wnd.com drive-by; WND malvert; wnd.com ad tag; ad tag]

Through December we've observed the FinancialContent ad server at ads.financialcontent.com directing visitors to malware distribution infrastructure.

Early in the month we confirmed ad creatives leading to drive-by download attacks via the Sweet Orange exploit kit, as seen in this incident:

https://sf.riskiq.net/bl/85369800/cd46d3d01a619e40?_sg=VkbnjgRRAsPGt6d0N4EbdA%3D%3D

By December 9th we began to identify the same traffic distribution driving visitors to the Angler exploit kit:

https://sf.riskiq.net/bl/86399014/cd46d3d01a619e40?_sg=1xp1nuT0nueVI4HWbtVrhA%3D%3D

The following sites are among numerous that have been identified as displaying malicious ad creatives:

  • studio-5.financialcontent.com
  • markets.financialcontent.com/stocks/quote?Symbol=WFC
  • markets.housingwire.com/housingwire/markets
  • www.fox28.com/category/36210/tax
  • www.siliconvalley.com/
  • www.dailyherald.com/lifestyle/food/
  • www.newschannel6now.com/
  • www.statejournal.com/category/120376/lifestyle
  • www.wnd.com/markets/stocks/

Aside from direct ad-display malverts, which silently redirect site visitors to malicious sites in the background without their knowledge, another common vector observed with FinancialContent is a delayed drive-by from ticker data hyperlinked on other sites. A common source of this activity is the press release aggregator PR Newswire, which regularly links ticker symbols to quote widgets on FinancialContent. Anyone clicking one of these ticker links also triggers ad delivery from FinancialContent, potentially setting the malvert in motion and resulting in a drive-by download and malware installation. The following incident illustrates this:

https://sf.riskiq.net/bl/86640836/cd46d3d01a619e40?_sg=FNT5IHfYokzzcVfeEPY7mw%3D%3D

Technical Indicators

This malicious traffic redirection appears to exploit users primarily via the Angler exploit kit. We observed traffic being rotated across exploit kit URLs by a TDS that returns a simple iframe redirection script. Both components (TDS and exploit kit) use rogue A records injected into compromised DNS zones, so that throwaway subdomains of otherwise legitimate registered domains resolve to attacker hosts, and cycle through them at scale to evade blacklist-based filtering of attacker infrastructure. These attributes are common to exploit and malware delivery activity observed over several months this year.
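The two properties described above, a small set of attacker IPs and a churning set of injected subdomains on unrelated registered domains, suggest pivoting on the IP rather than the hostname. The following script is an added example (not RiskIQ code) that takes the TDS and EK indicators listed below, runs them over DNS resolution records, and additionally flags any IP that serves subdomains of several unrelated registered domains, which is the shadowing pattern this write-up describes. The resolution records are constructed for the demo; `glimpses.example.net` and `handful.example.org` are hypothetical not-yet-listed subdomains included to show the IP pivot catching hosts the domain list alone would miss.

```python
"""Added example: match DNS resolutions against the TDS/EK indicators from
this write-up and surface the domain-shadowing pattern (many throwaway
subdomains of unrelated registered domains resolving to a few attacker IPs).
Sample records below are constructed for illustration."""
from collections import defaultdict

# Indicators copied from the TDS/EK lists in this write-up.
TDS_IPS = {"46.8.16.160", "46.8.16.239", "46.8.16.240", "46.8.23.174"}
EK_IPS = {"5.135.38.169", "91.218.229.159", "178.32.193.221",
          "178.32.193.230", "178.32.193.250"}
TDS_DOMAINS = {
    "bodies.michelebachmann.org", "concentrations.myownincomeathome.com",
    "freed.palmspringsalexander.com", "consisting.888calc.com",
}
EK_DOMAINS = {
    "zarlatina.kowzam.com", "epruotsalaistaotterraft.npoincorporator.com",
    "aftakdoo.co2fraxellaser.com", "sijyuu-patition.thefinal-whistle.com",
    "fardoun-wolfgangchdsmy.liposuctionexpertnjny.com",
}


def registered_domain(fqdn):
    """Naive eTLD+1 (last two labels). Adequate for the .com/.org names
    here; a production version should use the Public Suffix List."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def classify(records, min_parents=3):
    """records: iterable of (fqdn, resolved_ip).
    Returns {'ioc_hits': [(fqdn, ip, role), ...],
             'shadowing': {ip: [registered domains served], ...}}.
    A resolution is an IOC hit if either the name or the IP is listed;
    matching on IP is what catches freshly injected subdomains.
    An IP is reported under 'shadowing' when it serves subdomains of at
    least min_parents distinct registered domains."""
    hits = []
    parents_by_ip = defaultdict(set)
    for fqdn, ip in records:
        fqdn = fqdn.lower().rstrip(".")
        role = None
        if ip in TDS_IPS or fqdn in TDS_DOMAINS:
            role = "TDS"
        elif ip in EK_IPS or fqdn in EK_DOMAINS:
            role = "EK"
        if role:
            hits.append((fqdn, ip, role))
        # Only true subdomains (three or more labels) count toward shadowing.
        if fqdn.count(".") >= 2:
            parents_by_ip[ip].add(registered_domain(fqdn))
    shadowing = {ip: sorted(p) for ip, p in parents_by_ip.items()
                 if len(p) >= min_parents}
    return {"ioc_hits": hits, "shadowing": shadowing}


# Constructed sample resolutions (hypothetical, for the demo only).
SAMPLE_RECORDS = [
    ("bodies.michelebachmann.org", "46.8.16.160"),
    ("consisting.888calc.com", "46.8.16.239"),
    ("zarlatina.kowzam.com", "178.32.193.221"),
    ("aftakdoo.co2fraxellaser.com", "5.135.38.169"),
    ("glimpses.example.net", "46.8.16.160"),   # hypothetical: unlisted, same TDS IP
    ("handful.example.org", "46.8.16.160"),    # hypothetical: unlisted, same TDS IP
    ("www.michelebachmann.org", "203.0.113.10"),  # legitimate parent, unrelated IP
    ("ads.financialcontent.com", "38.114.159.36"),
    ("www.example.com", "198.51.100.7"),
]

if __name__ == "__main__":
    result = classify(SAMPLE_RECORDS)
    for fqdn, ip, role in result["ioc_hits"]:
        print(f"IOC {role:3} {fqdn} -> {ip}")
    for ip, parents in result["shadowing"].items():
        print(f"shadowing {ip} serves {', '.join(parents)}")
```

Note that the shadowing heuristic alone will also fire on CDN and shared-hosting IPs that legitimately front many unrelated domains; in practice it is a triage signal to combine with the IOC match, short TTLs and dictionary-word subdomain labels, not a blocking rule on its own. The parent domains flagged here are victims of the injected records, so block the subdomains and IPs, not the registered domains.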

Ads Domain

  • ads.financialcontent.com

Ad Server IP Address

  • 38.114.159.36: AS35987 | US | arin | 2005-05-02 | FINANCIALCONTENT-AS-1 - FinancialContent, Inc

TDS Domains

  • bodies.michelebachmann.org
  • concentrations.myownincomeathome.com
  • freed.palmspringsalexander.com
  • consisting.888calc.com

TDS IP Addresses

  • 46.8.16.160: AS29521 | NL | ripencc | 2012-09-25 | CIDR-AS Movenix International Inc.
  • 46.8.16.239: AS29521 | NL | ripencc | 2012-09-25 | CIDR-AS Movenix International Inc.
  • 46.8.16.240: AS29521 | NL | ripencc | 2012-09-25 | CIDR-AS Movenix International Inc.
  • 46.8.23.174: AS29521 | NL | ripencc | 2012-09-25 | CIDR-AS Movenix International Inc.

The following contain additional domains associated with these hosts:

EK Domains

  • zarlatina.kowzam.com
  • epruotsalaistaotterraft.npoincorporator.com
  • aftakdoo.co2fraxellaser.com
  • sijyuu-patition.thefinal-whistle.com
  • fardoun-wolfgangchdsmy.liposuctionexpertnjny.com

EK IP Addresses

  • 5.135.38.169: AS16276 | FR | ripencc | 2001-02-15 | OVH OVH SAS
  • 91.218.229.159: AS48172 | RU | ripencc | 2008-10-21 | OVERSUN Oversun Ltd
  • 178.32.193.221: AS16276 | FR | ripencc | 2001-02-15 | OVH OVH SAS
  • 178.32.193.230: AS16276 | FR | ripencc | 2001-02-15 | OVH OVH SAS
  • 178.32.193.250: AS16276 | FR | ripencc | 2001-02-15 | OVH OVH SAS

The following contain additional domains associated with these hosts:

Related activity

Observed redirection payloads have been seen at least as far back as November of this year. Related resources: