Tags: ad / malware

Over the last several weeks we have observed an Estonian host at 194.204.20.1 acting as the redirect target of malicious ad creatives served by various ad servers in Asia.

At least as far back as January 26th we have seen the host receiving traffic from these ad servers via several publishing sites in Indonesia and Malaysia. Sites observed running the ads include:

  • www.bisnis.com, foto.bisnis.com, finansial.bisnis.com, business.bisnis.com
  • www.reanaclaire.com
  • kuchingnite.blogspot.com
  • hayleyong84.blogspot.com
  • www.infokomputer.com, www.pcplus.co.id

The following sample reports illustrate this malicious ad redirection:

Details

The download page served by the malicious creatives matches a browser navigation manipulation proof-of-concept exploit published at exploit-db.com. The technique lets a web page trigger a file download from one location while directing the browser to a different page, leaving the address bar pointing at a URL at the first location rather than at the true origin of the download. In this attack, the ads result in the download of a malicious executable from a location such as:

http://ailadobe.com/downloads/install_flashplayer16x43_mssd_aaa_aih.exe

The download dialog page is built from media hosted on the same sites that serve the downloads.

[Figure: download dialog page, download popup dialog markup]

[Figure: download dialog page, actual browser navigation destinations]

Reports of distributed samples courtesy of VirusTotal:

Based on the antivirus vendors' detection names, the distributed malware is likely a build of the Andromeda/Gamarue bot. This is a malware loader popular in cybercrime circles because it lets criminals push arbitrary malware installations to compromised systems and abuse them for whatever purpose they choose. In a malvertising attack this means that a portion of the visitors to the publishing websites end up installing software that gives remote attackers control of their computers, putting their systems and data at risk.

Technical Indicators

Ads Domains

At least the following ad servers have been observed serving the malicious ad creatives:

  • ads.bisnis.com
  • a.clickme.my
  • ads.pcplus.co.id

Malicious Sites

The following sites host the malicious redirection script as well as media for the download dialog and malware loader:

  • 194.204.20.1/openx/www/images/js/banner.js
  • aibadobe.com
  • aicadobe.com
  • aifadobe.com
  • aigadobe.com
  • aijadobe.com
  • ailadobe.com
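The indicators above are most useful when they can be run over proxy or DNS logs to find which clients touched the ad servers, the redirection script, the look-alike domains and, most importantly, the executable. The following matcher is an added example, not code from the original write-up or from the ad servers involved. It assumes a simple whitespace-separated log layout (timestamp, client IP, method, URL, status), generalises the six observed look-alike names to the whole ai?adobe.com family (an assumption about how the operators rotate names), anchors only the fixed `install_flashplayer` prefix of the payload filename, and runs over constructed sample lines rather than real traffic. It deliberately does not flag the publisher sites themselves, which are victims rather than indicators, nor bare requests to the Estonian IP that do not fetch the redirection script.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the write-up above.
AD_SERVERS = {"ads.bisnis.com", "a.clickme.my", "ads.pcplus.co.id"}
REDIRECTOR_IP = "194.204.20.1"
REDIRECTOR_PATH = "/openx/www/images/js/banner.js"
OBSERVED_LOOKALIKES = {
    "aibadobe.com", "aicadobe.com", "aifadobe.com",
    "aigadobe.com", "aijadobe.com", "ailadobe.com",
}
# Assumption: the operators rotate the third letter, so match the whole
# ai?adobe.com family rather than only the six names observed so far.
LOOKALIKE_RE = re.compile(r"^ai[a-z]adobe\.com$", re.IGNORECASE)
# Payload name seen: install_flashplayer16x43_mssd_aaa_aih.exe; the build
# suffix is assumed to vary, so only the fixed prefix is anchored.
PAYLOAD_RE = re.compile(r"^/downloads/install_flashplayer[0-9a-z_]*\.exe$", re.IGNORECASE)

URL_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:\s]+)(?::\d+)?(?P<path>/\S*)?$")


@dataclass
class Hit:
    line_no: int
    client: str
    category: str   # "ad_server", "redirector", "lookalike" or "payload"
    indicator: str


def parse_url(url: str) -> Optional[Tuple[str, str]]:
    """Split a URL into (lowercase host, path without query string)."""
    m = URL_RE.match(url.strip())
    if not m:
        return None
    path = (m.group("path") or "/").split("?", 1)[0]
    return m.group("host").lower(), path


def classify(host: str, path: str) -> Optional[Tuple[str, str]]:
    """Return (category, indicator) if host/path matches an IOC, else None.

    Publisher sites such as www.bisnis.com are victims, not indicators, so
    only the exact ad-server hostnames are flagged; a request to the
    Estonian IP counts only if it fetches the redirection script.
    """
    if host in AD_SERVERS:
        return "ad_server", host
    if host == REDIRECTOR_IP:
        return ("redirector", host + path) if path == REDIRECTOR_PATH else None
    if host in OBSERVED_LOOKALIKES or LOOKALIKE_RE.match(host):
        if PAYLOAD_RE.match(path):
            return "payload", host + path
        return "lookalike", host
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Assumed log layout: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        parsed = parse_url(parts[3])
        if parsed is None:
            continue
        result = classify(*parsed)
        if result is not None:
            hits.append(Hit(n, parts[1], result[0], result[1]))
    return hits


def clients_that_fetched_payload(hits: List[Hit]) -> List[str]:
    """Clients that pulled the executable are the ones to triage first."""
    return sorted({h.client for h in hits if h.category == "payload"})


# Constructed sample log lines (not real traffic). Line 5 uses a domain that
# is not on the observed list, to show the family pattern catching it.
SAMPLE_LOG = [
    "2015-02-03T10:00:01 10.0.0.5 GET http://www.bisnis.com/ 200",
    "2015-02-03T10:00:02 10.0.0.5 GET http://ads.bisnis.com/serve?zone=1 200",
    "2015-02-03T10:00:03 10.0.0.5 GET http://194.204.20.1/openx/www/images/js/banner.js?v=2 200",
    "2015-02-03T10:00:04 10.0.0.5 GET http://ailadobe.com/downloads/install_flashplayer16x43_mssd_aaa_aih.exe 200",
    "2015-02-03T10:00:05 10.0.0.7 GET http://aikadobe.com/images/dialog.png 200",
    "2015-02-03T10:00:06 10.0.0.7 GET http://www.adobe.com/ 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.category}: {hit.indicator}")
    print("clients to triage:", clients_that_fetched_payload(scan(SAMPLE_LOG)))
```

On the constructed lines the scanner flags the ad server, the banner.js fetch, the executable download and the unlisted aikadobe.com host, and reports 10.0.0.5 as the only client that actually pulled the payload; the two requests to www.bisnis.com and www.adobe.com are left alone. The look-alike regex trades a small false-positive risk for coverage of names the campaign has not yet used, which is the usual call when the observed set is clearly one generated family.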

Related activity

[Figure: kenhuntfood.com rogue content, related content on www.kenhuntfood.com]

In October 2014, www.kenhuntfood.com was observed serving content that closely resembles the browser dialogs seen in the most recent malvertising activity; similar UI elements were loaded into that page from aifadobe.com.