Over the last several weeks we have observed an Estonian host at 184.108.40.206 as the target of malicious ad creatives served by various ad servers in Asia.
Since at least January 26th the host has been receiving traffic from those ad servers via several publishing sites in Indonesia and Malaysia. Sites observed running the ads include:
- www.bisnis.com, foto.bisnis.com, finansial.bisnis.com, business.bisnis.com
- www.infokomputer.com, www.pcplus.co.id
The following sample reports illustrate this malicious ad redirection:
The download page served by the malicious creatives matches a browser navigation manipulation proof-of-concept (PoC) published at exploit-db.com. The technique lets a web page make the browser download a file while it is directed to a different page, leaving the navigation bar pointing at a URL at the first location, so what the address bar shows and what the user actually receives do not match. In this attack the ads result in the download of a malicious Windows executable from a location such as:
The fake download dialog page is built from media hosted on the same sites that serve the downloads.
Reports of the distributed samples, courtesy of VirusTotal (MD5, filename, detection ratio, scan date, example detection names):
- b5e91896e93f59917640dbb82ff8ef9d: install_flashplayer12x03_mssd_aaa_aih.exe
  - 41/56 | 2014-12-20 | Backdoor.Win32.Androm.fola, Backdoor.Win32.Androm.Aww
- e1bba577472345d5f1a03b139ac6e892: install_flashplayer12x22_mssd_aaa_aih.exe
  - 40/57 | 2015-01-14 | Worm:Win32/Gamarue.AN, Backdoor.Win32.Androm.fomt
Based on the antivirus vendors' detection names, the distributed malware is most likely a build of the Andromeda/Gamarue bot. Andromeda is a malware loader popular in cybercrime circles because it lets criminals push arbitrary additional malware to compromised systems and use those systems for whatever purpose they choose. In a malvertising campaign this means that a portion of the visitors to the publishing websites end up installing software that gives remote attackers control over their computers, putting both the systems and the data on them at risk.
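The indicators listed above (the target host, the two sample hashes and the installer filenames) are enough to sweep proxy logs and quarantined downloads for this campaign. The following is an added example written for this page, not tooling from the original report: it checks constructed, Squid-style access log lines for requests to the host named above and for the fake Flash Player installer filenames, tags those that arrive via one of the publishers listed earlier, and matches downloaded files against the two published MD5 hashes. The log field layout, the client addresses and the generalised filename pattern are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Indicators taken from the report above.
MALVERTISING_HOST = "184.108.40.206"
KNOWN_MD5 = {
    "b5e91896e93f59917640dbb82ff8ef9d": "install_flashplayer12x03_mssd_aaa_aih.exe",
    "e1bba577472345d5f1a03b139ac6e892": "install_flashplayer12x22_mssd_aaa_aih.exe",
}
PUBLISHER_DOMAINS = ("bisnis.com", "infokomputer.com", "pcplus.co.id")

# Assumption: the campaign keeps the install_flashplayer<major>x<minor>_mssd_aaa_aih
# naming seen in the two samples, so the version digits are generalised here.
LURE_FILENAME_RE = re.compile(r"install_flashplayer\d+x\d+_mssd_aaa_aih\.exe$", re.I)

# Assumed log layout (constructed for this example): "timestamp client METHOD url referer".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<referer>\S+)$")


@dataclass
class Hit:
    client: str
    url: str
    referer: str
    reasons: List[str]


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def classify_request(url: str, referer: str) -> List[str]:
    """Return the reasons a single request looks like this campaign (empty if clean)."""
    reasons = []
    if _host(url) == MALVERTISING_HOST:
        reasons.append("request to known malvertising host")
    if LURE_FILENAME_RE.search(urlparse(url).path):
        reasons.append("fake Flash Player installer filename")
    ref_host = _host(referer)
    # The referer alone is not an indicator: legitimate traffic from these
    # publishers is normal. It only strengthens an existing hit.
    if reasons and any(ref_host == d or ref_host.endswith("." + d) for d in PUBLISHER_DOMAINS):
        reasons.append("referred from a publisher known to run the ads")
    return reasons


def scan_log(lines) -> List[Hit]:
    """Run classify_request over log lines; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify_request(m["url"], m["referer"])
        if reasons:
            hits.append(Hit(m["client"], m["url"], m["referer"], reasons))
    return hits


def lookup_md5(hexdigest: str) -> Optional[str]:
    """Map a known sample hash to the filename it was distributed under."""
    return KNOWN_MD5.get(hexdigest.lower())


def check_sample(data: bytes) -> Optional[str]:
    """Hash a quarantined file and match it against the published samples.
    MD5 is used only because that is the hash the report lists, not for any security property."""
    return lookup_md5(hashlib.md5(data).hexdigest())


# Constructed sample log: two benign lines and two that match the campaign.
SAMPLE_LOG = """\
1422300000.123 10.0.0.7 GET http://www.bisnis.com/ -
1422300001.456 10.0.0.7 GET http://184.108.40.206/install_flashplayer12x03_mssd_aaa_aih.exe http://finansial.bisnis.com/
1422300002.789 10.0.0.9 GET http://www.example.com/news.html http://www.bisnis.com/
1422300003.000 10.0.0.9 GET http://cdn.example.net/install_flashplayer12x22_mssd_aaa_aih.exe http://www.pcplus.co.id/
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.url} ({'; '.join(hit.reasons)})")
    print(lookup_md5("b5e91896e93f59917640dbb82ff8ef9d"))
```

The filename check is deliberately independent of the host check: the report only shows one download location, and a loader campaign can move its hosting while keeping the lure name, so a `install_flashplayer*.exe` fetched from anything other than Adobe's own domains deserves a look even when the IP has changed.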
At least the following ad servers have been observed serving the malicious ad creatives:
The following sites host the malicious redirection script as well as media for the download dialog and malware loader:
In October 2014, the site www.kenhuntfood.com was observed serving content that closely resembles the browser dialogs seen in the most recent malvertising activity. Similar UI elements were loaded into that page from the site aifadobe.com.