Websense® Security Labs™ researchers have been monitoring a mass scale malvertising campaign that leads to Angler Exploit Kit. The attack has affected users browsing to many popular sites, including CNN Indonesia, the official website of Prague Airport, Detik, AASTOCKS, RTL Television Croatia, and the Bejewled Blitz game on Facebook. According to SimilarWeb, these sites have a combined total of at least 50 million visitors per month.
Image 1. Heatmap of geographical locations affected by this malvertizing campaign in May 2015
The following are some of the key features of this campaign:
- Revive Adserver scripts are injected with code
- The injected code is evasive and stealthy
- Angler Exploit Kit infects the victim's machine with malware
- The Bunitu trojan has been used
- At least 50 million users per month are at risk
Websense customers are protected against this threat via real-time analytics with ACE, the Websense Advanced Classification Engine, at the different stages of the attack detailed below:
- Stage 2 (Lure) – ACE has protection against websites injected with malicious content.
- Stage 3 (Redirect) – ACE has protection against known redirects associated with this campaign.
- Stage 4 (Exploit Kit) – ACE has protection against the Angler Exploit Kit and exploit delivery content via real-time analytics.
- Stage 5 (Dropper) – ACE has protection against known Bunitu samples.
- Stage 6 (Call Home) – ACE has detection for command and control infrastructure known to be associated with Bunitu.
What is Revive Adserver?
Revive Adserver is an open source advertizing technology formerly known as OpenX Source. It allows businesses to host and manage their own advertizing services rather than relying on third party services, and it is common for multiple websites to use the same Revive Adserver script.
We have seen compromised Revive Adserver scripts used in malvertising in the past, and seemingly this continues to be a target of interest for cybercriminals.
Angler Exploit Kit Strikes Again
The code injected into the compromised Revive Adserver scripts in this campaign have been seen to lead to the very prevalent Angler Exploit Kit. The injected code is not always sent when the script is requested, making it difficult to detect with automated analysis tools. In addition, Angler Exploit Kit will only serve up the malicious exploit code once per IP in a 24 hour period or so.
Since April we have seen compromised Revive Adserver scripts being used by several highly popular websites, including CNN Indonesia, Detik, Prague Airport, AASTOCKS, RTL Television Croatia, and the official Bejewled Blitz game on Facebook. Some of these only seem to contain the injected code for 24 hours, whilst others have remained compromised for weeks. Recently, we saw an interesting infection chain from the popular Croatian website Forum[.]hr (Alexa 15 in Croatia) which has been using a compromised Revive Adserver script from third-party advertiser ads3.monitor[.]hr
Image 2, 3 & 4. A compromised advertizing script on ads3.monitor[.]hr displays a legitimate advert whilst malicious code executes in the background
The injected code led to a redirect, and then to Angler Exploit Kit which exploited the latest Adobe Flash Player vulnerability (CVE-2015-3090). Recently the exploit kit has been distributing CryptoWall 3.0, Bedep and Necurs but we saw a different payload, a trojan known as 'Bunitu'.
Bunitu Malware Turns Your Machine into a Zombie
The Bunitu malware dropped by Angler caused our infected machine to act as a proxy, in theory allowing our computer's network connection to be used for subsequent malicious activity. Cybercriminals often use this tactic in order to hide their tracks from authorities, behind legitimate users' machines. The SHA1 for the sample we saw is 004e9a3ea2670a76ee90067ff29816c31908e552.
Bunitu drops and loads a DLL within its own process which opens two random ports on the infected machine for a SOCKS5 proxy and an HTTP proxy, and in our case these were ports 8322 & 56100 respectively. It contains a hard-coded call home/command-and-control IP of 85.17.142[.]21:53 which it tries to contact twice in order to report our infection and which ports it has opened on our machine:
Image 5. Bunitu calling home and reporting an infection, along with which proxy ports are opened on the infected machine
The malware also has back-up infrastructure in case the hard-coded call home server is not available. It attempts to resolve nsb.quixjoumnf[.]com, resulting in an IP of 110.201.214[.]114. The hexadecimal value of this IP address is represented in memory as 0x72D6C96E, and Bunitu then XORs this value against a hard-coded value of 0x16EC1A31, resulting in 0x643AD35F. This final value is the hexadecimal representation of another IP, 95.211.58[.]100 which is used as a call home by Bunitu after the initial two attempts to the hard-coded server. This routine can be seen in the following image:
Image 6. Bunitu XOR routine for resolving IP addresses
There are also two more back-up addresses that Bunitu can resolve if nsb.quixjoumnf[.]com does not resolve; here is a representation of how the call home infrastructure is determined:
Bunitu regularly sends heartbeats to its C&C so that it can be determined which machines are currently active and infected.
Advertising networks continue to be a point of focus for cybercriminals, opening up avenues to infect millions of users with minimal effort. The growing nature of evasion, stealth, and variation employed in the malicious code means that it's more important now than ever to deploy a security solution capable of stopping threats at multiple points in the 7 stages kill chain.
Indicators of compromise can be found below.
SWF Exploit: feb33f3a3ac53203697d2b04ddbefa038b199a21
Bunitu EXE: 004e9a3ea2670a76ee90067ff29816c31908e552
Bunitu DLL: fc512fc9ad3501aecf8fab06d2c76447879520d0