Exploits served via malvertising campaign

Two months ago we released HitmanPro.Alert version 3 at the RSA Conference in San Francisco.

This major new version comes with protection against crypto-ransomware and exploits.

In these two months various companies started using HitmanPro.Alert version 3 to protect exploit-susceptible applications and critical documents against malware and zero-day attacks.

Malvertising campaign
Our telemetry shows that a major malvertising campaign has been active since Thursday, June 11th. This is in line with the findings of our colleagues at Fox-IT.

We’ve seen exploits being served through advertisements on these sites:

telegraaf.nl
volkskrant.nl
trouw.nl
parool.nl
dumpert.nl
theguardian.com
huffingtonpost.com
lemonde.fr
elle.com

HitmanPro.Alert 3 has been very successful, stopping hundreds of attacks from these sites by blocking the exploit and preventing the malware from ever entering the PC:

[Image: Telegraaf-intercepted]

Unlike antivirus technologies, the exploit mitigation technologies in HitmanPro.Alert require no updates, signatures or prior knowledge of an exploit attack or its payload to defend against it. Internet users do not need to seek refuge in ad blockers: HitmanPro.Alert allows safe use of the web without affecting the ad revenue of site owners, publishers and journalists, which matters most when visitor (victim) machines must run, or unknowingly run, outdated or vulnerable software.

[Image: standard-interface]

Below is an excerpt of the technical details of one of the blocked attacks; it shows that many of the attacks originate from Adobe Flash Player:


Mitigation   StackPivot

Platform     6.1.7601/x86 06_2a
PID          5272
Application  C:\Program Files\Internet Explorer\iexplore.exe
Description  Internet Explorer 10

Callee Type  AllocateVirtualMemory
             0x2506C000 (32768 bytes)

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  753A7A1B KernelBase.dll           VirtualAllocEx +0x33
2  753A7A47 KernelBase.dll           VirtualAlloc +0x18

3  54DF7C6F Flash32_17_0_0_169.ocx   IAEModule_IAEKernel_UnloadModule
            f7d8                     NEG          EAX
            1bc0                     SBB          EAX, EAX
            f7d8                     NEG          EAX
            c3                       RET         

Process Trace
1  C:\Program Files\Internet Explorer\iexplore.exe [5272]
   "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3648 CREDAT:209921 /prefetch:2

2  C:\Program Files\Internet Explorer\iexplore.exe [3648]
3  C:\Windows\explorer.exe [1032]
4  C:\Windows\System32\userinit.exe [1532]
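As an added example (not part of the original post, and not HitmanPro.Alert's own code), a small Python parser for the alert format shown above: it pulls out the mitigation, process and allocation details and names the first module below the Windows API wrappers as the likely origin of the allocation. The list of OS modules to skip is an assumption made for the example.

```python
import re

# Constructed sample: the HitmanPro.Alert excerpt quoted above, trimmed to the
# lines the parser needs (frame-3 disassembly and Process Trace left out).
SAMPLE_ALERT = """\
Mitigation   StackPivot
Platform     6.1.7601/x86 06_2a
PID          5272
Application  C:\\Program Files\\Internet Explorer\\iexplore.exe
Description  Internet Explorer 10
Callee Type  AllocateVirtualMemory
             0x2506C000 (32768 bytes)
Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  753A7A1B KernelBase.dll           VirtualAllocEx +0x33
2  753A7A47 KernelBase.dll           VirtualAlloc +0x18
3  54DF7C6F Flash32_17_0_0_169.ocx   IAEModule_IAEKernel_UnloadModule
"""

# Windows modules that normally sit between the hooked API and the real caller.
# This skip list is an assumption for the example, not taken from the product.
OS_MODULES = {"kernelbase.dll", "kernel32.dll", "ntdll.dll"}

FIELD_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Callee Type)\s{2,}(.+)$")
ALLOC_RE = re.compile(r"^\s+0x([0-9A-Fa-f]+) \((\d+) bytes\)$")
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s+(.*)$")

def parse_alert(text):
    """Turn one alert block into a dict of header fields, allocation and stack frames."""
    alert = {"frames": []}
    for line in text.splitlines():
        if m := FIELD_RE.match(line):
            alert[m.group(1)] = m.group(2).strip()
        elif m := ALLOC_RE.match(line):
            alert["alloc_address"] = int(m.group(1), 16)
            alert["alloc_size"] = int(m.group(2))
        elif m := FRAME_RE.match(line):
            alert["frames"].append({"n": int(m.group(1)), "address": int(m.group(2), 16),
                                    "module": m.group(3), "location": m.group(4).strip()})
    if "PID" in alert:
        alert["PID"] = int(alert["PID"])
    return alert

def origin_module(alert):
    """First frame below the OS wrappers: the module that actually requested the memory."""
    for frame in alert["frames"]:
        if frame["module"].lower() not in OS_MODULES:
            return frame["module"]
    return None
```

Feeding a batch of such alerts through `origin_module` gives a quick count of which modules (here the Flash Player ActiveX control) are behind the blocked allocations.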

Mistress Eve
Our telemetry shows that this specific attack took place between 2015-06-11 17:00 (CET) and 2015-06-15 16:30 (CET). Strikingly, the domain mistresseve.com seems to play a significant role in this attack.

[Image: MistressEve]

Zooming in on this domain, we logged the following hostnames, which indicates that the attackers have direct access to the DNS of this domain and can create additional hosts:

  • cannonries-anumdecimal.mistresseve.com
  • hesiterionswonderbloem.mistresseve.com
  • klonensahasrabudhe.mistresseve.com
  • primerolereloc.mistresseve.com
  • prost.mistresseve.com
  • pyhnen.mistresseve.com
  • suierveer.mistresseve.com
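As an added example (not from the original post), the check that the hostname pattern above suggests: group observed hostnames by registered domain and flag domains that accumulate many long, high-entropy subdomains, as mistresseve.com does here. The benign example.com hosts and the thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample: the seven hostnames listed above plus a few ordinary hosts on
# the reserved example.com domain, so the benign case is visible too.
OBSERVED_HOSTS = [
    "cannonries-anumdecimal.mistresseve.com",
    "hesiterionswonderbloem.mistresseve.com",
    "klonensahasrabudhe.mistresseve.com",
    "primerolereloc.mistresseve.com",
    "prost.mistresseve.com",
    "pyhnen.mistresseve.com",
    "suierveer.mistresseve.com",
    "www.example.com",
    "mail.example.com",
    "www.example.com",
]

def registered_domain(host):
    """Last two labels; a simplification that ignores multi-part suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_domains(hosts, min_subdomains=3, min_avg_len=8, min_avg_entropy=2.5):
    """Group hostnames by registered domain and flag domains whose distinct leftmost
    labels look generated: many of them, long, and high-entropy. The thresholds are
    assumptions chosen for this example, not tuned values."""
    labels = defaultdict(set)
    for host in hosts:
        parts = host.lower().rstrip(".").split(".")
        if len(parts) >= 3:  # bare registered domains carry no subdomain to judge
            labels[registered_domain(host)].add(parts[0])
    flagged = {}
    for domain, subs in labels.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(label_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_subdomains and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[domain] = {"subdomains": len(subs), "avg_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Content delivery networks and tracking services also generate labels like these, so a hit is a lead for the analyst rather than a verdict.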

The hostname pyhnen.mistresseve.com is also mentioned on the Malware Traffic Analysis website, which recorded an attack (a .pcap and a .zip with the malware are provided). The attack was carried out by the Angler Exploit Kit (as also confirmed by Fox-IT) and delivered the Bedep trojan through a vulnerability in Adobe Flash Player.

Angler Exploit Kit
The Angler Exploit Kit itself abuses CVE-2013-7331, a vulnerability in Internet Explorer 6 through 11, to determine whether the attack is taking place inside a research environment or in the presence of specific security software. If, for example, VMware or VirtualBox is detected, the exploit is not triggered, in an attempt to stay under the radar of defenders:

[Image: angler-ek]

An overview of the domains associated with this particular exploit kit deployment:


Bedep malware
This Bedep trojan horse is delivered in memory: it infects the computer without writing any file to disk that most antivirus software could find, scan or block. Researcher Kafeine wrote about the file-less Bedep infection on his website Malware Don’t Need Coffee in August last year.

This trojan also typically pulls in additional malware to perform, for example, click fraud, hurting advertising businesses. So advertisers are not only put in a bad light because the ad platform is abused to infect thousands of internet users; they also lose money from the fraudulent ad clicks, since the advertisers unknowingly pay the attackers.

But, as pointed out by Kafeine, the Angler Exploit Kit can serve each individual victim different malware.

Protect yourselves
You can read more about our HitmanPro.Alert software on this page:
http://www.hitmanpro.com/alert

Leaflet: HitmanPro-Alert-Brochure-2015.pdf

Download
To protect your computers against crypto-ransomware or exploits, download HitmanPro.Alert version 3 from here:
http://dl.surfright.nl/hmpalert3.exe (4 MB).
