There has been an interesting battle between two exploit kits in the past few months. Following the demise of the Angler exploit kit in June, Neutrino EK assumed the lead position by having the top malware and malvertising campaigns defaulted to it. But since then, there have been several shake ups, and an underdog in the name of RIG EK replaced Neutrino EK on several high volume attacks from compromised websites.
Today we spotted a malvertising incident on popular website answers.com (2 million visits daily) via the same pattern that was used by Angler EK and subsequently Neutrino EK via the ‘domain shadowing‘ practice and the use of the HTTPS open redirector from Rocket Fuel (rfihub.com). Contributing to its recent expansion, RIG EK was the go-to exploit kit for this campaign.
Some visitors that browsed the knowledge-based website were exposed to the fraudulent and malicious advert and could have been infected without even having to click on it.
Domain shadowing:
- https://ads.retradio.com/www/delivery/afr.php?id=69151&target=_blank&click=http://r.turn.com/{redacted} -> Referer: http://www.answers.com/Q/What_is_Windows_7_loader
Open redirector and RIG EK:
- https://p.rfihub.com/cm?forward=http://speerhaaien.eclouds.co.uk/?wXqBcrWeKB3PAoI=l3SKfPrfJxzFGMSUb-{redacted}
RIG EK, the new Neutrino?
In early September we noticed a change in how RIG drops its malware payload. Rather than using the iexplore.exe process, we spotted instances where wscript.exe was the parent process of the dropped binary.
This may seem like a minor difference, but it has been Neutrino’s trademark for a long time and used as a way to bypass certain proxies. Below is a comparison of the script Neutrino EK and RIG EK leverage to download the encoded malware binary.
For the past weeks, RIG EK has been observed dropping the CrypMIC ransomware, a payload that Neutrino first served back in July.
More of the same fake advertisers
Threat actors are privileging RIG over its rival Neutrino as it can be seen from various malware campaigns. In the meantime, domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to bypass traditional defences at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel.
Since malvertising does not require any user interaction to infect your system, you should keep your computer fully up to date and uninstall unnecessary programs. Running an additional layer of protection, such as exploit mitigation software, ensures that drive-by download attacks leveraging zero-day vulnerabilities are also stopped.
Further reading:
Indicators of compromise:
- ads.retradio.com
- 63.141.242.35
Free certificate from COMODO CA lasts only 90 days and could be issued for free only once.
All the more reason to be running an ad-blocker, especially nowadays, Along with other anti-malware software, it really serves as a first line of defense if the offending ads aren’t being loaded in the first place.
I remember when ads really weren’t that bad, only a few to a page and generally not that invasive. But I started blocking them once they became like 50% (or more) of a page’s content, slowing down browsing especially with auto-playing videos and sounds that FOLLOW YOU AROUND and resist being closed as much as possible. And that was years ago, now with malware potentially lurking anywhere (even on sites that you’d think were secure) it’s even worse.
I ignore any site that I come across that asks me to disable my ad blocker to view their content. It’s not because I’m a “thief” but because it’s too risky NOT to have it on, and generally their anti-adblockers get defeated within days at most. It’s funny how they spend so much time and money trying to shame people into not using ad blockers when they should instead be trying to weed out malware / make ads what they used to be.
If using Firefox, suggest using adblocker Ultimate. Also UBlock Origin. Too many site owners have Adblocker Plus figured out.
A world without Ads is a better world, but i do feel for Websites/Blogs/YouTubers with nice content that fund through Ads. I can think of an Ad “sandbox” addon, instead of blocker. Maybe it’s not possible, maybe no one thought about it due to the “war on ads” mentality, dunno. I’d definitely use it.