The HookAds malvertising campaign
Not long ago we wrote about a new piece of malware called ‘Trick Bot’, which we caught in a malvertising attack via a highly trafficked adult website. In the meantime, we uncovered another malvertising campaign that started at least as early as mid-August and which leverages decoy adult portals to spread malware. Internally, we call it the HookAds campaign, based on a string found within the delivery URL.
What’s interesting in this specific attack chain is the use of adult sites injected with new rogue ad domains that change quite frequently. However, upstream traffic to those adult sites also shows a pattern of malvertising via the usual suspects. In this post, we take a look at the distribution channel and the rogue infrastructure behind HookAds.
Link with previous campaign
There is one distribution path that connects this campaign with the one we previously caught. In fact, much of the traffic sent to HookAds comes from malvertising on top adult sites that generate millions of visits a month. Visitors to the first XXX site will be redirected to the decoy secondary site via a simple malvertising chain.
Malware (Ursnif): 3d26585fac57027df4a68fa282ebfcc818aabb59ae6627325c2c4201cd2d6b80
Converting adult traffic
We estimate that at least one million visitors to adult websites were exposed to this particular campaign. Adult traffic is funneled to one of several decoy adult websites, where an iframe pointing to an adult banner ad is injected dynamically. The ad is served from a third-party server which performs cloaking in order to determine whether the request comes from genuine, first-time visitor traffic or not (for example, a researcher or crawler revisiting the page).
Non-targets are served a harmless banner ad that redirects to other adult sites via legitimate ad networks. However, that same server can also serve a malicious script instead, whose goal is to redirect the victim to the RIG exploit kit (back in August, Neutrino EK was pushed instead). The overall flow can be summarized in the diagram below:
Fake ad server infrastructure
The fake ad server infrastructure grew during the past few months, and our honeypots caught three sequential IP addresses that host over a hundred rogue ad domains. All of these domains were registered with the intention of looking like advertising platforms. While some domains were used for long periods of time, most were rotated out every day or so and replaced by a newly registered one. The domains share the same sponsoring registrar and name server pattern, which makes them easy to pivot on:
Sponsoring Registrar: EvoPlus Ltd
Name Server: NS[0-9].TOPDNS.ME
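Three contiguous IPs plus one shared name-server pattern is exactly the kind of infrastructure overlap a defender can pivot on to cluster the rotating domains before each new one is seen in traffic. The following Python is an added example of that pivot, not code from the Malwarebytes post: it groups passive-DNS style records into runs of sequential IPv4 addresses and scores each run by how many of its domains use a name server matching NS[0-9].TOPDNS.ME. The domain names, IP addresses and the second registrar are constructed for illustration; only the name-server pattern and the registrar name EvoPlus Ltd come from the post, and the thresholds (`min_domains`, `min_share`) are assumptions to be tuned against real data.

```python
"""Infrastructure pivot on sequential IPs + shared name server.

Added example (not the original post's code). RECORDS is a constructed
dataset; the NS pattern and the registrar 'EvoPlus Ltd' are the only
indicators taken from the post.
"""
import ipaddress
import re
from collections import defaultdict

# Name-server pattern reported in the post (case-insensitive, trailing dot tolerated)
NS_PATTERN = re.compile(r"^ns[0-9]\.topdns\.me$", re.IGNORECASE)

# Constructed passive-DNS / whois style records: (domain, IPv4, NS host, registrar)
RECORDS = [
    ("adserve-metrics.example", "203.0.113.10", "ns1.topdns.me", "EvoPlus Ltd"),
    ("bannerhub-cdn.example",   "203.0.113.10", "ns2.topdns.me", "EvoPlus Ltd"),
    ("clickflow-ads.example",   "203.0.113.11", "ns1.topdns.me", "EvoPlus Ltd"),
    ("promo-network.example",   "203.0.113.12", "ns3.topdns.me", "EvoPlus Ltd"),
    ("shop-legit.example",      "198.51.100.7", "ns1.hosting.example", "Other Registrar"),
    ("blog-legit.example",      "198.51.100.8", "ns1.hosting.example", "Other Registrar"),
    ("lonely-ad.example",       "192.0.2.50",   "ns4.topdns.me", "EvoPlus Ltd"),
]


def ns_matches(ns: str) -> bool:
    """True when the NS hostname fits the NS[0-9].TOPDNS.ME pattern."""
    return NS_PATTERN.match(ns.strip().rstrip(".")) is not None


def sequential_blocks(ips, max_gap: int = 1):
    """Group IPv4 addresses into runs of sequential addresses.

    Consecutive (sorted) addresses that differ by at most max_gap land in the
    same run. Returns a list of (first_ip, last_ip) string pairs, ascending.
    """
    addrs = sorted({ipaddress.IPv4Address(ip) for ip in ips})
    blocks, current = [], []
    for addr in addrs:
        if current and int(addr) - int(current[-1]) > max_gap:
            blocks.append(current)
            current = []
        current.append(addr)
    if current:
        blocks.append(current)
    return [(str(b[0]), str(b[-1])) for b in blocks]


def pivot(records, min_domains: int = 2):
    """Map each IP run hosting >= min_domains domains to its members.

    Value: {"domains": sorted names, "registrars": sorted set,
            "topdns_share": fraction of members on the suspect NS}.
    """
    by_ip = defaultdict(list)
    for domain, ip, ns, registrar in records:
        by_ip[ip].append((domain, ns, registrar))

    result = {}
    for first, last in sequential_blocks(by_ip):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        members = [m for ip, lst in by_ip.items()
                   if lo <= int(ipaddress.IPv4Address(ip)) <= hi for m in lst]
        if len(members) < min_domains:
            continue  # a single domain on a lone IP is not a cluster
        share = sum(ns_matches(ns) for _, ns, _ in members) / len(members)
        result[(first, last)] = {
            "domains": sorted(d for d, _, _ in members),
            "registrars": sorted({r for _, _, r in members}),
            "topdns_share": share,
        }
    return result


def suspect_domains(records, min_domains: int = 2, min_share: float = 0.5):
    """Domains that sit in a multi-domain IP run mostly served by the suspect NS."""
    out = set()
    for info in pivot(records, min_domains).values():
        if info["topdns_share"] >= min_share:
            out.update(info["domains"])
    return sorted(out)


if __name__ == "__main__":
    for block, info in pivot(RECORDS).items():
        print(block, info)
    print("suspect:", suspect_domains(RECORDS))
```

Note that `lonely-ad.example` is not flagged even though it uses the suspect name server: on its own IP it carries no corroborating signal, which is the point of requiring both indicators before adding a domain to a blocklist. In practice the records would come from a passive-DNS feed and a whois export rather than a hard-coded list, and the IP runs found this way are what the post refers to as the blocked malicious range.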
Exploit kit and payload overview
This campaign yields a fair amount of traffic that is fed to the RIG-v exploit kit, the latest (VIP) version of RIG EK. One of the early changes in RIG-v was a landing page that differs from the classic version and makes use of Unicode characters. Another, more recent change is a set of new, less predictable URL patterns.
Below is a decoded portion of the RIG-v landing page (many thanks David Ledbetter) showing the new URL structure (thanks @malforsec for asking me about it).
The Flash exploit RIG-v uses is protected by SWFLOCK, an online obfuscator/cryptor for Flash files (other EKs, such as Magnitude, use DoSWF), which advertises the following very helpful features:
- Code obfuscation and encryption using our proven technology
- Prevent your SWF from running offline or on other websites
- Allow your SWF to run for a given trial period only
- Protect your SWF with a password
There were a lot of payloads dropped throughout this campaign (for a partial list of hashes, please refer to the IOCs below).
The HookAds malvertising campaign is still running at the time of writing this post, with new rogue ad domains getting registered each day. We are blocking the malicious IP range to protect our customers and Malwarebytes Anti-Exploit users are also shielded against the RIG exploit kit.