We have been tracking an attack via .eu sites for several days but were missing the final payload. However, this changed when we managed to reproduce a live infection via an ad call coming from popular video streaming site DailyMotion, ranked among Alexa’s top 100 sites.
This malversiting incident happened via real-time bidding (RTB) within the WWWPromoter marketplace. A decoy ad (pictured below) from a rogue advertiser initiates a series of redirections to .eu sites and ultimately loads the Angler exploit kit.
The bogus advertiser is using a combination of SSL encryption, IP blacklisting and JavaScript obfuscation and only displays the malicious payload once per (genuine) victim. In addition, Angler EK also fingerprints potential victims before launching its exploits to ensure the user is not a security researcher, honeypot or web crawler.
We immediately contacted Atomx, the online media exchange platform used in the ad call, who informed us the issue was coming from WWPromoter and more specifically a malicious buyer (the rogue advertiser) on their network.
The incident was resolved very rapidly once the proper contacts were made and the problem isolated. For this, we would like to them all parties involved in taking such prompt action, therefore limiting the potential damage to innocent users.
This particular malvertising attack is one of a few campaigns we have been tracking which is much more sophisticated than the average incidents we encounter daily. We can say that lately threat actors have really stepped up their game in terms of being very stealthy and making a particular ad call look benign when reproduced in a lab environment.
Indeed, the problem comes when we suspect foul play but can’t prove it with a live infection. It is difficult to convince ad networks to take action, when on the surface there’s nothing wrong with a particular advertiser.
This is also a reminder that even popular sites with recognized brand names can still be used as a vector to distribute malware.
Malwarebytes Anti-Exploit users were protected against this attack (Flash CVE-2015-7645) which would have dropped Bedep and ad fraud, but possibly other payloads as well.
Technical details
Infection flow
- Publisher: dailymotion.com/video/xv1pn7_the-x-factor-uk-s09e22-live-shows-10-11-2012-part-1_shortfilms
- Ad call: p.ato.mx/placement?v=8&id=9146&size=728×90&type=iframe&b=0&domain=&screen=1600x900x24
&timezone=300&cookies=1&flash=1&r=http%3A%2F%2Fwww.dailymotion.com
%2Fvideo%2Fxv1pn7_the-x-factor-uk-s09e22-live-shows-10-11-2012-part-1_shortfilms - Malvertising: creative.wwwpromoter.com/pop-imp/1491/11672
- Fake advertiser (loads advert picture and JS): {sanitized}.eu/advertising.html
- Fake advertiser (booby trapped JS): {sanitized}.eu/scripts/media.js?
- Fake advertiser: {sanitized}.eu/advertising.html?tm=1449123577264
- Redirector (SSL) to Angler EK: worldbesttraffic.eu/
- Angler EK: ftuifio.vpkoqbs.eu/civis/viewforum.php?f=3s5&sid=vk830.1892qo288&
Fiddler view
If you would like more information about this attack, feel free to contact us via the usual means.
COMMENTS
Pingback: ste williams – Dailymotion hit by malvertising attack as perpetrators ‘up their game’()
Pingback: Dailymotion Targeted by Sophisticated Malvertising Campaign - LIFARS()
Pingback: 【DailyMotion】一般サイトもvvvウイルス(Angler EK)に感染していた事が判明 広告見ただけで感染|2chまとめ-チラ見速報()
Pingback: Start up: more PC decline, apps for 2016, the OLED iPhone delay, cars that snitch, and more | The Overspill: when there's more that I want to say()
Pingback: Daily Motion served malware to its 128m users | ITProPortal.com()
Pingback: Malvertising serves up Angler | Vanquish Merchant Bank News()
Pingback: Fortifying Networks – Malvertising serves up Angler()
Pingback: Malvertising Hits DailyMotion, Serves Up Angler EK()
Pingback: You say promoting, I say block that malware | Xenero()
Pingback: You say advertising, I say block that malware - SOGO Tech News()
Pingback: You say advertising, I say block that malware | KnowNaija()
Pingback: Engadget - Legitimate Work at Home Jobs & Opportunities()
Pingback: You say advertising, I say block that malware – ○○○○●○○○()
Pingback: You say promoting, I say block that malware | Word Wide News()
Pingback: You say advertising, I say block that malware | Lindauer Mac Consulting()
Pingback: You say advertising, I say block that malware | GoldenZine()
Pingback: Forbes asked readers to turn off adblockers then immediately served them malware | Daily Hackers News()
Pingback: Почему онлайн-реклама обречена, а баннерорезки ждет успех?()
Pingback: Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised - Palo Alto Networks BlogPalo Alto Networks Blog()
Pingback: You say advertising, I say block that malware | Tecnologia de mediosdemexico.com()
Pingback: Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised | @PhilipHungCao()
Pingback: Malvertising: what is it and how to browse safely - Security Curated()
Pingback: Angler Exploit Kit介绍(上集) – Hen's Blog()
Pingback: You say advertising, I say block that malware | Article Showcase()