Rewterz Threat Alert – Malvertising Campaigns Revive With New Delivery Methods

Severity

Medium

Analysis Summary

After a long while, Malvertising campaigns are back with their exploit kits. A fallout exploit kit campaign is discovered distributing the Raccoon Stealer via high-traffic adult sites. After being reported, the same threat actor came back again using the RIG exploit kit instead.Then the largest campaign was launched recently on top site xhamster[.]com from a malvertiser who managed to abuse practically all adult ad networks. The campaigns are targeting users running Internet Explorer without any particular geolocation restriction, although the majority of victims were in the US. In this campaign, the crooks abused the popular ad network ExoClick by using different redirection pages. Simple server-side cloaking performs the redirect to a Fallout exploit kit landing page which attempts to exploit CVE-2019-0752 (Internet Explorer) and CVE-2018-15982 (Flash Player) before dropping the Raccoon Stealer. Another domain websolvent[.]me also became active but used a different redirection technique, a 302 redirect, also known as 302 cushioning. This time we see the RIG exploit kit which also delivers Raccoon Stealer. 

The second malvertiser (‘malsmoke’) is another one whose end payload is often the Smoke Loader malware. The gates used by this group also use a decoy site and over time they have registered domains mocking ad networks and cloud providers. The redirection mechanism is more sophisticated than those used in other malvertising campaigns. There is some client-side fingerprinting and connectivity checks to avoid VPNs and proxies, only targeting legitimate IP addresses. Interestingly, this Smoke Loader instance also downloads Raccoon Stealer and ZLoader. 

Impact

• Credential Theft
• Theft of Sensitive Information

Indicators of Compromise

Domain Name

• bumblizz[.]com
• surdised[.]com
• einlegesohle[.]com
• encelava[.]com
• krostaur[.]com
• uneaskie[.]com
• adexhangetomatto[.]space
• canadaversaliska[.]info
• 2831ujedkdajsdj[.]info
• dkajsdjiqwdwnfj[.]info
• 928eijdksasnfss[.]info
• leiomity[.]com
• chinadevmonster[.]top
• websolvent[.]me
• intica-deco[.]com

MD5

• 91879bdd73625ac38c31fe5225310e92
• 28e1ea946d629fdb8736f84deb39533a

SHA-256

• 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b
• b289155154642ba8e9b032490a20c4a2c09b925e5b85dda11fc85d377baa6a6c

SHA1

• a007b979483ee6b57b93a11340932a60f5781570
• 2317821cb4531bd8c82ad27758dc91b396e74716

Source IP

• 34[.]105[.]147[.]92

URL

• http[:]//surdised[.]com/coexo[.]php
• http[:]//bumblizz[.]com/auflexexo[.]php
• http[:]//krostaur[.]com/jpflexo[.]php
• http[:]//einlegesohle[.]com/indexx[.]php
• http[:]//krostaur[.]com/jpexo[.]php
• http[:]//leiomity[.]com/usflexexo[.]php
• http[:]//bumblizz[.]com/auexo[.]php
• http[:]//surdised[.]com/usexo[.]php
• http[:]//chinadevmonster[.]top/gate/log[.]php
• http[:]//krostaur[.]com/jpflexexo[.]php
• http[:]//leiomity[.]com/usexo[.]php
• http[:]//bumblizz[.]com/usexo[.]php
• http[:]//bumblizz[.]com/usflexexo[.]php
• http[:]//leiomity[.]com/ukflexexo[.]php
• http[:]//bumblizz[.]com/caflexexo[.]php
• http[:]//leiomity[.]com/ukexo[.]php
• http[:]//34[.]105[.]147[.]92/gate/log[.]php
• http[:]//bumblizz[.]com/caexo[.]php

Remediation

• Block the threat indicators at their respective controls.
• Keep all products patched against all known vulnerabilities.
• If you’re using Internet Explorer, migrate to a modern and fully supported browser.