The HookAds Malvertising Campaign

The HookAds Malvertising Campaign by Jérôme Segura of Malwarebytes The HookAds Malvertising Campaign

Not long ago we wrote about a new piece of malware called 'Trick Bot' which we caught in a malvertising attack via a high trafficked adult website. In the meantime, we uncovered another malvertising campaign that started at least in mid-August, and which leverages decoy adult portals to spread malware. Internally, we call it the HookAds campaign based on a string found within the delivery URL.

What's interesting in this specific attack chain is the use of adult sites injected with new rogue ad domains that change quite frequently. However, upstream traffic to those adult sites also shows a pattern of malvertising via the usual suspects. In this post, we take a look at the distribution channel and the rogue infrastructure behind HookAds.

The fake ad server infrastructure grew during the past few months and our honeypots caught 3 sequential IP addresses that host over a hundred rogue ad domains. All of these domains have been registered with the intention of looking like advertising platforms. 

Link with previous campaign

There is one distribution path that connects this campaign with the one we previously caught. In fact, much of the traffic sent to HookAds comes from malvertising on top adult sites that generate millions of visits a month. Visitors to the first XXX site will be redirected to the decoy secondary site via a simple malvertising chain.

imageMalware

Converting adult traffic

We estimate that at least one million visitors to adult websites were exposed to this particular campaign. Adult traffic is funneled to one of several decoy adult websites where an iframe to adult banner is injected dynamically. The ad is served from a third-party server which performs cloaking in order to detect whether this is legitimate new traffic or not.

Non-targets are served a banner ad which redirects to other adult sites, via legitimate ad networks. However, that same server can also serve a malicious script instead, whose goal is to redirect the victim to the RIG exploit kit (back in August, Neutrino EK was pushed). The overall flow can be summarized in the diagram below:

imageFlow diagram

Fake ad server infrastructure

The fake ad server infrastructure grew during the past few months and our honeypots caught 3 sequential IP addresses that host over a hundred rogue ad domains. All of these domains have been registered with the intention of looking like advertising platforms. While some domains were used for long periods of time, most switched every day or so to let a new one in.

Sponsoring Registrar: EvoPlus Ltd

Name Server: NS[0-9].TOPDNS.ME

185.51.244.206

image

185.51.244.207

image

185.51.244.207

image

Exploit kit and payload overview

This campaign yields a fair amount of traffic that is fed to the RIG-v exploit kit, the latest (VIP) version of RIG EK. One of the early changes with RIG-v was a different landing page from the classic version, with the use of Unicode characters. Another change came more recently with new, less predictable URL patterns.

imageTraffic Papras

Below is a decoded portion of the RIG-v landing page (many thanks to David Ledbetter) showing the new URL structure (thank you, @malfosec for asking me about it).

imageDecoded portion of RIG-v landing page

The Flash exploit RIG-v uses is protected by SWFLOCK, an online obfuscator/cryptor for Flash files (other EKs like Magnitude use DoSWF) which has the following very helpful features:

Code obfuscation and encryption using our proven technology Prevent your SWF from running offline or on other websites Allow your SWF to run for a given trial period only Protectyour SWF with a password

imageSWFLOCK

There were a lot of payloads dropped throughout this campaign (for a partial list of hashes, please refer to the IOCs below).

Conclision

The HookAds malvertising campaign is still running at the time of writing this post, with new rogue ad domains getting registered each day. We are blocking the malicious IP range to protect our customers and Malwarebytes Anti-Exploit users are also shielded against the RIG exploit kit.

IOCs

IPs

185.51.244.206

185.51.244.207

185.51.244.208

Domains:

adbreak.info

adsads.info

adsgodzilla.info

adsjam.info

adsloop.info

adspaces.info

adsplaces.info

adsstock.info

adsyndicate.info

adszones.info

adultadspace.info

adultbanner.info

adultmedia.info

adultspace.info

adzones.info

bannerplant.info

basicclicks.net

besthookup.info

betterad.info

bonbonads.info

bonuscpm.info

bonusmedia.info

boostedads.info

brothermedia.info

bucksdelivery.info

bulbcpm.info

canelonads.info

chooseyourads.info

clickandjoy.info

clickerbonus.info

clickspoint.info

cometamedia.info

comspacecom.info

coolads.info

coolbanner.info

cooperloop.info

cozyads.info

crazycpm.info

crazymedia.info

deluxeads.info

doodleads.info

endcpm.info

entropymedia.info

exxtraprofit.info

famousads.info

fancyads.info

ferroad.info

ferromedia.info

findsilver.info

flashspots.info

fortynn.info

foxycpm.info

freehookuper.info

freshcpm.info

freshmedias.info

frogbigfrog.info

front-page.info

frontrows.info

frtyd.info

frtyegt.info

frtyeht.info

frtyff.info

frtyffe.info

frtyfr.info

frtys.info

frtysvn.info

frtysx.info

frtyten.info

fruitsmedia.info

fullpagecpm.info

funnycpms.info

geniusmedia.info

globuscpm.info

gogobanner.info

goldcpm.info

goldenmedias.info

hookupfind.info

hookupmatch.info

hookupsearch.info

hopstops.info

jockermedia.info

kilomedia.info

luxuryads.info

madiabonus.info

mamasmedia.info

mediadelux.info

mediaoffer.info

mediaqboost.info

mediasforest.info

mediashouse.info

mediaspot.info

mediasupply.info

mediaszone.info

mediaszones.info

mediawonder.info

mightycpm.info

mindflash.info

monkeybusy.info

monstercpm.info

multiads.info

okandok.info

pandasmedia.info

papasads.info

parishads.info

penads.info

pointofprofit.info

popularmedias.info

porkymedia.info

postermedia.info

profitbanner.info

promolinks.info

promorobot.info

prormohookup.info

pushtheads.info

randomads.info

rangoomedia.info

rearmedia.info

revolverads.info

richcpm.info

safemedia.info

scrollpgp.com

sensecpm.info

shockdelivery.info

silentmedia.info

silvermedias.info

smarterads.info

sputnikads.info

standupmedia.info

startmedia.info

staycold.info

supperpromo.info

swagads.net

sweeptip.info

swipeflirts.info

swipesflirt.info

takemeup.info

thousandads.info

trafficprofit.info

trustedmedias.info

ugetmore.info

uniquemedias.info

vertigoads.info

whitecpm.info

wideads.info

wildwildmedia.info

yoursbanner.info

zorroads.info

Malware hashes:

329c033b15df3cb41dc9aed57272a0dd125f9c85f027ce2954b620261cf3d074 c15710703cbcbaa17324a69cb274b262795a5bd8700a89b3fa8abcf72e613f50 e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d 83a9f0f488e5f1046c5914b65877fb37e8ae7fa185f334cdc683cbd7e4614869 bd58161f66335f72614982d9f81c999cde3b2da8660e16cec15c298b2a995371 a96b468620ffa3f3a93198d99710c83a575206412e6a958c0c09007fcea05832 746d859772d0a7de26e47e2dfc2bf722eea90f65e0497a0e4d87e06f4ab183b8 c13ece2c81769af954fae66ee89ec0d2491bbb839d22f27bb9b048ea9e460d4a f473c2b4caf126a1b82284e2914838d18005c88a739355b42da16e5dc4caa3f4 124e4608528c013f4e14655d90beee3ded8c8b3aa54356a24d5c483c6818502a 03070471659084b60a05efcd5d252c3d7ed53089522dfbf816868a6eb0c947e4 85dd8381e73474b63aa5d70656cae94b6be5e863b6ff6287d981488538e6b99c 7b6bea5fec6da2782db6ac4d71414a3425d4605bcd8332d2e1f518d6388cae45 e2a2395da1b0ccac51a0ad858a8de95bc7664f753d4b9a86c8f866f8353136e6 4979bbceccbb991c909307d452666168ce660374079e299a13abae02c08960c1 429f1ec2ef25338c33bac28421e6ecb5e436211a7c56396bee3d4398ef4344ee e8abc7a39547bc1d6949bb8e2543bd6caddec8e873c441815a1d6c3ad2d63191 5b62f31b10cd19548ce294929827bf39d5c9c91ce5cc18391308b983363bf80f 94442f616763e37dc0ef7dd8358b80dfc07a4ae2b355c3fd39aa09957b300c78 61304505a4e2fbfc77dd4b6ce3cc01ebb1a6ab2d444b65e415bd9ac22dbeb899