Cyphort Labs reached out to Simpleviewinc.com on July 2, but as of today, we have not received a response or acknowledgement.

Serving malware and exploits through Ad networks has been a common problem in recent years, and threat actors take a special interest in DMO Ad networks during summer holidays and long weekends, because more users are looking for travel information at those times, providing a large audience for exploitation. The issue is serious enough that the US Senate discussed the hazards of this malware delivery mechanism and its implications for consumer security in a recent report.

With the increasing complexity of Ad syndication and dynamic content creation, we anticipate more incidents of infection delivered through Ad networks. We strongly encourage Ad network providers to take steps to enhance their security monitoring of Ad content in order to build a more secure ecosystem for all. If you have any interaction with an Ad network or DMO sites, we encourage you to read and share this post, and if you do business with Simpleviewinc.com, whether they respond to us or not (and we hope they do), encourage them to address our findings.

Here’s how the attack works:

Each tourist destination is promoted by a DMO, which is usually a government organization or a government-subsidized organization. Most of the content on a DMO website is provided by backend providers such as Destination Travel Network (DTN).

[Image: DMO-1]
We analyzed a few of the incidents in which malicious Ads were injected into DMO websites and other leisure-activity websites. The exploit delivery pattern is common across all of the injections. In all of these incidents, we noticed that the actor used one single central server to deliver exploits from his “cluster of domains”. We were able to correlate this pattern with infections of non-leisure websites too. The actors have very good control over various Ad networks; some domains in Italy and the UK also served exploits from the same “cluster of domains”.

[Image: DMO-2]

List of DMOs that served malware around the July 4 holiday weekend:

[Screenshot: list of DMOs that served malware around the July 4 weekend]

List of DMOs that use Simpleviewinc’s Ad servers:

  • www.seemonterey.com
  • www.visittucson.org
  • www.visitmyrtlebeach.com
  • www.southshorecva.com
  • www.tourismvictoria.com
  • www.visitokc.com
  • www.catchdesmoines.com
  • www.denver.org
  • www.fortworth.com
  • www.gowichita.com
  • www.maconga.org
  • www.thisiscleveland.com
  • www.tourismrichmond.com
  • www.valleyforge.org
  • www.visitaggieland.com
  • www.visitdallas.com
  • www.visitestespark.com
  • www.visitgreenvillesc.com
  • www.visithamiltoncounty.com
  • www.visitpittsburgh.com
  • www.visitrichmondva.com
  • www.visitrochester.com
  • www.visitsaltlake.com

So it is very likely that a number of the DMO websites above also served the exploits around the same time. List of other websites affected in the same infection campaign:

[Screenshot: list of other websites affected in the same campaign]

We believe the actors behind these infections are from the same group: they share a common infection pattern, and their infection chains use the same servers.

Technical Details:

The exploit pack fingerprints the Java, PDF and Flash versions on the visiting machine and delivers exploits matching the vulnerable applications. It delivers multiple exploits, one for each vulnerable application, in an attempt to maximize the chance of infection. It is built from the Nuclear Pack exploit kit.

www.seemonterey.com infection chain:

[Image: DMO-3]

www.visittucson.org infection chain:

[Image: DMO-4]
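The infection chains above all run publisher site → shared Ad server → the actor’s central exploit server, and it is that shared hop that lets otherwise unrelated incidents be correlated. As an added example (not Cyphort’s code), the following Python script reconstructs such chains from the referrer field of proxy logs and reports which intermediary hosts connect more than one publisher to the exploit host; every hostname, IP address and log line in it is a constructed placeholder, not an indicator from this campaign.

```python
"""Correlate web proxy logs into referrer chains and flag the ones that end at
a known exploit-kit host. Added example, not Cyphort's code; the hostnames,
IPs and log lines below are constructed placeholders, not real indicators."""
from collections import defaultdict

# Constructed proxy log: timestamp, client IP, requested URL, referrer ("-" = none)
SAMPLE_LOG = """\
2014-07-04T10:00:01 10.0.0.5 http://www.example-dmo.test/ -
2014-07-04T10:00:02 10.0.0.5 http://ads.example-adserver.test/serve.js http://www.example-dmo.test/
2014-07-04T10:00:03 10.0.0.5 http://cdn.example-ek.test/landing.php?id=7 http://ads.example-adserver.test/serve.js
2014-07-04T10:00:04 10.0.0.5 http://cdn.example-ek.test/payload.jar http://cdn.example-ek.test/landing.php?id=7
2014-07-04T10:01:00 10.0.0.9 http://www.other-dmo.test/ -
2014-07-04T10:01:01 10.0.0.9 http://ads.example-adserver.test/serve.js http://www.other-dmo.test/
2014-07-04T10:01:02 10.0.0.9 http://cdn.example-ek.test/landing.php?id=9 http://ads.example-adserver.test/serve.js
2014-07-04T10:02:00 10.0.0.12 http://www.example-dmo.test/ -
2014-07-04T10:02:01 10.0.0.12 http://ads.example-adserver.test/serve.js http://www.example-dmo.test/
2014-07-04T10:02:02 10.0.0.12 http://img.example-adserver.test/banner.png http://ads.example-adserver.test/serve.js
"""

# Constructed placeholder for the kit's central delivery server
KNOWN_EK_HOSTS = {"cdn.example-ek.test"}


def host_of(url):
    """Extract the hostname from a URL (scheme and path stripped)."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def parse_log(text):
    """Return (client, url, referrer) tuples; referrer is None when absent."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, url, ref = line.split()
        events.append((client, url, None if ref == "-" else ref))
    return events


def exploit_chains(events, ek_hosts=KNOWN_EK_HOSTS):
    """For every request to an exploit-kit host, walk referrers back to the
    page the victim actually visited. Returns (client, [host, ...]) pairs
    ordered publisher -> ad server -> exploit host; consecutive hops on the
    same host (landing page -> payload) are collapsed."""
    refs = defaultdict(dict)            # client -> {url: referrer}
    for client, url, ref in events:
        refs[client].setdefault(url, ref)
    chains = []
    for client, url, _ in events:
        if host_of(url) not in ek_hosts:
            continue
        chain, cur, seen = [url], url, {url}
        while refs[client].get(cur) and refs[client][cur] not in seen:
            cur = refs[client][cur]
            seen.add(cur)
            chain.append(cur)
        hosts = []
        for u in reversed(chain):
            h = host_of(u)
            if not hosts or hosts[-1] != h:
                hosts.append(h)
        if (client, hosts) not in chains:
            chains.append((client, hosts))
    return chains


def shared_intermediaries(chains):
    """Hosts that sit between more than one distinct publisher and the exploit
    host: the shared ad server that ties otherwise unrelated sites together."""
    publishers_via = defaultdict(set)
    for _client, hosts in chains:
        for mid in hosts[1:-1]:
            publishers_via[mid].add(hosts[0])
    return {h: sorted(p) for h, p in publishers_via.items() if len(p) > 1}


if __name__ == "__main__":
    found = exploit_chains(parse_log(SAMPLE_LOG))
    for client, hosts in found:
        print(client, " -> ".join(hosts))
    print(shared_intermediaries(found))
```

Run against real proxy logs, the third client (10.0.0.12) is the important negative case: it loaded the same ad script but was served a plain banner, so the chain never reaches the exploit host and is not reported. Only chains that terminate on a known exploit host count, and the shared intermediary is reported only when at least two different publisher sites route through it.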

It infects machines running the following application versions:

  • JRE 6
  • JRE 7u17 and less
  • JRE 7u21
  • Flash 11.9.900.170
  • Flash 12.0.0.38
  • Flash 12.0.0.43
  • Flash 13.0.0.206
  • Adobe Reader 8
  • Adobe Reader 9.3
  • IE 8/9/10

The vulnerabilities it tries to exploit include:

  • Java – CVE-2013-2465 and others
  • SWF – CVE-2014-0515
  • PDF – CVE-2010-0188
  • IE – CVE-2013-2551
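A defender’s first question from the two lists above is which endpoints in their own fleet run one of those versions. The following Python audit is added here and is not part of the original post; it encodes the version conditions and CVE labels as the post states them (JRE 6 is read as any 6.x build) and runs them over a constructed inventory, where the hostnames and versions in SAMPLE_INVENTORY are made up.

```python
"""Audit a software inventory against the application versions the Nuclear
Pack chain above is reported to exploit. Added example, not from the post;
the inventory entries are constructed. The version conditions and CVE labels
come from the lists in the post."""


def parse_version(v):
    """'7u21' -> (7, 21); '11.9.900.170' -> (11, 9, 900, 170); '8' -> (8,)."""
    return tuple(int(p) for p in v.lower().replace("u", ".").split("."))


# Targeted versions as stated in the post, one predicate per application.
# JRE: any 6.x, 7 up to update 17, and exactly 7u21.
# Flash: four exact builds. Reader: any 8.x and 9.3.x. IE: majors 8, 9, 10.
TARGETED = {
    "jre": lambda v: v[0] == 6
                     or (v[0] == 7 and (v[1:2] <= (17,) or v[1:2] == (21,))),
    "flash": lambda v: v in {(11, 9, 900, 170), (12, 0, 0, 38),
                             (12, 0, 0, 43), (13, 0, 0, 206)},
    "reader": lambda v: v[0] == 8 or v[:2] == (9, 3),
    "ie": lambda v: v[0] in (8, 9, 10),
}

# CVEs the post names for each exploit type
CVES = {
    "jre": "CVE-2013-2465 (and others)",
    "flash": "CVE-2014-0515",
    "reader": "CVE-2010-0188",
    "ie": "CVE-2013-2551",
}


def is_targeted(app, version):
    """True if this app/version pair is one the kit delivers an exploit for."""
    pred = TARGETED.get(app.lower())
    return bool(pred and pred(parse_version(version)))


def audit(inventory):
    """inventory: iterable of (host, app, version). Returns the exposed
    entries as (host, app, version, cve) tuples, in inventory order."""
    return [(h, a, ver, CVES[a.lower()]) for h, a, ver in inventory
            if is_targeted(a, ver)]


# Constructed inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = [
    ("ws01", "jre", "7u21"),
    ("ws01", "flash", "13.0.0.206"),
    ("ws02", "jre", "7u65"),
    ("ws02", "reader", "9.3.4"),
    ("ws03", "ie", "11"),
    ("ws03", "flash", "14.0.0.125"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("%s: %s %s exposed to %s" % row)
```

The predicates deliberately match only what the post lists; a newer build that happens to be vulnerable to the same CVE is not flagged, so treat the output as the kit’s known target set rather than a full patch audit.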

The MD5 hashes of the droppers:

  • 1937039ABC019DE0A7AB9FEC2A89AE29
  • E1768CE2A08FD4116A16961E5158E284 (Win32.Cidox)

As of writing, both of these droppers from the exploit chain are detected by AV vendors.

The sample dropped through www.visittucson.org (MD5: E1768CE2A08FD4116A16961E5158E284) is a rootkit that overwrites the MBR and the NTFS loader. Once executed, it overwrites part of the NTFS loader, reboots the machine, and loads a driver to control various processes. We see behavior similar to that described in this blog. The payload decodes a “shellcode” from its resource section into memory and executes it.

[Image: DMO-5]

It is decoded using the following operation:

[Image: DMO-6]

This “shellcode” uses the process hollowing technique to create another process that carries out the malicious activity. It first creates the process and retrieves its main thread’s context:

00410B37 50 PUSH EAX ; UNICODE “C:\sample\exe.exe”
00410B38 53 PUSH EBX
00410B39 FF95 2CFEFFFF CALL DWORD PTR SS:[EBP-1D4] ; kernel32.CreateProcessW
….
00410B58 FFB5 48FEFFFF PUSH DWORD PTR SS:[EBP-1B8]
00410B5E FF95 3CFEFFFF CALL DWORD PTR SS:[EBP-1C4] ; kernel32.GetThreadContext

It copies data to the remote process using WriteProcessMemory:

[Image: DMO-7]

It copies itself into the suspended process using WriteProcessMemory:

00410C25 FF95 54FEFFFF CALL DWORD PTR SS:[EBP-1AC] ; kernel32.WriteProcessMemory

It uses SetThreadContext and ResumeThread to start the new process.

[Image: DMO-8]
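The call sequence walked through above (CreateProcessW, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread) is the classic hollowing signature, and it can be matched in the API-call trace a sandbox or EDR agent produces. The Python below is an added example, not part of the post or of any product: the trace format is invented for illustration, the trace lines are constructed to mirror the sequence in the disassembly, and the only real identifier used is the Win32 CREATE_SUSPENDED flag value (0x4).

```python
"""Detect the process-hollowing call sequence the analysis above walks
through (CreateProcess* with CREATE_SUSPENDED, WriteProcessMemory into that
process, SetThreadContext on its main thread, ResumeThread) in an API-call
trace. Added example, not from the post; the trace format and the lines
below are constructed."""

CREATE_SUSPENDED = 0x00000004  # Win32 process creation flag

# Constructed trace: "<seq> <api> key=value ...", one call per line.
# The second CreateProcessW is a benign control: not suspended, no context
# rewrite, no resume, so it must not be reported.
SAMPLE_TRACE = """\
1 CreateProcessW image=C:\\sample\\exe.exe flags=0x4 pid=1234 tid=5678
2 GetThreadContext tid=5678
3 VirtualAllocEx pid=1234 size=0x2a000
4 WriteProcessMemory pid=1234 size=0x400
5 WriteProcessMemory pid=1234 size=0x29000
6 SetThreadContext tid=5678
7 ResumeThread tid=5678
8 CreateProcessW image=C:\\Windows\\notepad.exe flags=0x0 pid=1300 tid=1400
9 WriteProcessMemory pid=1300 size=0x10
"""


def parse_trace(text):
    """Return (seq, api, {key: value}) for each non-empty trace line."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, api, *kv = line.split()
        args = dict(p.split("=", 1) for p in kv)
        calls.append((int(seq), api, args))
    return calls


def detect_hollowing(calls):
    """Return one finding per process that was created suspended, written
    to, had its thread context replaced, and was then resumed."""
    suspended = {}      # pid -> state for processes created with CREATE_SUSPENDED
    tid_to_pid = {}     # main-thread id -> pid, so thread calls map back to the process
    findings = []
    for seq, api, a in calls:
        if api.startswith("CreateProcess") and int(a.get("flags", "0"), 16) & CREATE_SUSPENDED:
            pid = int(a["pid"])
            suspended[pid] = {"image": a.get("image", "?"), "created": seq,
                              "wrote": False, "ctx": False}
            tid_to_pid[int(a["tid"])] = pid
        elif api == "WriteProcessMemory" and int(a.get("pid", "-1")) in suspended:
            suspended[int(a["pid"])]["wrote"] = True
        elif api == "SetThreadContext" and int(a.get("tid", "-1")) in tid_to_pid:
            suspended[tid_to_pid[int(a["tid"])]]["ctx"] = True
        elif api == "ResumeThread" and int(a.get("tid", "-1")) in tid_to_pid:
            pid = tid_to_pid[int(a["tid"])]
            st = suspended[pid]
            if st["wrote"] and st["ctx"]:
                findings.append({"pid": pid, "image": st["image"],
                                 "created": st["created"], "resumed": seq})
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(parse_trace(SAMPLE_TRACE)):
        print("hollowing: pid %(pid)d (%(image)s) created at call %(created)d, "
              "resumed at call %(resumed)d" % f)
```

Debuggers and some installers also create suspended processes and write into them, so the rule requires the full sequence through SetThreadContext and ResumeThread rather than firing on CREATE_SUSPENDED alone; in production, the image path of the hollowed process and the size of the writes are the next fields to pivot on.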

The MD5 hash of the second process/file is b0ee70b4c5f46fd61aa7d5e35feac801. It overwrites the MBR/NTFS loader.

[Image: DMO-9]

[Image: DMO-10]

Again: with the increasing complexity of Ad syndication and dynamic content creation, we anticipate more incidents of infection delivered through Ad networks. We strongly encourage Ad network providers to take steps to enhance their security monitoring of Ad content in order to build a more secure ecosystem for all.

I would like to thank Abhijit Mohanta and other Cyphort Labs colleagues for helping me analyze this campaign.