Cyphort Labs reached out to Simpleviewinc.com on July 2, but as of today, we have not received a response or acknowledgement.
Serving malware and exploits through Ad networks has been a common problem in recent years, and threat actors take a special interest in DMO Ad networks during summer holidays and long weekends, because more users are looking for travel information at those times, providing a large audience for exploitation. The issue is serious enough that the US Senate discussed the hazards of this malware delivery mechanism and its implications for consumer security in a recent report.
With the increasing complexity of Ad syndication and dynamic content creation, we anticipate more incidents of infection delivered through Ad networks. We strongly encourage Ad network providers to take steps to enhance their security monitoring of Ad content in order to build a more secure ecosystem for all. If you have any interaction with an Ad network or a DMO site, we encourage you to read and share this post, and if anyone does business with Simpleviewinc.com, whether they respond to us or not (and we hope they do), encourage them to address our findings.
Here’s how the attack works:
Each tourist destination is promoted by a DMO, which is usually a government organization or a government-subsidized organization. Most of the content on a DMO website is provided by backend providers such as Destination Travel Network (DTN).
We analyzed a few of the incidents in which malicious Ads were injected into DMO websites and other leisure-activity websites. The exploit delivery pattern is common across all the injections. In all of these incidents, we noticed that the actors used one single central server to deliver exploits from their “cluster of domains”. We were able to correlate this “pattern” with other, non-leisure website infections too. The actors have very good control over various Ad networks. Some domains from Italy and the UK also served exploits from the same “cluster of domains”.
List of DMOs that served malware around the July 4 holiday weekend:
List of DMOs that use Simpleviewinc’s Ad servers:
So it is very likely that a number of the above DMO websites also served the exploits around the same time. List of other websites affected in the same infection campaign:
We believe the actors behind these infected sites are from the same group. They share a common infection pattern, and their infection chain uses the same servers.
The exploit pack fingerprints the Java, PDF and Flash versions and delivers exploits based on which applications are vulnerable. It delivers multiple exploits for all the vulnerable applications in an attempt to maximize the chance of infection. It is built from the Nuclear Pack exploit kit.
www.seemonterey.com infection chain:
www.visittucson.org infection chain:
It infects machines with the following application versions:
- JRE 6
- JRE 7u17 and less
- JRE 7u21
- Flash 11.9.900.170
- Flash 184.108.40.206
- Flash 220.127.116.11
- Flash 18.104.22.168
- Adobe Reader 8
- Adobe Reader 9.3
- IE 8/9/10
The vulnerabilities it tries to exploit include:
- Java – CVE-2013-2465 and others
- SWF – CVE-2014-0515
- PDF – CVE-2010-0188
- IE – CVE-2013-2551
The hashes of the droppers:
As of writing, both of these droppers from the exploit chain are detected by AV vendors.
The sample dropped through www.visittucson.org (MD5: E1768CE2A08FD4116A16961E5158E284) is a rootkit that overwrites the MBR and the NTFS loader. Once executed, it overwrites part of the NTFS loader, reboots the machine, and loads a driver that controls various processes. We see behavior similar to that described in this blog. This payload decodes a “shellcode” from its resource section into memory and executes it.
It is decoded using the following operation:
This “shellcode” uses the process hollowing technique to create another process that carries out the malicious activity.
00410B37 50 PUSH EAX ; UNICODE “C:\sample\exe.exe”
00410B38 53 PUSH EBX
00410B39 FF95 2CFEFFFF CALL DWORD PTR SS:[EBP-1D4] ; kernel32.CreateProcessW
00410B58 FFB5 48FEFFFF PUSH DWORD PTR SS:[EBP-1B8]
00410B5E FF95 3CFEFFFF CALL DWORD PTR SS:[EBP-1C4] ; kernel32.GetThreadContext
It copies its own image into the suspended remote process using WriteProcessMemory.
00410C25 FF95 54FEFFFF CALL DWORD PTR SS:[EBP-1AC] ; kernel32.WriteProcessMemory
It uses SetThreadContext and ResumeThread to start the new process.
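The sequence just described (CreateProcessW with CREATE_SUSPENDED, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread) is the classic process-hollowing signature and is straightforward to spot in a sandbox API trace. The following detector is an added example, not Cyphort's code: the trace line format (`<pid> <api>(<args>)`) and the sample lines are constructed here, and the regexes assume argument names `dwCreationFlags` and `lpApplicationName` in that format.

```python
"""Detect the process-hollowing API sequence in a sandbox API trace.
Added example, not Cyphort's code; the trace format (one call per line:
"<pid> <api>(<args>)") and the sample lines below are constructed."""
import re
from collections import defaultdict

# Ordered API sequence that characterises classic process hollowing.
HOLLOWING_SEQUENCE = [
    "CreateProcessW",      # child started suspended (CREATE_SUSPENDED = 0x4)
    "GetThreadContext",    # read the primary thread's register context
    "WriteProcessMemory",  # write the replacement image into the child
    "SetThreadContext",    # point the thread at the new entry point
    "ResumeThread",        # run the hollowed process
]

CREATE_SUSPENDED = 0x4

# Assumed trace line shape: "<pid> <api>(<args>)".
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")


def parse_trace(lines):
    """Yield (pid, api, args) tuples from trace lines; skip unparsable lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group("pid")), m.group("api"), m.group("args")


def find_hollowing(lines):
    """Return a list of (pid, target_path) for every process whose trace
    contains the hollowing sequence in order, starting with a suspended
    CreateProcessW. Unrelated calls between the steps are ignored."""
    progress = defaultdict(int)   # per-pid index into HOLLOWING_SEQUENCE
    target = {}                   # per-pid path of the hollowed child
    hits = []
    for pid, api, args in parse_trace(lines):
        step = progress[pid]
        if step >= len(HOLLOWING_SEQUENCE) or api != HOLLOWING_SEQUENCE[step]:
            continue
        if api == "CreateProcessW":
            flags_m = re.search(r"dwCreationFlags=(0x[0-9a-fA-F]+)", args)
            path_m = re.search(r'lpApplicationName="([^"]*)"', args)
            if not flags_m or int(flags_m.group(1), 16) & CREATE_SUSPENDED == 0:
                continue  # not suspended: an ordinary process start
            target[pid] = path_m.group(1) if path_m else "?"
        progress[pid] = step + 1
        if progress[pid] == len(HOLLOWING_SEQUENCE):
            hits.append((pid, target[pid]))
    return hits


# Constructed sample trace: pid 1234 performs hollowing, pid 5678 starts a
# child normally and only reads a thread context, so it must not match.
SAMPLE_TRACE = [
    '1234 CreateProcessW(lpApplicationName="C:\\sample\\exe.exe", dwCreationFlags=0x4)',
    '1234 GetThreadContext(hThread=0x1c8)',
    '1234 VirtualAllocEx(hProcess=0x1cc, dwSize=0x2a000)',
    '1234 WriteProcessMemory(hProcess=0x1cc, lpBaseAddress=0x400000)',
    '1234 SetThreadContext(hThread=0x1c8)',
    '1234 ResumeThread(hThread=0x1c8)',
    '5678 CreateProcessW(lpApplicationName="C:\\Windows\\notepad.exe", dwCreationFlags=0x0)',
    '5678 GetThreadContext(hThread=0x2f0)',
]

if __name__ == "__main__":
    for pid, path in find_hollowing(SAMPLE_TRACE):
        print(f"pid {pid}: process hollowing into {path}")
```

Matching on the ordered sequence rather than on any single call keeps the false-positive rate down: debuggers and some legitimate tools call GetThreadContext or WriteProcessMemory on their own, but the full chain starting from a suspended child is rarely benign.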
The hash of the second process/file is b0ee70b4c5f46fd61aa7d5e35feac801. It overwrites the MBR/NTFS loader.
Again: with the increasing complexity of Ad syndication and dynamic content creation, we anticipate more incidents of infection delivered through Ad networks. We strongly encourage Ad network providers to take steps to enhance their security monitoring of Ad content in order to build a more secure ecosystem for all.
I would like to thank Abhijit Mohanta and other Cyphort Labs colleagues for helping me analyze this campaign.
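Because this payload persists by overwriting the MBR, a host-level integrity check of the first sector is a useful detection and response step. The following checker is an added example, not Cyphort's code: it parses a 512-byte MBR image, verifies the 0x55AA signature and partition table, and compares the boot code against a baseline SHA-256. The baseline hash and both sample sectors are constructed here; on a live Windows host the sector would be read from \\.\PhysicalDrive0, which this offline example does not do.

```python
"""Offline MBR tampering check. Added example, not Cyphort's code; the
baseline hash and the two sample sectors are constructed below."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439: bootstrap code, before the disk signature
PART_TABLE_OFF = 446    # four 16-byte partition entries
NTFS_TYPE = 0x07        # partition type used for NTFS (IFS) volumes


def parse_partitions(mbr):
    """Return the four partition entries as dicts."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr, baseline_boot_sha256):
    """Return a list of findings; an empty list means the sector is clean."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    if mbr[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline_boot_sha256:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    if not any(p["type"] == NTFS_TYPE for p in parts):
        findings.append("no NTFS (type 0x07) partition entry")
    return findings


def build_sample_mbr(boot_code):
    """Construct a 512-byte MBR with one active NTFS partition (test data)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    mbr[440:444] = b"\x11\x22\x33\x44"          # constructed disk signature
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF,
                     0x80, b"\x20\x21\x00", NTFS_TYPE, b"\xfe\xff\xff",
                     2048, 1_000_000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed "known good" sector and its baseline hash, as a defender would
# record them on a freshly provisioned machine.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 10)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Constructed sector whose boot code has been replaced; the partition table
# is intact, which is what a bootkit overwrite typically looks like.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 15)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE_SHA256) or "OK")
```

Comparing only the boot-code region against a baseline is deliberate: the disk signature and partition table legitimately change when volumes are added, so hashing the whole sector would produce spurious alerts.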