
LAWeekly, HuffingtonPost hit by malvertising via AOL Ad-network once again

2015-02-03 09:00

On Saturday, January 31, 2015, Cyphort Labs detected a malvertising campaign with infections on multiple websites, including the website of the Huffington Post (a news aggregator and blog site with more than 51 million monthly visitors). This is a continuation of the attack we previously reported in early January.

This weekend the Cyphort crawler observed a 400% spike in the number of daily infections discovered.

[Figure: infected domains per day]

The list of the websites infected in this campaign:

  • www.huffingtonpost.com 
  • www.laweekly.com
  • www.indiedb.com 
  • www.dramago.com 
  • www.animetoon.tv 
  • www.spoilertv.com 
  • www.sbcodez.com

The summary of the events:

1. Huffingtonpost.com was hosting an ad from an AOL ad network (adtech.de).
2. The ad redirected through multiple hops, including an SSL redirect.
3. The landing page served an exploit kit, likely Sweet Orange.
4. The exploit kit served many exploits, including an Internet Explorer exploit (CVE-2013-2551).
5. The exploit downloaded a Kovter Trojan executable.

This Kovter variant is only slightly different from the one we detailed in the January 16 blog post. The differences are:

The Kovter binary MD5: 624a3017d321e39a871b51f596ef5c2c

CNC Servers:

  • b12-luxe.ru/12/download.php
  • 195.238.181.17/12/index.php
  • http://91.212.124.167/12/main.php

RC4 Key: “8047e6e4f3aef994e0f84d46000col”

Again, the attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. This time the HTTPS redirector was hosted on Microsoft Azure.

[Figure: HTTPS redirector hosted on Microsoft Azure]

The whole infection chain for huffingtonpost.com was:

  1. HTTP: www.huffingtonpost.com
  2. HTTP: adserver.adtech.de
  3. HTTPS: checkmyip.azurewebsites.net
  4. HTTP: goodwebbynetwork.com
  5. HTTP: multiple .PL redirects
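The hop sequence above is what a defender can actually look for in proxy logs: the chain starts at a page, passes through the ad server, then switches scheme (HTTP to HTTPS to HTTP) while hopping across unrelated hosts. The script below is an added example, not Cyphort's code; it rebuilds per-client redirect chains from Referer headers, flags chains that match that pattern after an ad-network hop, and matches requests and file hashes against the indicators published in this post. The log format, the client addresses, and the hosts example-landing.pl and cdn.example.com are constructed for the example; the MD5, C2 URLs and chain hosts are the ones given on the page.

```python
"""Rebuild redirect chains from proxy logs and match them against the IoCs
from the Cyphort post. The log format and sample lines are constructed for
this example; the hash, C2 URLs and hop hosts are the page's values."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators published in the post (page values, not invented)
KOVTER_MD5 = "624a3017d321e39a871b51f596ef5c2c"
C2_URLS = {
    "b12-luxe.ru/12/download.php",
    "195.238.181.17/12/index.php",
    "91.212.124.167/12/main.php",
}
C2_HOSTS = {u.split("/", 1)[0] for u in C2_URLS}
# The ad-network hop from which the redirect chain departs
AD_HOSTS = {"adserver.adtech.de"}

# Constructed log format: "<epoch> <client_ip> <method> <url> <referer or ->"
# example-landing.pl stands in for the ".PL redirects" the post does not name;
# cdn.example.com is a constructed benign asset host.
SAMPLE_LOG = """\
1422700000 10.0.0.5 GET http://www.huffingtonpost.com/ -
1422700001 10.0.0.5 GET http://adserver.adtech.de/adlink/ http://www.huffingtonpost.com/
1422700002 10.0.0.5 GET https://checkmyip.azurewebsites.net/r http://adserver.adtech.de/adlink/
1422700003 10.0.0.5 GET http://goodwebbynetwork.com/x https://checkmyip.azurewebsites.net/r
1422700004 10.0.0.5 GET http://example-landing.pl/a http://goodwebbynetwork.com/x
1422700010 10.0.0.5 POST http://195.238.181.17/12/index.php -
1422700020 10.0.0.9 GET http://www.huffingtonpost.com/ -
1422700021 10.0.0.9 GET http://adserver.adtech.de/adlink/ http://www.huffingtonpost.com/
1422700022 10.0.0.9 GET http://cdn.example.com/banner.js http://adserver.adtech.de/adlink/
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ref = m.groups()
        records.append({"ts": int(ts), "client": client, "method": method,
                        "url": url, "ref": None if ref == "-" else ref})
    return records


def host_of(url):
    return urlparse(url).hostname or ""


def build_chains(records):
    """Link each request to the latest earlier request from the same client
    whose URL equals its Referer, then emit one root-to-leaf path per leaf."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        children = defaultdict(list)
        last_seen = {}  # url -> index of the most recent request for that url
        roots = []
        for i, r in enumerate(recs):
            parent = last_seen.get(r["ref"]) if r["ref"] else None
            if parent is None:
                roots.append(i)
            else:
                children[parent].append(i)
            last_seen[r["url"]] = i

        def walk(i, path):
            path = path + [recs[i]["url"]]
            if not children[i]:
                chains.append((client, path))
            for c in children[i]:
                walk(c, path)

        for root in roots:
            walk(root, [])
    return chains


def chain_is_suspicious(path):
    """Heuristic from the post's description: after an ad-network hop the chain
    mixes HTTP and HTTPS and crosses at least three distinct hosts."""
    hosts = [host_of(u) for u in path]
    schemes = [urlparse(u).scheme for u in path]
    start = next((i for i, h in enumerate(hosts) if h in AD_HOSTS), None)
    if start is None:
        return False
    after = schemes[start:]
    return "https" in after and "http" in after and len(set(hosts[start:])) >= 3


def ioc_hits(records):
    """Requests whose host or scheme-less URL matches a published C2 indicator."""
    hits = []
    for r in records:
        bare = r["url"].split("://", 1)[-1]
        if host_of(r["url"]) in C2_HOSTS or bare in C2_URLS:
            hits.append((r["client"], r["url"]))
    return hits


def is_known_kovter(md5_hex):
    return md5_hex.strip().lower() == KOVTER_MD5


def triage(log_text):
    records = parse_log(log_text)
    flagged = [(c, p) for c, p in build_chains(records) if chain_is_suspicious(p)]
    return {"chains": flagged, "c2": ioc_hits(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client, path in result["chains"]:
        print(f"[chain] {client}: " + " -> ".join(host_of(u) for u in path))
    for client, url in result["c2"]:
        print(f"[c2] {client}: {url}")
```

On the constructed log the first client produces one flagged chain (huffingtonpost.com, adtech.de, the Azure HTTPS hop, goodwebbynetwork.com, the .pl landing host) and one C2 hit on the 195.238.181.17 URL; the second client, whose ad request leads only to a static asset over plain HTTP, is not flagged. Referer-based chaining misses redirects issued by a 302 with no Referer carried over, so in practice it should be combined with the proxy's own redirect records.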


The adtech.de advertising platform is owned by AOL; we have notified AOL's abuse and security teams.

Apart from AOL’s adtech.de we have also seen two other advertising networks involved in this campaign:

This malvertising campaign is still active on the latter two advertising networks. We have not seen adtech.de infections since February 2.

Cyphort Labs is monitoring this malvertising campaign and will share more results as soon as they become available. Special thanks to McEnroe Navaraj, Alex Burt and the Cyphort Labs team for their help in the discovery and analysis.

The post LAWeekly, HuffingtonPost hit by malvertising via AOL Ad-network once again appeared first on Cyphort.


Source: www.cyphort.com/huffingtonpost-infected-again/
