
Malvertising on DrudgeReport

2015-04-03 21:10

On March 21, 2015 Cyphort Labs discovered that the DrudgeReport.com website was serving malvertising and redirecting visitors to the Hanjuan Exploit Kit. Multiple ad networks were used in the redirect chain, including AppNexus, Rubicon Project, Advertising.com and CPXI. We have previously reported on a rising trend in drive-by infections through advertising networks and published slides from our Malware's Most Wanted webinar on malvertising.


DrudgeReport is a very popular conservative news site. It is ranked #145 in the USA and #645 globally and is visited by more than 2 million people every day.


The malvertising chain in this case was quite long and passed through several ad networks before reaching the exploit kit:

  1.  start                 www.drudgereport.com
  2.  ad network            cdn.intermarkets.net
  3.  AOL ad network        adserver.adtechus.com
  4.  Rubicon ad network    ads.rubiconproject.com
  5.  AOL ad network        uac.advertising.com
  6.  CPXI ad network       select.brealtime.com
  7.  AppNexus ad network   ib.adnxs.com
  8.  ad network            www5.smartadserver.com
  9.  redirector            www2.pinast.com
  10. exploit kit           www1.tresil.net/sen33/
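A chain like the one above is usually recovered from proxy or HAR logs by walking Referer headers backwards from the exploit-kit request to the page the victim actually opened. The script below is an added example (it is not part of the Cyphort post and not their tooling) that does exactly that. The log records are constructed for illustration: the hostnames are the ten hops listed above, but the paths, query strings and timestamps are invented and the "example.com" favicon request is added as unrelated session noise that must not end up in the chain.

```python
"""Reconstruct a malvertising redirect chain from proxy log records by
following Referer headers backwards from the final (exploit kit) request.

All records below are constructed: hostnames come from the chain in the
article, paths and timestamps are invented, and nothing here is a capture
from the incident.
"""
from urllib.parse import urlparse

# Constructed sample proxy log: (timestamp, requested URL, Referer header).
SAMPLE_LOG = [
    ("12:00:01.001", "http://www.drudgereport.com/", ""),
    ("12:00:01.250", "http://cdn.intermarkets.net/ads/tag.js", "http://www.drudgereport.com/"),
    ("12:00:01.400", "http://adserver.adtechus.com/adserv/x", "http://cdn.intermarkets.net/ads/tag.js"),
    ("12:00:01.550", "http://ads.rubiconproject.com/ad/x", "http://adserver.adtechus.com/adserv/x"),
    ("12:00:01.700", "http://uac.advertising.com/wrapper/x", "http://ads.rubiconproject.com/ad/x"),
    ("12:00:01.850", "http://select.brealtime.com/x", "http://uac.advertising.com/wrapper/x"),
    ("12:00:02.000", "http://ib.adnxs.com/ttj?x", "http://select.brealtime.com/x"),
    ("12:00:02.150", "http://www5.smartadserver.com/call/x", "http://ib.adnxs.com/ttj?x"),
    ("12:00:02.300", "http://www2.pinast.com/x", "http://www5.smartadserver.com/call/x"),
    ("12:00:02.450", "http://www1.tresil.net/sen33/", "http://www2.pinast.com/x"),
    # Unrelated traffic from the same session; must not appear in the chain.
    ("12:00:02.500", "http://www.example.com/favicon.ico", "http://www.drudgereport.com/"),
]

# Roles of the hosts named in the article's chain; anything else is "unknown".
KNOWN_ROLES = {
    "www.drudgereport.com": "start",
    "cdn.intermarkets.net": "ad network",
    "adserver.adtechus.com": "AOL ad network",
    "ads.rubiconproject.com": "Rubicon ad network",
    "uac.advertising.com": "AOL ad network",
    "select.brealtime.com": "CPXI ad network",
    "ib.adnxs.com": "AppNexus ad network",
    "www5.smartadserver.com": "ad network",
    "www2.pinast.com": "redirector",
    "www1.tresil.net": "exploit kit",
}


def build_referer_index(records):
    """Map each requested URL to the Referer that led to it (first seen wins)."""
    index = {}
    for _ts, url, referer in records:
        index.setdefault(url, referer)
    return index


def leaf_urls(records):
    """URLs that never appear as a Referer: the ends of redirect chains, which
    is where an analyst starts looking for the exploit kit landing page."""
    referers = {r for _ts, _u, r in records if r}
    return [u for _ts, u, _r in records if u not in referers]


def reconstruct_chain(records, landing_url):
    """Walk Referer links backwards from landing_url to the origin page.
    Stops when a hop has no Referer or a cycle is detected."""
    index = build_referer_index(records)
    chain = [landing_url]
    seen = {landing_url}
    current = landing_url
    while True:
        referer = index.get(current, "")
        if not referer or referer in seen:
            break
        chain.append(referer)
        seen.add(referer)
        current = referer
    chain.reverse()  # origin first, landing page last
    return chain


def annotate(chain):
    """Return (host, role) pairs for each hop of a chain."""
    out = []
    for url in chain:
        host = urlparse(url).netloc
        out.append((host, KNOWN_ROLES.get(host, "unknown")))
    return out


def hosts_in_chain(records, landing_url):
    """Convenience: just the hostnames of the reconstructed chain, in order."""
    return [host for host, _role in annotate(reconstruct_chain(records, landing_url))]


if __name__ == "__main__":
    for leaf in leaf_urls(SAMPLE_LOG):
        print("chain ending at", leaf)
        for i, (host, role) in enumerate(annotate(reconstruct_chain(SAMPLE_LOG, leaf)), 1):
            print(f"  {i:2d}  {role:<20}  {host}")
```

Referer walking is only as good as the headers in the log: a hop that drops the Referer (an HTTPS-to-HTTP downgrade, a meta refresh, or a script-created element that sets none) truncates the chain at that point, and the analyst has to bridge the gap with timestamps or the response body of the previous hop. Several ad-network hops in a real chain also come from the same few hosts, so the role table is a triage aid, not proof that a given network was the one that sold the bad impression.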

 

The attack appears to be the same as, or similar to, the one described by our friends at Malwarebytes: Hanjuan EK's 'March Madness' malvertising campaign.

1. First, the JavaScript (Figure A below) base64-decodes and launches the VBScript (Figure B below).

2. Then the VBScript exploits CVE-2014-6332 (the Windows OLE Automation array vulnerability reachable from the VBScript engine in Internet Explorer, patched by Microsoft in MS14-064) to decrypt and launch a PE executable. Systems that have applied that update are not affected by this stage.

Figure A – JavaScript

Figure B – VBScript
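The two-stage layout above (a JavaScript loader carrying a base64-encoded VBScript stage) suggests a simple triage step: pull base64 string literals out of the loader, decode them, and check the decoded text for the hallmarks of a VBScript stage built on CVE-2014-6332. The script below is an added example; it is not the Cyphort analysis and not the actual Hanjuan scripts, which the post shows only as screenshots. The sample loader and the inert VBScript placeholder it carries are constructed, and the indicator list is a heuristic drawn from the widely published proof of concept for CVE-2014-6332 rather than from the figures.

```python
"""Extract base64 literals from a JavaScript loader, decode them and look for
the hallmarks of a VBScript stage that abuses CVE-2014-6332.

Indicators are a heuristic from the public proof of concept for that CVE
(On Error Resume Next, redim Preserve on a dynamic array, then a shell object
to launch a dropped file). They are not taken from the Hanjuan sample.
"""
import base64
import binascii
import re

# Constructed inert VBScript placeholder: it carries the indicator strings
# and does nothing. It is NOT the exploit.
INERT_VBS = (
    '<script language="VBScript">\n'
    "On Error Resume Next\n"
    "' constructed placeholder: indicator strings only\n"
    "Dim a()\n"
    "redim Preserve a(1)\n"
    "</script>\n"
)

# Constructed JavaScript loader in the shape the article describes: the
# VBScript travels base64-encoded and is written into the page once decoded.
SAMPLE_JS = (
    'var p = "' + base64.b64encode(INERT_VBS.encode()).decode() + '";\n'
    "document.write(atob(p));\n"
)

# Constructed benign control: a base64 literal that decodes to binary, not script.
BENIGN_JS = 'var blob = "' + base64.b64encode(bytes(range(64))).decode() + '";\n'

# A quoted run of 40+ base64 alphabet characters with optional padding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{40,}={0,2})["\']')

INDICATORS = (
    ("vbscript_block", re.compile(r'language\s*=\s*["\']?vbscript', re.I)),
    ("error_suppression", re.compile(r"on\s+error\s+resume\s+next", re.I)),
    ("redim_preserve", re.compile(r"redim\s+preserve", re.I)),
    ("shell_object", re.compile(r'createobject\s*\(\s*["\'](wscript\.shell|shell\.application)', re.I)),
)


def extract_base64_literals(js):
    """Return quoted string literals that look like base64."""
    return B64_LITERAL.findall(js)


def decode_as_text(blob):
    """Decode a base64 literal; return None when it is not valid base64 or
    does not decode to mostly printable text (an image, a binary blob)."""
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text:
        return None
    printable = sum(1 for c in text if c.isprintable() or c in "\r\n\t")
    return text if printable / len(text) >= 0.9 else None


def scan(js):
    """For every base64 literal in js, report which indicators its decoded
    text matches. Each finding: {"index", "decoded", "indicators"}."""
    findings = []
    for i, blob in enumerate(extract_base64_literals(js)):
        text = decode_as_text(blob)
        hits = [name for name, rx in INDICATORS if text and rx.search(text)]
        findings.append({"index": i, "decoded": text is not None, "indicators": hits})
    return findings


def max_indicators(js):
    """Highest indicator count over all literals in js; 0 when nothing matches."""
    return max((len(f["indicators"]) for f in scan(js)), default=0)


if __name__ == "__main__":
    for label, js in (("sample loader", SAMPLE_JS), ("benign control", BENIGN_JS)):
        print(label, scan(js))
```

The printable-ratio check is what keeps image data and other binary literals from producing noise; the cost is that a stage with a second encoding layer on top of base64 (XOR, a custom alphabet) will decode to "binary" and be skipped, so a literal that is large, valid base64 and still undecodable is itself worth a manual look. Matching on three or more indicators in one decoded literal is a reasonable threshold for flagging a page for analyst review; one hit alone (error suppression in particular) is common in legitimate VBScript.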

 

DrudgeReport has previously been involved in malware incidents, in both 2010 and 2013.

We have reached out to DrudgeReport and notified them of this issue. Cyphort Labs is monitoring this malvertising campaign closely and our analysis is ongoing. We will share more results as soon as they become available.

 

The post Malvertising on DrudgeReport appeared first on Cyphort.


Source: www.cyphort.com/drudgereport-malvertising/
