Recently observed malvertising campaigns leveraged the same redirection gate to take users from all around the world to the landing page of the Neutrino exploit kit, Cisco Talos researchers reveal.
Just as other malvertising campaigns, these operations involved malicious ads, an initial redirection point or gate, and an exploit kit to infect users with malware. In these campaigns, Cisco reveals, the redirection was performed through ShadowGate / wordJS, called this way because it uses domain shadowing to host its activity.
The gate has been observed for the first time in 2015 and stands out not because of the high volume of traffic it registers, but because only a small fraction of the interactions with it actually lead to infection. Another particularity of this gate is that it tends to go dark for random periods of time, after which it returns and continues redirecting users to exploit kits (EKs).
Originally redirecting to Angler, the gate’s traffic is not bound to Neutrino, Cisco says. While ShadowGate has used numerous domains over the past year, it has used only several during the month of August, including: merrybrycemas[.]com, hillarynixonclinton[.]net, phillyeagleholic[.]com, eagleholic[.]com, and hillarynixonclinton[.]com.
The gate isn’t sophisticated, researchers say. An iframe is set to be rendered “several feet to the left and several feet above the screen,” leading to a page associated with Neutrino. There, the EK landing page checks whether Flash is installed and a Flash exploit is served. Thus, if Adobe Flash Player is not installed on the target machine, the infection doesn’t take place.
One of the malicious ads used in this campaign was observed on a site related to precious metals and their values, goldseek[.]com, and it had the iframe that is typical to the campaign. Further analysis revealed that a wide range of sites were compromised, including several Chinese sites that are related to Information Technology, such as 51cto[.]com and elecfans[.]com.
According to Cisco, they “rarely find examples of full Chinese language sites serving malicious ads and compromising users via exploit kit gates.” Other Chinese and New Zealand sites were also impacted, including theregister[.]co[.]nz. This site, researchers say, also showed SSL traffic involved, which suggested that an ad stream might have been compromised, as opposed to a single malicious ad being used, mainly because all ads had the malicious iframe added to them.
After discovering hundreds of similar cases for compromised New Zealand and Australian sites, researchers discovered that the Middle East was also impacted, such as alhilal[.]com, a website for a football/soccer team based out of Saudi Arabia (the site is in full Arabic).
Next, the malicious ads were found on the website of a major US University, the Newspaper webpage for a large US city, a Polish forum for bicycle enthusiasts, and the website for a large city in Canada. Pages associated with financial information, gun auctions/sales, and smoking enthusiasts, as well as instances related to “Adult” websites were also found.
“Once the investigation was complete Talos had found a sophisticated, global, diverse malvertising campaign that potentially could have impacted millions of users based on the reach and popularity of the sites they impacted. It widely affected Europe, Asia Pac, Middle East, and United States. This was a global attack indiscriminately compromising users around the world,” researchers say.
Working together with GoDaddy, because this was the registrant for domains hosting ShadowGate, the researchers were able to mitigate the threat. The malvertising campaign appears to have been shut down and the malicious activity stopped. However, researchers fear that the campaign will reemerge after staying dormant for a little while.
After shutting down this nefarious activity, Cisco observed a second malvertising campaign, using a different set of registrant accounts and targeting Europe, with many Italian, Spanish, Bulgarian, Swedish, and Slovakian sites impacted by it. Several Israeli sites were also seen serving the malicious ads, researchers say. Although the URL structure changed after the initial takedown and the syntax had a couple of subtle variations, researchers were able to gather enough information on the campaign to take it down as well.
“Just like any other portion of an exploit kit infection chain, the adversaries will continue to evolve,” Cisco’s researchers note. “Users aren’t left with a lot of options related to this threat. Ad blockers are an option, but as we’ve seen some sites are already taking a stand against ad blockers because they eliminate a primary revenue stream. In the case of Neutrino, users can simply uninstall Adobe Flash from their systems entirely. This is yet another reason to remove a plugin that is increasingly becoming obsolete in regards to rendering the images, games, and videos on the Internet today.”
