The Teenage Mutant Malvertiser Network

Since early 2015, FireEye Labs has observed a highly active malvertising operation involving Bedep ad fraud activity and malicious redirection to Exploit Kits (EK) via a multitude of advertising and search-affiliated domains. Among the exploit kits being redirected to are well-known names like Angler, Magnitude, Nuclear and Rig, each redirection to an EK sharing a common link. We believe this particular operation has been active since at least mid 2014, if not prior, and is still very active at time of this writing.

At the core of the activity is the Bedep Trojan. Once infected, the system kicks into action with behavior similar to the following:

  • Infected systems covertly engage in ad fraud activity
  • High volume of requests made to affiliate / ad networks
  • Rogue ad networks eventually redirect system to malicious redirect host
  • Malicious redirect host (a.k.a. cushion server) redirects system to EK
  • System is re-infected with malware (on top of existing infections)
  • Cycle repeats

Bedep’s network activity has been documented in other security blogs here and here; this blog's focus is more on the scope of malvertising and redirection activity involving the particular networks that lead to the Exploit Kits.

FireEye’s Dynamic Threat Intelligence captured a lot of Bedep referrer action over the past few months that confirmed the connection to malvertising activity and exploit kits, on top of the advertising click fraud that Bedep is known for.

Requests to the rogue ad networks will have a specific Bedep referrer. From there, a wild maze of redirection takes place, bouncing the browser from domain to domain until the final destination is reached.

One of the most active of the redirection domains is click2.systemaffiliate[.]com, which was recently documented by Zscaler here.

    Figure 1 – Brief overview of domain / IP architecture for systemaffiliate.com

The connections to the systemaffiliate[.]com domains resolve IP space based out of Canada (AS25948). The traffic is distributed across five IPs.

    199.212.255.136

    199.212.255.137

    199.212.255.138

    199.212.255.139

    199.212.255.140

Reverse DNS on the five IPs shows they resolve to multiple hostnames, including names that reference characters from the Teenage Mutant Ninja Turtles franchise.

    Figure 2 – Some of the domains / host names associated with the five IPs

Note that although it has been the most active, click2.systemaffiliate[.]com was not alone in its redirection mischief. click2.danarimedia[.]com preceded it in redirecting to Exploit Kits in the exact same manner; it is also linked to the same five IPs.

    Figure 3 – Overview of domain structure for danarimedia.com

There are many more redirection domains linked to these IPs, both past and present. We can follow the recent trail of redirection domains via Passive DNS.

    Figure 4 – VT’s passive DNS info for one of the associated IPs

Visible at the top is a new member on the block, click1.searchandclick.space, which as you probably guessed, resolves to the same IPs.

Once the request is made to one of the redirection domains hosted on the 199.212.255 net block, you are again redirected (multiple times over), until you reach a server that instructs your browser to load an exploit kit landing page resulting in infection.

    Figure 5 – Example series of requests  made to one of the 199.212.255.x hosts

We saw exact same behavior for the other “click2” sub domains. All the “click2” prefixed sub domains are built on the same server framework, Web Ninja, which seems fitting considering the earlier Ninja Turtle reference.

Ironically enough, during our analysis we discovered that the IPs and malicious redirect domains are all on the same IP network as a commercial advertising platform that offers a variety of services from PPC to anti-fraud analytics for advertisers.

    Figure 6 – Anti-ad fraud defense service on same malvertising network?

This could be an indication that yet another ad platform has been overrun by malvertisers, although it is highly suspicious how most of the redirection activity all points to a single netblock owned by the same entity and continues to proliferate.

As we examine the data, we see the redirects from 199.212.255.x using a seemingly endless rotation of destination domains associated with ad traffic and search. All ultimately lead to exploit kits -- most notably Angler and Magnitude -- but we also saw activity involving Nuclear, Rig and other EK’s in the mix.

We observed over 220 unique destination IPs being used (and re-used) for redirection by the “click2.” prefixed sub domains alone.

Some of the most active destination (or 'cushion servers' as they are commonly referred to) domains leading to EK’s include (but are not limited to) the following. As you will notice, some domains redirect to more than one EK.

Angler

Magnitude

Nuclear

Rig / Other

ads.fsrinc. biz

hit.buy-targeted-traffic. com

bbwlesbians.xblog. in

find-everything. info

litle-finder. me

megafinder24. info

searchl. org

searchwebfind. org

truesearchresults. com

webwebfind. com

news4news015. com

news4news14. com

news4news15. com

news4news2014. com

news4news2015. com

 

click2.systemaffiliate. com

click2.danarimedia. com

ado-global. com

ads.fsrinc. biz

click.upperseeker. com

death-tostock. com

find-all. biz

find-everything. info

global-search24. biz

integrosearch. com

litle-finder. me

megafinder24. info

millsearch. net

searchl. org

searchwebfind. org

superior-movies. com

truesearchresults. com

webwebfind. com  

 

click2.systemaffiliate. com

news4news015. com

news4news14. com

news4news15. com

news4news2014. com

news4news2015. com

 

click2.systemaffiliate. com

buyadvertsort. com

buyadvertview. com

buyadvlist. com

dealsadvdeals. com

dealsadvdeals. com

dealsadvdeals. com

buyadvertview. com

From these domains, traffic then gets sent to the various exploit kits in a manner similar to the following:

MAGNITUDE:

Of all the EK activity, Magnitude was definitely the most active amongst the EK’s being redirected to.

RIG:

The Rig EK infection was interesting as it leveraged Google’s URL shortening service to hop users to additional malvertiser domains before finally reaching the Rig landing page.

The current URL linking to Rig appears to be goo[.]gl/F0O6DN. Hitting this URL immediately sent us to a series of rogue advertising servers before we finally landed on Rig.

    Figure 7 – Rig Exploit Kit Infection chain using Google URL shortening service

The “click2.” prefixed domains would usually redirect to rogue search sites with keywords in the URL like below. These would lead to a Nuclear EK landing page.

Nuclear:

There really seems to be endless EK activity emanating from this netblock. As we mentioned, pretty much every EK is represented and there are likely to be more.

Here is a look the current poster boy for Exploit Kits.

ANGLER:

In this infection, the victim has been redirected to to a rogue search domain.

This resulted in another 302 redirect to searchwebfind[.]org, which then redirected yet again to the “news4news” themed domains.

There were multiple combinations of redirection domains & referrer activity, here we see megafinder24[.]info, another rogue domain, leading to Angler.

    Figure 8 – Redirection to Angler EK from megafinder[.]info

We observed redirection activity to this currently active Angler exploit kit campaign which uses “news”-themed domains to distribute the downloader Trojan.Poweliks.

    Figure 9 – News themed Angler EK attack flow with malware Payload callback

    Figure 10 – Example news4news domain, a fake news site that leads to Angler

In summary, this network is bad “news,” no matter how you look at it. The trail of redirection and malicious referers all link back to the 199.212.255 network. There is no question this operation is currently very active and using malvertising on a large scale to send victim computers to top Exploit Kits in the wild.

It is highly advised that this net block be avoided and perimeter security solutions kept up-to-date with the latest security content to prevent Exploit Kit attacks.