Since early 2015, FireEye Labs has observed a highly active malvertising operation involving Bedep ad fraud activity and malicious redirection to Exploit Kits (EK) via a multitude of advertising and search-affiliated domains. Among the exploit kits being redirected to are well-known names like Angler, Magnitude, Nuclear and Rig, each redirection to an EK sharing a common link. We believe this particular operation has been active since at least mid 2014, if not prior, and is still very active at time of this writing.
At the core of the activity is the Bedep Trojan. Once infected, the system kicks into action with behavior similar to the following:
- Infected systems covertly engage in ad fraud activity
- High volume of requests made to affiliate / ad networks
- Rogue ad networks eventually redirect system to malicious redirect host
- Malicious redirect host (a.k.a. cushion server) redirects system to EK
- System is re-infected with malware (on top of existing infections)
- Cycle repeats
Bedep’s network activity has been documented in other security blogs here and here; this blog's focus is more on the scope of malvertising and redirection activity involving the particular networks that lead to the Exploit Kits.
FireEye’s Dynamic Threat Intelligence captured a lot of Bedep referrer action over the past few months that confirmed the connection to malvertising activity and exploit kits, on top of the advertising click fraud that Bedep is known for.
Requests to the rogue ad networks will have a specific Bedep referrer. From there, a wild maze of redirection takes place, bouncing the browser from domain to domain until the final destination is reached.
Figure 1 – Brief overview of domain / IP architecture for systemaffiliate.com
The connections to the systemaffiliate[.]com domains resolve IP space based out of Canada (AS25948). The traffic is distributed across five IPs.
Reverse DNS on the five IPs shows they resolve to multiple hostnames, including names that reference characters from the Teenage Mutant Ninja Turtles franchise.
Figure 2 – Some of the domains / host names associated with the five IPs
Note that although it has been the most active, click2.systemaffiliate[.]com was not alone in its redirection mischief. click2.danarimedia[.]com preceded it in redirecting to Exploit Kits in the exact same manner; it is also linked to the same five IPs.
Figure 3 – Overview of domain structure for danarimedia.com
There are many more redirection domains linked to these IPs, both past and present. We can follow the recent trail of redirection domains via Passive DNS.
Figure 4 – VT’s passive DNS info for one of the associated IPs
Visible at the top is a new member on the block, click1.searchandclick.space, which as you probably guessed, resolves to the same IPs.
Once the request is made to one of the redirection domains hosted on the 199.212.255 net block, you are again redirected (multiple times over), until you reach a server that instructs your browser to load an exploit kit landing page resulting in infection.
Figure 5 – Example series of requests made to one of the 199.212.255.x hosts
We saw exact same behavior for the other “click2” sub domains. All the “click2” prefixed sub domains are built on the same server framework, Web Ninja, which seems fitting considering the earlier Ninja Turtle reference.
Ironically enough, during our analysis we discovered that the IPs and malicious redirect domains are all on the same IP network as a commercial advertising platform that offers a variety of services from PPC to anti-fraud analytics for advertisers.
Figure 6 – Anti-ad fraud defense service on same malvertising network?
This could be an indication that yet another ad platform has been overrun by malvertisers, although it is highly suspicious how most of the redirection activity all points to a single netblock owned by the same entity and continues to proliferate.
As we examine the data, we see the redirects from 199.212.255.x using a seemingly endless rotation of destination domains associated with ad traffic and search. All ultimately lead to exploit kits -- most notably Angler and Magnitude -- but we also saw activity involving Nuclear, Rig and other EK’s in the mix.
We observed over 220 unique destination IPs being used (and re-used) for redirection by the “click2.” prefixed sub domains alone.
Some of the most active destination (or 'cushion servers' as they are commonly referred to) domains leading to EK’s include (but are not limited to) the following. As you will notice, some domains redirect to more than one EK.
Rig / Other
From these domains, traffic then gets sent to the various exploit kits in a manner similar to the following:
Of all the EK activity, Magnitude was definitely the most active amongst the EK’s being redirected to.
The Rig EK infection was interesting as it leveraged Google’s URL shortening service to hop users to additional malvertiser domains before finally reaching the Rig landing page.
The current URL linking to Rig appears to be goo[.]gl/F0O6DN. Hitting this URL immediately sent us to a series of rogue advertising servers before we finally landed on Rig.
Figure 7 – Rig Exploit Kit Infection chain using Google URL shortening service
The “click2.” prefixed domains would usually redirect to rogue search sites with keywords in the URL like below. These would lead to a Nuclear EK landing page.
There really seems to be endless EK activity emanating from this netblock. As we mentioned, pretty much every EK is represented and there are likely to be more.
Here is a look the current poster boy for Exploit Kits.
In this infection, the victim has been redirected to to a rogue search domain.
This resulted in another 302 redirect to searchwebfind[.]org, which then redirected yet again to the “news4news” themed domains.
There were multiple combinations of redirection domains & referrer activity, here we see megafinder24[.]info, another rogue domain, leading to Angler.
Figure 8 – Redirection to Angler EK from megafinder[.]info
We observed redirection activity to this currently active Angler exploit kit campaign which uses “news”-themed domains to distribute the downloader Trojan.Poweliks.
Figure 9 – News themed Angler EK attack flow with malware Payload callback
Figure 10 – Example news4news domain, a fake news site that leads to Angler
In summary, this network is bad “news,” no matter how you look at it. The trail of redirection and malicious referers all link back to the 199.212.255 network. There is no question this operation is currently very active and using malvertising on a large scale to send victim computers to top Exploit Kits in the wild.
It is highly advised that this net block be avoided and perimeter security solutions kept up-to-date with the latest security content to prevent Exploit Kit attacks.