This type of malicious redirection is known as malvertising, where ad networks and content publishers are abused and leveraged to serve ads that redirect users to malicious sites.
Neutrino Attack Chain
The attack starts when the following URL is requested from the Forbes.com website, as depicted in Figure 1:
hXXp://www3.forbes[.]com/test/[redacted]/IWC_ForbesLife_E-Reader_unit/fif.html
The following URLs were seen as referrers in the requests for fif.html:
| Referrer |
| --- |
| www.forbes.com/2010/08/24/sabbatical-leave-work-leadership-careers-advice.html |
| www.forbes.com/sites/johnlamattina/2015/04/13/should-the-fda-require-cv-outcome-studies-for-diabetes-drugs-before-approval/ |
| www.forbes.com/search/?q=CSR+articles |
| www3.forbes.com/business/the-worlds-100-highest-paid-athletes/?utm_campaign=highest-paid-athletes-2015&utm_source=yahoo-gemini&utm_medium=referral |
| www.forbes.com/sites |
| www3.forbes.com/investing/the-grateful-graduates-index-2015-the-top-50-roi-colleges/?kwp_0=40495&utm_campaign=the-grateful-graduates-index-2015-the-top-50-roi-colleges&utm_source=FacebookTest1&utm_medium=referral&utm_content=3&kwp_4=231627&kwp_1=186159 |
| www.forbes.com/sites/abrambrown/2012/10/29/what-can-close-the-nyse-world-war-presidential-funerals-and-hurricane-sandy/ |
| www3.forbes.com/lists/the-richest-person-in-every-state/?utm_campaign=richest-by-state&utm_source=taboola&utm_medium=referral&utm_content=reuters-reuters |

Table 1. Referrers leading to request for “/test/[redacted]/IWC_ForbesLife_E-Reader_unit/fif.html”
Figure 1. Request to forbes.com; parameters contain URLs for loading ad content
The “&lu=” parameter visible in the request holds the URL-encoded URI of a .js file hosted on s.flite[.]com (see Figure 2); flite[.]com is another ad platform.
Figure 2. Request to s.flite[.]com
Loading that .js file causes the following iframe, pointing to eminetwork[.]com, to be loaded (Figures 3 and 4):
Figure 3. iframe to eminetwork[.]com
Figure 4. Request to eminetwork[.]com
The file FDPU_08_17_15_New_Eng_Educ_Innov contains another injected iframe leading to the Neutrino exploit kit (Figure 5).
Figure 5. iframe to Neutrino exploit kit
This loads the Neutrino landing page, which sets up the exploitation stage (Figure 6):
Figure 6. Neutrino landing page w/ reference to Flash exploit
The landing page then downloads a Flash exploit with MD5 e8ce10aab2c0585df10fe9420278e25c (Figure 7).
Figure 7. Flash exploit being downloaded
The Flash file embeds a set of exploits as binaryData blobs (listed in Figure 8) and selects one of them, based on the victim’s environment, to download the malware. Each blob is RC4-encrypted; the blobs targeting IE are additionally zlib-compressed and inflated at runtime.
| binaryData | Decrypted md5 | Summary |
| --- | --- | --- |
| 1.bin | fd9d3a5f51053818e38a79ad63292add | Flash, CVE-2015-5119 |
| 2.bin | 71b488c677490a82e8a9060a6a34bb9a | Flash, CVE-2015-5122 |
| 3.bin | abf2c18c6a68e8a70eb069ae7cc4593d | Angler EK's IE CVE-2015-2419 exploit |
| 4.bin | 575ba6a43945a739583633badee50f7f | IE, CVE-2013-2551 |
| 5.bin | 41edea8d4e6d187eb0f977b8bec27a98 | Flash, CVE-2014-0569 |
| 6.bin | adf2e242611449c8e93f3d849ec6a1cc | VBScript, CVE-2014-6332 |
| 7.bin | 0266f91ffde4f00c233c7089dc38162b | VBScript, CVE-2014-6332 |

Figure 8. Exploits embedded
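As an added illustration of the unpacking described above (example code, not code from the original post or from the sample), the following Python reverses that layering for analysis: RC4-decrypt a binaryData blob, inflate it if a zlib layer is present, and compute the MD5 that the “Decrypted md5” column of Figure 8 records. The RC4 key and the two sample blobs are constructed placeholders (the real key is not given on the page), and because the text does not state whether zlib sits inside or outside the RC4 layer, inflate is attempted on both sides.

```python
import hashlib
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def try_inflate(data: bytes) -> tuple[bytes, bool]:
    """Inflate a zlib stream if that is what we were handed; else pass through."""
    try:
        return zlib.decompress(data), True
    except zlib.error:
        return data, False


def decode_binary_data(blob: bytes, key: bytes) -> tuple[bytes, str, bool]:
    """Unpack one binaryData blob: RC4, plus the zlib layer the IE exploits carry.
    Inflate is tried before and after RC4 because the layer order is not stated;
    a real blob needs at most one of the two. Returns (plaintext, md5, had_zlib)."""
    data, before = try_inflate(blob)
    data = rc4(key, data)
    data, after = try_inflate(data)
    return data, hashlib.md5(data).hexdigest(), before or after


# Constructed stand-ins: neither the key nor these payloads come from the sample.
SAMPLE_KEY = b"placeholder-key"
FLASH_PLAIN = b"FWS\x0a" + bytes(range(64))                         # Flash-style blob
IE_PLAIN = b"<html><script>placeholder IE payload</script></html>"  # IE-style blob
FLASH_BLOB = rc4(SAMPLE_KEY, FLASH_PLAIN)                # RC4 only
IE_BLOB = rc4(SAMPLE_KEY, zlib.compress(IE_PLAIN))       # zlib, then RC4
IE_MD5 = hashlib.md5(IE_PLAIN).hexdigest()               # value Figure 8's column would hold

for name, blob in (("1.bin", FLASH_BLOB), ("4.bin", IE_BLOB)):
    plain, digest, had_zlib = decode_binary_data(blob, SAMPLE_KEY)
    print(name, digest, "zlib+rc4" if had_zlib else "rc4-only", len(plain), "bytes")
```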
ADDITIONAL INFORMATION
Further research showed that this malvertising attack led not only to the Neutrino exploit kit but also to the Angler exploit kit. Switching between exploit kits is not new behavior and has recently been documented here.
The following table lists some of the Angler URLs and their respective referrers. Note that every referrer comes from the eminetwork[.]com domain.
| Angler URL | Referrer |
| --- | --- |
| buttetpappaen.dog-collars-usa.com/forums/viewforum.php?f=17&sid=.59t9rd66l86101223y41& | /projects/FDPU/?FDPU=FDPU_09_07_15& |
| sjlsagt.callcenterrecovery.com/forums/viewforum.php?f=77e&sid=w59t84495bl5t.8t40y3 | /projects/FDPU/?FDPU=FDPU_09_01_15_Utah_Fin_Edu& |
| myymnkinatawan.web-homebiz.com/forums/index.php?PHPSESSID=4817a&action=4.5o2p3s103122110w4& | /projects/FDPU/?FDPU=FDPU_09_01_15_Utah_Fin_Edu& |
| penpicture-tairaka.joemuscolina.net/forums/index.php?PHPSESSID=95m.&action=93626s9191vzw48pt19493 | /projects/FDPU/?FDPU=FDPU_09_07_15& |
| tariff1bjerviscottonfactor.communitydentalgroup.com/boards/index.php?PHPSESSID=231&action=p2.t18gr108l43865 | /projects/FDPU/?FDPU=FDPU_09_01_15_Utah_Fin_Edu& |
| mesententes-abkuessen.dsris.net/forums/search.php?keywords=1n9&fid0=8578.d616x8s36j1 | /projects/FDPU/?FDPU=FDPU_09_07_15& |
| heupbreuk.conejovalleyhealth.net/civis/index.php?PHPSESSID=18j&action=u6181.591ul99v2 | /projects/FDPU/?FDPU=FDPU_09_07_15& |
| linkpc.capitalhomealarm.com/boards/viewforum.php?f=9s&sid=4an.841241046j1003d9447pdi8 | /projects/FDPU/?FDPU=FDPU_09_07_15& |
| neuvostodemokratian.bankrepoautooutlet.com/forums/index.php?PHPSESSID=3e1ij&action=7942.q0el899 | /projects/FDPU/?FDPU=FDPU_09_07_15& |
| holectypmaneschi.compasspointlaw.com/boards/viewforum.php?f=98yo.&sid=v15166k5yk38884x553 | /projects/FDPU/?FDPU=FDPU_08_17_15_S_Central_Southern_Educ_Innov |

Table 2. Referrers from the ad content provider eminetwork[.]com leading to the Angler exploit kit.
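An added detection example (not part of the original post) that turns Table 2 into a proxy-log check: a request is flagged only when its referrer is the eminetwork[.]com ad path under /projects/FDPU/ and the requested URL has the forum-software lookalike shape seen in the Angler column, so a genuine forum visit or the ad creative on its own does not fire. The log line format is an assumption, and every entry is constructed except the first, whose URL and referrer are taken from Table 2.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Referrer traits from Table 2: the ad creative on eminetwork[.]com under
# /projects/FDPU/ was the last hop before every Angler landing page.
AD_REFERRER_HOST = "eminetwork.com"
AD_REFERRER_PATH = "/projects/FDPU/"

# Landing-page traits visible in the Angler column: a forum-software lookalike
# path whose query keys come in one of three fixed pairs with junk values.
LANDING_PATH = re.compile(r"^/(forums|boards|civis)/(viewforum|index|search)\.php$")
LANDING_QUERY_KEYS = ({"f", "sid"}, {"PHPSESSID", "action"}, {"keywords", "fid0"})


def _split(url: str):
    # Log entries carry no scheme; urlsplit needs one to find the host.
    return urlsplit(url if "://" in url else "http://" + url)


def looks_like_angler_landing(url: str) -> bool:
    parts = _split(url)
    if not LANDING_PATH.match(parts.path):
        return False
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    return any(keys >= wanted for wanted in LANDING_QUERY_KEYS)


def referrer_is_fdpu_ad(referrer: str) -> bool:
    parts = _split(referrer)
    host = parts.hostname or ""
    on_ad_host = host == AD_REFERRER_HOST or host.endswith("." + AD_REFERRER_HOST)
    return on_ad_host and parts.path.startswith(AD_REFERRER_PATH)


def find_chain_hits(log_lines) -> list:
    """Each line: '<client_ip> <requested_url> <referrer>' (assumed format).
    Returns the requested URLs that match both the referrer and landing traits."""
    hits = []
    for line in log_lines:
        _client, url, referrer = line.split(maxsplit=2)
        if referrer_is_fdpu_ad(referrer) and looks_like_angler_landing(url):
            hits.append(url)
    return hits


SAMPLE_LOG = [  # constructed entries; only the first pair is from Table 2
    "10.0.0.5 buttetpappaen.dog-collars-usa.com/forums/viewforum.php?f=17&sid=.59t9rd66l86101223y41& eminetwork.com/projects/FDPU/?FDPU=FDPU_09_07_15&",
    "10.0.0.7 forum.example.org/forums/viewforum.php?f=3&sid=abc123 www.forbes.com/sites",
    "10.0.0.9 eminetwork.com/projects/FDPU/?FDPU=FDPU_09_07_15& www.forbes.com/sites",
]
print(find_chain_hits(SAMPLE_LOG))
```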
CONCLUSION
Malvertising continues to be an attack vector of choice for criminals making use of exploit kits. By abusing ad platforms – particularly ad platforms that enable Real Time Bidding, which we’ve covered before here – attackers can selectively target where the malicious content gets displayed.
When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk.