{"id":6449,"date":"2017-01-31T11:11:05","date_gmt":"2017-01-31T19:11:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/31\/news-286\/"},"modified":"2017-01-31T11:11:05","modified_gmt":"2017-01-31T19:11:05","slug":"news-286","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/31\/news-286\/","title":{"rendered":"A look back at the Zyns iframer campaign"},"content":{"rendered":"

We often get asked\u00a0about drive-by download attacks, how they work, and specifically about what sites people may have visited just prior\u00a0to getting infected. This is an interesting aspect when tracking campaigns and what they lead to.<\/p>\n

Typically, one can divide the drive-by landscape into two categories: malvertising and compromised websites. The former involves legitimate websites that rely on advertising as their source of revenue. Crooks have long been able to insert themselves into the ad delivery chain in order to push malicious code such that the simple fact of viewing a page with ads actually infects your computer. The latter is made of websites that have been hacked and injected with malicious code and are also used to redirect users to malicious content.<\/p>\n

What we refer to as “campaigns” are specific attributes from the same threat actor or group similar to what is used to categorize malware families.\u00a0There are many different campaigns for both streams, some come and go while others stick around for long periods of time. For instance, EItest<\/a>\u00a0is one particular campaign for compromised\u00a0sites which has been going on for years<\/a>.<\/p>\n

Campaigns are an essential part of the underground\u00a0ecosystem because they continuously feed potential new victims into the infection funnel which ultimately translates into revenues for online criminals.<\/p>\n

Today we are\u00a0taking a look at an iframe campaign (Zyns iframer<\/strong><\/em>) that has been going on since at least 2014. There are specific indicators of compromise (IOCs<\/a>)\u00a0that haven’t really changed over time and the underlying structure has also remained pretty similar. We have seen this attack chain primarily associated with malvertising, and in particular via adult sites. During its course, we noted\u00a0several different exploit kits being pushed by this campaign (Angler EK, Nuclear Pack, Neutrino EK, RIG EK).<\/p>\n

Patterns (IOCs)<\/h3>\n

The redirection infrastructure had very distinct patterns and also shared many of the same server IP addresses over time. We also saw the evolution from dynamic DNS (via sub domains) to domains on dubious top-level domains (TLDs<\/a>).<\/p>\n

URL patterns:<\/p>\n

\/out.php?sid=1  \/out.php?sid=3  \/link.php  \/linkx.php<\/pre>\n
Server headers:<\/p>\n
HTTP\/1.1 200 OK  Server: Apache\/2.2.22 (@RELEASE@)  X-Powered-By: PHP\/5.3.3<\/pre>\n
Redirection URL:<\/p>\n
<iframe src=\"[EK URL HERE]\" width=\"468\" height=\"60\"   style=\"position:absolute;left:-10000px;\"><\/iframe><\/pre>\n
First spotted,\u00a02014<\/h3>\n
Our\u00a0earliest records\u00a0are from the fall of\u00a02014 with malvertising attacks mostly affecting Russian users. A capture from later that year shows a drive-by download from blogspot.ru<\/em> via JetSwap, an “Active Promotion System!” where\u00a0members and advertisers are linked together via an affiliate program. In this particular case, the advert loads a\u00a0malicious iframe to qera.zyns.com<\/em>\u00a0which performs a 302 redirect to another domain qzertyu.myz.info<\/em>\u00a0and in turn redirects to the Angler exploit kit.<\/p>\n
\"2014_overview\"<\/a><\/p>\n
Payload: SmokeLoader<\/a>.<\/p>\n
2014-2015 transition<\/h3>\n
The campaign kept going as 2015 rolled in with an almost identical structure. Note the addition of ‘link.php’ to the domain in charge of loading iframes to EK. Angler wasn’t the only exploit kit used by these actors. For example we see Nuclear Pack below:<\/p>\n
\"2014__2015\"<\/a><\/p>\n
Payloads: Bedep<\/a>\u00a0(2nd Bedep<\/a>), Troldesh.<\/a><\/p>\n
Sucuri Labs post<\/a> shows another\u00a0.wha.la domain involved in redirect:<\/p>\n
176.122.88.120\u00a0<\/strong>kophon.wha.la\/out.php?sid=1<\/pre>\n
A piece of code containing the same iframe redirection structure was posted<\/a> in May 2015\u00a0to an online PHP editor. It shows a distinct URL pattern for the RIG exploit kit (RIG EK version 3).<\/p>\n
\"\"<\/a><\/p>\n
2016<\/h3>\n
2016 was an interesting year for exploit kits with the disappearance of Angler EK in June. The capture shown below is one of the latest artifacts we have from Angler EK before it went missing.<\/p>\n
\"june\"<\/a><\/p>\n
Payload: JuicyLemon<\/a> (ransomware).<\/p>\n
As we know,\u00a0criminals transitioned to Neutrino EK after Angler EK went down. During the next few months, up until sometime in September there was a mix of both Neutrino EK and RIG EK used by the actors behind this campaign. Below, Neutrino EK in July:<\/p>\n
\"neutrino\"<\/p>\n
The campaign was spotted in late June by Malekal (link<\/a>) via malvertising on adult sites (with Gootkit mentioned as the payload).<\/p>\n
Malware Traffic Analysis wrote a blog entry shortly after (link<\/a>):<\/p>\n
93.36.35.39 port 80 - glamgirltube.tk<\/b> - GET \/engine\/classes\/js\/jquery.js - file with injected script  193.36.35.39 port 80 - fijir0.tk<\/b> - GET \/linkx.php - gate  46.30.46.40 port 80 - jy.neutralarbitrations.com<\/b> - RIG EK<\/pre>\n
and in July Broad Analysis did too (link<\/a>):<\/p>\n
193.36.35.39 \u2013 relaxtube.tk<\/strong> \u2013 GET \/engine\/classes\/js\/jquery.js \u2013 Rig EK REDIRECT<\/strong>  193.36.35.39 \u2013 waferako.cf<\/strong> \u2013 GET \/linkx.php \u2013 Rig EK REDIRECT<\/strong>  46.30.46.128 \u2013 ds.pacificbeachcar.com<\/strong> \u2013 Rig EK LANDING PAGE<\/strong><\/pre>\n
RIG EK (also known as RIG Standard), seen in September:<\/p>\n
\"rig_\"<\/a><\/p>\n
Payload: Vawtrak<\/a>.<\/p>\n
In early December, we noticed a slight change with a new domain used as a redirector. At the same time, there were several instances where two different RIG EKs were pushed from the same redirection chain, leading to two different malware payloads.<\/p>\n
\"\"<\/a><\/p>\n
Payloads: Gootkit<\/a>, \u00a0Moker<\/a>.<\/p>\n
2017<\/h3>\n
In January we started seeing the same redirector\u00a0that had been pushing this campaign switch to\u00a0a different chain, this time via compromised sites. This was interesting because throughout December, we were\u00a0seeing the usual sequence of events with the standard iframe, even though this chain came via a different sid (sid 3<\/em>) than the typical sid 1<\/em>.<\/p>\n
December 2016 (with sid=3<\/em>)<\/p>\n
\"\"<\/p>\n
Payload: Gootkit<\/a>.<\/p>\n
Come January and we have a completely new pattern where an iframe is now inserted via a double chain of events, most notably malicious code injection that looked new to me within a WordPress plugin called Contact Form 7.<\/p>\n
January 2017 (also with sid=3<\/em>)<\/p>\n
\"\"<\/a><\/p>\n
Payload: Gootkit<\/a>.<\/p>\n
The end of the road?<\/h3>\n
In January, several different trails we were tracking began to disappear, showing that the Zyns iframer\u00a0campaign was likely evolving or got merged into something else. The diversity of payloads and exploit kits may indicate there was no particular tie with any\u00a0specific malware distributor.<\/p>\n
Threat actors will buy traffic from various sources to push malware, with malvertising often being the top choice for its wide impact. This particular case is a mix of malvertising and bogus adult websites aimed at driving a lot of users into exploit kit landing pages.<\/p>\n
To protect yourself against drive-by download attacks, the first thing to do is to\u00a0ensure that your computer is fully up-to-date. Use Malwarebytes<\/a> to stay\u00a0safe\u00a0from malicious websites and thwart exploits (known and unknown) before they launch their payload.<\/p>\n
Thanks to @hasherezade<\/a> for help with payload identification!<\/em><\/p>\n
IOCs<\/h3>\n
Dec 2014<\/em><\/p>\n