{"id":7060,"date":"2017-03-21T08:10:06","date_gmt":"2017-03-21T16:10:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/21\/news-851\/"},"modified":"2017-03-21T08:10:06","modified_gmt":"2017-03-21T16:10:06","slug":"news-851","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/21\/news-851\/","title":{"rendered":"Canada and the U.K. hit by Ramnit Trojan in new malvertising campaign"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 21 Mar 2017 15:48:54 +0000<\/strong><\/p>\n

Over\u00a0the last few days we have observed an\u00a0increase in malvertising activity coming from adult websites that have significant traffic (several million monthly visits each).\u00a0Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously redirect users\u00a0to the RIG exploit kit.<\/p>\n

This particular campaign abuses the ExoClick ad network (ExoClick was informed and took action to stop the fraudulent advertiser based on our reports) and, according to our telemetry, primarily targets Canada and the U.K.. The ultimate payloads we collected during this time period\u00a0were all the\u00a0Ramnit information stealer (banking, FTP credentials, etc.) which despite\u00a0a takedown in 2015<\/a>\u00a0has rebounded and is quite active again.<\/p>\n

Pop-under ads and TDS<\/h4>\n

Pop-under ads are usually triggered when a\u00a0user clicks on an item on the site they are browsing. In this particular example, clicking on one of the category thumbnails launches the pop-under window behind\u00a0the main page.<\/p>\n

\"\"Figure1: Pop-under advert fires up\u00a0RIG EK (blocked by Malwarebytes)<\/em>
<\/a><\/p>\n

The first stage redirection includes a link\u00a0to tds.tuberl.com<\/em><\/strong> within two different JavaScript snippets. This Traffic Distribution System (TDS) mostly loads benign adult portals\/offers\u00a0via ExoClick. The actual malvertising incident takes place next with a 302 redirect to a malicious TDS this time, which performs some geolocation fingerprinting and checks the upper referer before loading the RIG exploit kit.<\/p>\n

Traffic overview:<\/h4>\n

\"\"<\/em><\/a>
<\/em><\/a>Figure 2: Web traffic showing redirection chain to RIG EK from see.xxx<\/em><\/a>
<\/a><\/p>\n

 <\/p>\n

Redirection chain:<\/h4>\n

\"\"<\/a>
<\/a>Figure 3: TDS redirection based on the user’s geolocation<\/em><\/a><\/p>\n

We noted the same attack pattern with several other adult portals using the malicious TDS mentioned above to load RIG EK:<\/p>\n

\"\"
<\/em><\/a>Figure 4:\u00a0Web traffic showing redirection chain to RIG EK from justporno.tv<\/em><\/a>
<\/a><\/p>\n

Ramnit going after Canada and the U.K.<\/h4>\n

The payloads we collected via our honeypot were all the Ramnit Trojan, which is interesting considering the traffic flow from\u00a0the TDS (Canada, U.K. being the most hits recorded in our telemetry). A\u00a0report<\/a> from IBM security researcher\u00a0Limor Kessem in December\u00a02015 indicated that Canada was the top target with 55% of all Ramnit activity. A follow up report<\/a> from the same researcher in August 2016 showed a new wave of attacks directed this time at the U.K.<\/p>\n

We informed ExoClick and they have been able to locate and terminate the rogue advertiser. Malwarebytes users were already\u00a0protected against this distribution campaign and the Ramnit Trojan.<\/p>\n

IOCs<\/h4>\n

Malware hashes:<\/p>\n

53ba545c599a66a148e590b11e9cdc0d49141b03d9f870fcd52593f39bcd690d  845824afa87c0eccf25b09cbf57fbe2ab9e356b6cdbac220271e9c4e732bb174  3feb4c5198cd00361dc5631334288f9ba6a25b3d35028b0cd10f453525ff1c9e  c72e3c5120e948599a2f6f215a7ef53f71763ce16303782872bab9cf5599610a  be3705cf0964cebe7084439f502ae4d40fc063693be44fbe54fe7a9f8ae180df  228af3aa07a2c37badf83cdd552710434601d8f3abf60df8d8264cdf3f694d70  <\/pre>\n
RIG EK domains:<\/p>\n
set.designervintagejewelry.com  cxz.suttonsite.com  rew.lafontant.services  new.serviceslafontant.ca  act.opencomputinginstitute.com  free.learntoridemotorcycle.com  rew.dietingplan.org  gfd.dealsboy.in  admin.sellsettlement.org  act.loseyourweightnaturally.com  acc.buycellulitetreatments.com  art.joecornellweddings.com  see.chairblue.com  list.werledlighting.com  never.alexagift.com  see.aliharperweddings.com  see.clicklinkto.info  free.nutrangnu.com  all.woodfurnituregarden.com  top.villabluesteps.com  act.obamapower.com  new.4u-insurance.com  art.carondeletevents.com  add.cmlib.org  far.clickbankidol.com  rew.terrigenesis.com  line.bermudaweddings.net  rec.goldenknightsfan.com  try.sjtri.com  add.lvgoldenknightsfan.com  free.cmlib.info  act.twoocomms.com  <\/pre>\n
RIG EK IPs:<\/p>\n
188.225.38.209  188.225.38.186  188.225.38.164  188.225.38.131  5.200.52.240<\/pre>\n
The post Canada and the U.K. hit by Ramnit Trojan in new malvertising campaign<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 21 Mar 2017 15:48:54 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
This new malvertising campaign on adult websites was pushing the Ramnit information stealer.<\/p>\n
Categories: <\/p>\n