{"id":8399,"date":"2017-07-20T10:10:02","date_gmt":"2017-07-20T18:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/20\/news-2173\/"},"modified":"2017-07-20T10:10:02","modified_gmt":"2017-07-20T18:10:02","slug":"news-2173","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/07\/20\/news-2173\/","title":{"rendered":"Terror EK actor experiments with URL shortener fraud"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 19 Jul 2017 21:25:39 +0000<\/strong><\/p>\n

Terror EK is\u00a0an exploit kit made from a mishmash\u00a0of stolen code and with very limited distribution. In the past few months, we have seen a few minor updates to its code base which remains largely simplistic in comparison to professional-grade exploit kits of the past such as Angler EK<\/a>, or modern-day Astrum EK<\/a>.<\/p>\n

We recently observed activity from one actor that appears to be doing some experiments with the toolkit. This post\u00a0takes a look at a malvertising chain that leads to Terror EK in which\u00a0the\u00a0individual had set up his own redirect\u00a0and bogus fraud page.<\/p>\n

Campaign<\/h3>\n

This particular infection flow started with\u00a0malvertising related to\u00a0adult and file sharing traffic. The final redirection to the exploit landing page was handled via a bogus site acting as a direct referrer to Terror EK.<\/p>\n

\"\"<\/a><\/p>\n

Exploit Kit<\/h3>\n

As mentioned by Cisco Talos<\/a>, Terror EK collects some information about the user such as plugins that are installed, and their version which it then\u00a0sends back to its server. Compared to earlier versions of Terror EK that loaded multiple Flash files at once, it now uses\u00a0a single one that targets Flash Player up to version 20.0.0.228.<\/p>\n

\"\"<\/a><\/p>\n

Payload<\/h3>\n

This campaign dropped the Neurevt bot which downloaded a secondary payload\u00a0shortly after.\u00a0The malware’s purpose is to cycle through\u00a0a predefined list of URLs and open up a new\u00a0browser window to the next\u00a0URL every 90 seconds. This list is\u00a0maintained via a simple user interface hosted on the same IP address\u00a0as the initial redirector to the exploit kit. This makes us think that the threat actor is managing his small own operation from end to end.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

All these URLs are AdFly shortened links for fake remedies spam. AdFly typically\u00a0pays you a small amount of money\u00a0each time a new user clicks your\u00a0link and visits the final URL. The way this business model works is by showing ads for a few seconds before allowing you to visit the URL you were looking for.<\/p>\n

While the malware was running in our sandbox, one of such ads pushed a tech support scam:<\/p>\n

\"\"<\/a><\/p>\n

However, using this piece of malware to generate revenue via AdFly seems like a pretty inefficient method. Indeed, AdFly will very quickly detect the suspicious activity when those links are visited from the same computer\u00a0at short intervals.<\/p>\n

\"\"<\/a><\/p>\n

Upon notification, AdFly terminated all the fraudulent shortened links.<\/p>\n

Mitigation<\/h3>\n

Like other exploit kits, Terror EK relies on software vulnerabilities that have already been patched. The distribution we have witnessed so far has mostly been via malvertising but on a small scale.<\/p>\n

Malwarebytes blocks Terror EK’s exploits and associated malicious traffic.<\/p>\n

Indicators of compromise (IOCs):<\/h3>\n

Terror EK<\/p>\n

188.226.159 .188\/e71cac9dd645d92189c49e2b30ec627a\/22ba13789663b77e4a7d9e849f42041f  188.226.159 .188\/22ba13789663b77e4a7d9e849f42041f\/683909\/595c2c275d50e  188.226.159 .188\/uploads\/ufj.swf  188.226.159 .188\/d\/22ba13789663b77e4a7d9e849f42041f\/?q=r4&r=3cd3ad4d7992a73038ad37c07e219138&e=cve20150313<\/pre>\n
Malware drop<\/p>\n
404108a0066f6df22bfb4abcec849c214eed089c69b115f5300a2ac631863b1a<\/p>\n
The post Terror EK actor experiments with URL shortener fraud<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 19 Jul 2017 21:25:39 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
We catch up with a small player in the exploit kit scene.<\/p>\n
Categories: <\/p>\n