Flashpack Exploit Kit Used in Free Ads, Leads to Malware Delivery Mechanism

In the entry FlashPack Exploit Leads to New Family of Malware, we tackled the FlashPack exploit kit and how it uses three URL formats as its landing site: http://{malicious domain}/[a-z]{3}[0-9]{10,12}/loxotrap.php, http://{malicious domain}/[0-9,a-z]{6,10}/load0515p6jse9.php, and http://{malicious domain}/[a-z]{3}[0-9]{10,12}/ldcigar.php.

We monitored the abovementioned URLs and found out that the FlashPack exploit kit is now using free ads to distribute malware such as ZeuS/ZBOT, DOFOIL, and ransomware variants. This technique of using ad networks for malicious intent is called malvertising.

Based on data from the Trend Micro™ Smart Protection Network™, the North American region has the largest number of users who accessed these malicious URLs.

Tables 1-3. Most affected regions per URL

Distributing DOFOIL via Ad Networks

Around the end of August, we observed that detections for TROJ_DOFOIL (specifically TROJ_DOFOIL.WYTU, TROJ_DOFOIL.WYTV, TROJ_DOFOIL.WYTX, and TROJ_DOFOIL.SM01) surged suddenly, peaking last October. This threat is currently active in the wild and is known for capabilities such as connecting to C&C URLs, dropping files, and detecting sandboxes.

According to the Smart Protection Network, the top region affected by TROJ_DOFOIL is the Asia Pacific region, followed by the North American region.

Table 4. Top regions affected by TROJ_DOFOIL

DOFOIL enters systems via ad-related networks. When the site http://delivery.first-impression.com/delivery?action=serve&ssp_id=26&ssp_wsid=15299&dssp_id=100&domain_id=2755009716&ad_id=748551&margin=0.4 is accessed, it redirects to http://edge.bnmla.com/025cdf59ce0c8c30939bd43abfb98c65_rtb.swf, which in turn leads to http://fancygood.eu/yag6655129203/gate.php. The final landing page is http://fancys[.]eu/yag6655129203/loxotrap.php.

Figure 1. TROJ_DOFOIL infection chain via ad networks

The first two URLs are ad-related networks and the landing pages are links related to FlashPack. The final payload leads to a DOFOIL variant detected as TROJ_DOFOIL.WYTU.

The Ransomware Connection

The URL http://{malicious domain}/[0-9,a-z]{6,10}/load0515p6jse9.php is observed to distribute Cryptowall and other ransomware. Ransomware is known for encrypting files and data. It then asks users for a sum of money, or ‘ransom’, in order to retrieve their files.

As seen in the diagram below, the infection chain starts when users access http://adservertrck.com/vinaudit/load0515p6jse9.php and download files such as obupdat.exe, 261934c.exe, and 261934c.exe (hash: 7FAE34C53A67AB1B5265CB7FF4E132C350E0E07B). Trend Micro detects this as TROJ_CRYPWALL.JL.


Figure 2. Ransomware is downloaded and executed on the affected systems

The next outstanding question is what would make the browser—in this case, Internet Explorer—go to such a site? We observed that the URL http://{malicious domain}/[0-9,a-z]{6,10}/load0515p6jse9.php, which points to http://82[.]146[.]33[.]216/07102014/load0515p6jse9.php, does not follow the format of the URL indicated above.

Going through existing submissions, this leads to the file gate.php, which is a Macromedia Flash (SWF) file. A quick analysis of the details within the .SWF file reveals that it redirects the user to the said site, as well as the software that was used to create it:

Figure 3. First example of the SWF file (6673c1ffb4b0c489871c7f6d189dbcea554fd5b1) that resembles the landing page

Another similar file was seen, this time with the expected URL format:

Figure 4. Second example of the SWF file (db3a0c572bb485a28c390da82ed7a6b4fb21922e) that exactly matches the landing page

Based on our investigation, both files were developed with software called FlashDevelop, a free and open source code editor capable of writing ActionScript for SWF files.

These files also utilize the ExternalInterface class, which enables straightforward communication between ActionScript and the SWF container, for example an HTML page with JavaScript, or a desktop application that uses Flash Player to display a SWF file.

What is interesting about these files is that they contain exploit code that leverages CVE-2014-0515, the zero-day vulnerability that affected Adobe Flash Player last May.
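For a defender triaging a suspicious SWF pulled from proxy logs or a sandbox, the first questions are the ones the post answers by hand: is it compressed, is its header consistent, and does its decompressed bytecode carry strings such as ExternalInterface, the FlashDevelop name, or an embedded landing URL. The following Python is an added example written for this page, not Trend Micro's tooling; it parses the SWF header (FWS plain / CWS zlib, per the published SWF format) and searches the decompressed body for indicator strings. The sample file it builds is a constructed stand-in with a plausible header and a body holding the strings a compiled DoABC tag would contain; it is not a working Flash movie, and the host example-landing.test and the indicator strings other than ExternalInterface and FlashDevelop are assumptions.

```python
import re
import struct
import zlib

# Strings worth flagging in a decompressed SWF during triage. "ExternalInterface"
# and "FlashDevelop" come from the post; the remaining ActionScript API names are
# an assumption about what a redirecting SWF commonly references.
INDICATORS = (b"ExternalInterface", b"FlashDevelop", b"navigateToURL",
              b"URLRequest", b"http://")

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def parse_swf(data):
    """Parse the 8-byte SWF header and return the decompressed body.

    Header layout: 3-byte signature (FWS = plain, CWS = zlib, ZWS = LZMA),
    1-byte version, 4-byte little-endian total length of the uncompressed file
    (header included). CWS bodies are inflated; ZWS is not handled here.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not a SWF signature: %r" % sig)
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise NotImplementedError("ZWS (LZMA) SWF not handled in this example")
    return {
        "signature": sig.decode(),
        "version": version,
        "declared_length": declared_len,
        # A mismatch here is itself a triage signal (truncated or tampered file).
        "length_ok": declared_len == 8 + len(body),
        "body": body,
    }


def triage_swf(data):
    """Summarise header sanity, indicator strings and embedded URLs."""
    info = parse_swf(data)
    body = info["body"]
    return {
        "signature": info["signature"],
        "version": info["version"],
        "length_ok": info["length_ok"],
        "indicators": [s.decode() for s in INDICATORS if s in body],
        "urls": sorted({m.decode("ascii", "replace") for m in URL_RE.findall(body)}),
    }


def make_sample_swf(compressed=True):
    """Constructed stand-in for a compiled SWF (header fields plus a body carrying
    the kind of strings a DoABC tag holds). Not a movie Flash Player would run."""
    rect = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"   # stage RECT, 550x400 px in twips
    frame_rate = b"\x00\x18"                          # 24 fps, 8.8 fixed point LE
    frame_count = b"\x01\x00"
    fake_abc = (b"flash.external\x00ExternalInterface\x00call\x00"
                b"http://example-landing.test/yag6655129203/loxotrap.php\x00"
                b"FlashDevelop\x00")
    body = rect + frame_rate + frame_count + fake_abc
    total_len = 8 + len(body)
    if compressed:
        return b"CWS" + bytes([11]) + struct.pack("<I", total_len) + zlib.compress(body)
    return b"FWS" + bytes([11]) + struct.pack("<I", total_len) + body


if __name__ == "__main__":
    for key, value in triage_swf(make_sample_swf()).items():
        print("%-11s %s" % (key, value))
```

String search over the inflated body is deliberately crude: it does not decode the ABC constant pool, so it can miss obfuscated or runtime-built URLs, but it is enough to separate a redirecting loader from an ordinary banner and to pull the landing URL out for blocking.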

Now, reflecting back on the URL format, we can say that the URL indicates clues as to when it was released and what it was using:

  • http://82[.]146[.]33[.]216/07102014/load0515p6jse9.php
  • http://82[.]146[.]33[.]216/[release date]/load[cve-exploit-number]p6jse9.php

Trend Micro has already detected these SWF files as SWF_EXPLOIT.MJSR. Note that the third URL format (http://some[.]random[.]domain/[a-z]{3}[0-9]{10,12}/ldcigar.php) also follows the same infection trend of introducing ransomware on the systems.
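The landing-page formats above are regular-expression patterns, so the practical use for a defender is to run them over proxy or web-gateway logs and flag clients that reached a FlashPack landing page. The Python below is an added example written for this page and is not Trend Micro's detection logic. It encodes the three landing-page formats and the gate.php path from the DOFOIL chain exactly as the post gives them (the post's "[0-9,a-z]" written as the standard class [0-9a-z]), adds loosened patterns for the lofla1.php and gload.php URLs listed later in the post (an assumption about their directory format), refangs "[.]" so copied indicators work, and scans a few constructed log lines; the log format and the host example-random.eu are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Landing-page path patterns. loxotrap, ldcigar and load0515 are the formats
# given in the post; "gate" is the gate.php SWF from the DOFOIL chain; lofla1
# and gload are loosened patterns (assumption) for the newer URLs in the post.
LANDING_PATTERNS = {
    "loxotrap": re.compile(r"^/[a-z]{3}[0-9]{10,12}/loxotrap\.php$"),
    "ldcigar":  re.compile(r"^/[a-z]{3}[0-9]{10,12}/ldcigar\.php$"),
    "load0515": re.compile(r"^/[0-9a-z]{6,10}/load0515p6jse9\.php$"),
    "gate":     re.compile(r"^/[a-z]{3}[0-9]{10,12}/gate\.php$"),
    "lofla1":   re.compile(r"^/[0-9a-z]+/lofla1\.php$"),
    "gload":    re.compile(r"^/[0-9a-z]+/gload\.php$"),
}


def classify_url(url):
    """Return the name of the landing-page pattern the URL path matches, or None.
    Defanged hosts such as 82[.]146[.]33[.]216 are refanged so pasted IoCs parse."""
    path = urlparse(url.replace("[.]", ".")).path
    for name, pattern in LANDING_PATTERNS.items():
        if pattern.match(path):
            return name
    return None


# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2014-11-05T10:22:13Z 10.0.0.12 GET http://delivery.first-impression.com/delivery?action=serve&ssp_id=26 200",
    "2014-11-05T10:22:14Z 10.0.0.12 GET http://fancygood.eu/yag6655129203/gate.php 200",
    "2014-11-05T10:22:15Z 10.0.0.12 GET http://fancys.eu/yag6655129203/loxotrap.php 200",
    "2014-11-05T11:01:02Z 10.0.0.44 GET http://adservertrck.com/vinaudit/load0515p6jse9.php 200",
    "2014-11-05T11:30:40Z 10.0.0.51 GET http://www.example.com/news/index.html 200",
    "2014-11-06T09:12:00Z 10.0.0.9 GET http://example-random.eu/maxek/lofla1.php 200",
]


def scan_proxy_log(lines):
    """Return (timestamp, client, url, pattern) for every line whose URL matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the whole scan
        timestamp, client, _method, url = fields[:4]
        name = classify_url(url)
        if name is not None:
            hits.append((timestamp, client, url, name))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("%s %s -> %s [%s]" % hit)
```

Note that the ad-network hop itself (first-impression.com) is not matched: the patterns describe the exploit kit's landing pages, and a hit on one of them from a client that just loaded an ad is exactly the malvertising sequence the post describes, so the client, not only the URL, is what to follow up on.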

The Combination of Ad-enabled Free Applications: Risks and Implications

The connection of DOFOIL and ransomware to ads is a crucial factor in their distribution method. To generate revenue, most free-to-use applications nowadays offer two versions: an ad-enabled version and an ad-free version that users can pay for in order to get rid of the ads. The concept is:

  • The user is free to use the application as long as the user can ignore the ads that intermittently display on the interface of the application.
  • However, in the event that the user is annoyed by the ads, the user can opt to purchase a “pro” version which hides such ads.

This explicitly applies to non-mobile ad-enabled applications; however, the same technique may also be used for Android devices, though a malicious APK would be needed at the end.

In comparison, with web-browser related ads you can close the pop-up window that usually displays the ads and continue with normal browsing. Ads in free-to-use applications, however, are active as long as the application is running.

Combining ad-enabled free-to-use applications with this attack has very concerning implications, from regular users to enterprises. As a real-world example, take one very popular application, uTorrent.exe, which eventually points to ransomware, as seen in this infection chain.

Figure 5. uTorrent loads Ransomware

The Evolving Nature of the Threat

Threats that arrive via malvertisements are currently ongoing, as seen in another ad-enabled application named Camfrog, which points to DOFOIL.


Figure 6. Camfrog loading DOFOIL

However, we observed that the landing URL has now changed compared to the initial blog entry. It points to the following URLs:

  • http://{malicious domain}/xs3884y132186/lofla1.php
  • http://{malicious domain}/sv62a76d18537/lofla1.php
  • http://{malicious domain}/maxek/lofla1.php

It also started off with an initial loader from the URL http://82[.]146[.]33[.]242/boanewsp/gload.php. It should also be noted that the IP address 82[.]146[.]33[.]242 resolves to MMM5.FVDS.RU. This FQDN also has a DNS record pointing to 82[.]146[.]33[.]216, as seen in the earlier wave of this threat. Furthermore, the random domains have just been registered and created within the last two to three weeks. Trend Micro already blocks these URLs and has seen them to be very popular near the end of October and the first week of November:


Figure 7. Increasing number of blocked URLs that are relevant to this threat

Best Practices and Recommendations

Ad-enabled free applications pose a serious threat to users and enterprises as attackers leverage them to distribute threats like ransomware and DOFOIL. This may lead to system infection and possible information and data theft. End users are recommended to be cautious with the applications that they install. Similarly, in an enterprise setting, employees should be educated on what kind of application can be installed on their desktops. If possible, create IT policies (like Acceptable Usage Policies) drafted by internal governing bodies, such as the InfoSec department.

Aside from this, end users and enterprises alike should pay attention to third-party applications like Flash and Java that are loaded by web browsers. If possible, use security software with web filtering functionality that has the capability to block malware-related and ad-related sites.

We are continuously monitoring this threat and others that use similar tactics. We protect users via the Smart Protection Network, whose web reputation technology and file reputation services block all related URLs and detect this malware.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 18 November 2014.