June 10, 2015

Large Malvertising Campaign Leads to Angler EK & Bunitu Malware

Nicholas Griffin Security Researcher

<p>Websense&reg; Security Labs&trade; researchers have been monitoring a mass scale malvertising campaign that leads to&nbsp;<a href=http://blog.websense.com/security-labs/angler-exploit-kit-%E2%80%93-oper... target="_blank">Angler Exploit Kit</a>. The attack has affected users browsing to many popular sites, including CNN Indonesia, the official website of Prague Airport, Detik, AASTOCKS, RTL Television Croatia, and the Bejewled Blitz game on Facebook. According to<a href="http://www.similarweb.com/" target="_blank"> SimilarWeb</a>, these sites have a combined total of at least 50 million visitors per month.</p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/yqngbrt.png" style="height:479px; width:966px" /></p>

<p><em>Image 1. Heatmap of geographical locations affected by this malvertizing campaign in May 2015</em></p>

<p>The following are some of the key features of this campaign:</p>

<li>&nbsp;Revive Adserver scripts are injected with code</li>


<li>&nbsp;The injected code is evasive&nbsp;and stealthy</li>


<li>&nbsp;Angler Exploit Kit infects the victim&#39;s machine with malware</li>


<li>&nbsp;The Bunitu trojan has been used</li>


<li>&nbsp;At least 50 million users per month are at risk

<p>Websense customers are protected against this threat via real-time&nbsp;analytics with ACE,&nbsp;the Websense&nbsp;<a href="http://www.websense.com/content/websense-advanced-classification-engine.... rel="nofollow" target="_blank">Advanced Classification Engine</a>, at the different&nbsp;<a href="http://www.websense.com/content/seven-stages-recon.aspx?cmpid=slbl" rel="nofollow" target="_blank">stages</a>&nbsp;of the attack detailed below:&nbsp;</p>

<li>Stage 2 (Lure) &ndash; ACE has protection against websites injected with malicious content.</li>
<li>Stage 3 (Redirect)&nbsp;&ndash;&nbsp;ACE has protection against known redirects associated with this campaign.</li>
<li>Stage 4 (Exploit Kit) &ndash; ACE has protection against the Angler Exploit Kit and exploit delivery content via real-time analytics.</li>
<li>Stage 5 (Dropper) &ndash; ACE has protection against known Bunitu samples.</li>
<li>Stage 6 (Call Home) &ndash; ACE has detection for command and control infrastructure known to be associated with Bunitu.&nbsp;</li>

<h3>What is Revive Adserver?</h3>

<p>Revive Adserver is an open source advertising technology formerly known as OpenX Source. It allows businesses to host and manage their own advertising services rather than relying on third party services, and it is common for multiple websites to use the same Revive Adserver script.</p>

<p>We have seen compromised Revive Adserver scripts used in malvertising&nbsp;<a href="http://blogs.websense.com/security-labs/dissecting-cleartripcom-website-... target="_blank">in the past</a>, and seemingly this continues to be a target of interest for cybercriminals.</p>

<p><strong>Note</strong>: To clarify, OpenX (www.openx.com) is an enterprise software company which in 2013 sold OpenX Source to Revive Adserver. Revive Adserver (www.revive-adserver.com) built a new open source project on the original OpenX Source. Neither OpenX (the company) nor Revive Adserver currently support OpenX Source software, but many instances of OpenX Source are still in use and vulnerable to this malvertising exploit.</p>

<h3>Angler Exploit Kit Strikes Again</h3>

<p>The code injected into the compromised Revive Adserver scripts in this campaign have been seen to lead to the very prevalent Angler Exploit Kit.&nbsp;The injected code is not always sent when the script is requested, making it difficult to detect with automated analysis tools. In addition, Angler Exploit Kit will only serve up the malicious exploit code once per IP in a 24 hour period or so.</p>

<p>Since April we have seen compromised Revive Adserver scripts being used by several highly popular websites, including CNN Indonesia, Detik, Prague Airport, AASTOCKS, RTL Television Croatia, and the official Bejewled Blitz game on Facebook. Some of these only seem to contain the injected code for 24 hours, whilst others have remained compromised for weeks. Recently, we saw an interesting infection chain from the popular Croatian website&nbsp;<em>Forum[.]hr</em>&nbsp;(Alexa 15 in Croatia) which has been using a compromised Revive Adserver script from third-party advertiser&nbsp;<em>ads3.monitor[.]hr</em></p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/7sm5jqt.png" style="height:670px; width:1003px" /></p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/w2mmvo9.png" style="height:427px; width:1106px" /></p>

<p><em>Image 2, 3 &amp; 4.&nbsp;</em><em>A compromised advertizing script on&nbsp;ads3.monitor[.]hr&nbsp;displays a legitimate advert whilst malicious code executes in the background</em></p>

<p>The injected code led to a redirect, and then to Angler Exploit Kit which exploited the latest Adobe Flash Player vulnerability (CVE-2015-3090). Recently the exploit kit has been distributing CryptoWall 3.0, Bedep and Necurs but we saw a different payload, a trojan known as &#39;Bunitu&#39;.</p>

<h3>Bunitu Malware Turns Your Machine into a Zombie</h3>

<p>The Bunitu malware dropped by Angler caused our infected machine to act as a proxy, in theory allowing our computer&#39;s network connection to be used for subsequent malicious activity. Cybercriminals often use this tactic in order to hide their tracks from authorities, behind legitimate users&#39; machines. The SHA1 for the sample we saw is&nbsp;<em>004e9a3ea2670a76ee90067ff29816c31908e552</em>.</p>

<p>Bunitu drops and loads a DLL within its own process which opens two random ports on the infected machine for a SOCKS5 proxy and an HTTP proxy, and in our case these were ports 8322 &amp; 56100 respectively. It contains a hard-coded call home/command-and-control IP of&nbsp;<em>85.17.142[.]21:53</em>&nbsp;which it tries to contact twice in order to report our infection and which ports it has opened on our machine:</p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/zi84cmm.png" style="height:317px; width:1141px" /></p>

<p><em>Image 5. Bunitu calling home and reporting an infection, along with which proxy ports are opened on the infected machine</em></p>

<p>The malware also has back-up infrastructure in case the hard-coded call home server is not available. It attempts to resolve&nbsp;<em>nsb.quixjoumnf[.]com</em>, resulting in an IP of&nbsp;<em>110.201.214[.]114</em>. The hexadecimal value of this IP address is represented in memory as 0x72D6C96E, and Bunitu then XORs this value against a hard-coded value of 0x16EC1A31, resulting in 0x643AD35F. This final value is the hexadecimal representation of another IP,&nbsp;<em>95.211.58[.]100</em>&nbsp;which is used as a call home by Bunitu after the initial two attempts to the hard-coded server. This routine can be seen in the following image:</p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/ftj4ufi.png" style="height:596px; width:1013px" /></p>

<p><em>Image 6. Bunitu XOR routine for resolving IP addresses</em></p>

<p>There are also two more back-up addresses that Bunitu can resolve if&nbsp;<em>nsb.quixjoumnf[.]com</em>&nbsp;does not resolve; here is a representation of how the call home infrastructure is determined:</p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/xjbgorj.png" style="height:86px; width:812px" /></p>

<p>Bunitu regularly sends heartbeats to its C&amp;C so that it can be determined which machines are currently active and infected.</p>


<p>Advertising networks continue to be a point of focus for cybercriminals, opening up avenues to infect millions of users with minimal effort. The growing nature of evasion, stealth, and variation employed in the malicious code means that it&#39;s more important now than ever to deploy a security solution capable of stopping threats at multiple points in the&nbsp;<a href="http://www.websense.com/content/seven-stages-recon.aspx?cmpid=slbl" target="_blank">7 stages kill chain</a>.</p>


<p>Indicators of compromise can be found below.</p>

<p><strong>Payloads (SHA1)</strong></p>

<p>SWF Exploit: <em>feb33f3a3ac53203697d2b04ddbefa038b199a21</em></p>

<p>Bunitu EXE:&nbsp; <em>004e9a3ea2670a76ee90067ff29816c31908e552</em></p>

<p>Bunitu DLL:&nbsp; <em>fc512fc9ad3501aecf8fab06d2c76447879520d0</em></p>









About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.