Ransomware campaign spread via ad networks and zero-day vulnerabilities

File-less campaign targeted dozens of sites by winning a bidding war for ads

[Image: server skulls header. Credit: Jen Anderson]

Researchers from Invincea have been tracking a ransomware campaign out of Russia that started with file-less infections but moved to zero-day vulnerabilities in Adobe's Flash Player once that vector proved more effective.

On New Year's Eve, researchers spotted ransomware spreading from an advertising network that managed ad groups on a number of highly trafficked websites, each with click-bait headlines that were drawing a good deal of attention. The malware, Kovter, was being delivered by an exploit kit, but that was only half the story.

They later discovered Russian criminals using a real-time ad-bidding network to deliver ransomware to victims without writing a single file to disk: the malicious code ran entirely from system memory.

Interestingly, the ransomware checks for virtual machines and other protected environments, and if it detects one it simply does not run. Otherwise, the system is encrypted within minutes and the victim is left with a ransom demand.

The ad network was targeted by the criminals around the time news of the Charlie Hebdo tragedy hit the Internet.

Visitors to the Huffington Post website and to Russia Today (RT.com) were impacted by this campaign. Other popular articles on CBSSports.com and NJ.com were also targeted by the group.

When Adobe's Flash Player was hit with not one but three different zero-day vulnerabilities, the criminals running the ransomware campaign moved from file-less delivery to the more common file-based delivery.

[Figure: ransomware scam cycle. Source: Invincea]

Invincea outlined the campaign's process in five steps. The first is the registration of a burner domain with a DNS setting of 8 hours. In the second, the domain is pointed to a landing page for the malware (exploit delivery and payload), but access is limited to approved visitors, screened by browser and software version and by whether the visitor is running in a virtual machine.

Once the back end is established, the third step is to bid on ads that will trigger a redirect from the legitimate site to the burner domain. In the fourth, after eight hours, the burner domain is abandoned, and in the fifth the process is repeated.

The entire attack (called Fessleak by Invincea) can be scripted, and the burner domains last only as long as it takes to update proxy lists or blacklists. The forward momentum shown by the criminals in this instance makes detecting and blocking such attacks increasingly difficult, if not impossible.
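From the defender's side, the cycle above still leaves a trace that does not depend on a blocklist catching up: an ad-network referer redirecting a browser to a domain that was registered hours ago and carries a short DNS lifetime. The Python below is an added illustration, not code from the article or from Invincea, of flagging that pattern in proxy logs joined against passive-DNS data. Every log line, every domain name (all under `.test`) and the 24-hour domain-age and 8-hour TTL thresholds are constructed assumptions for the example; a real deployment would take the DNS observations from a passive-DNS feed or resolver logs and tune the thresholds to its own traffic.

```python
"""Added example (not from the article or Invincea): flag ad-driven redirects
to very young, short-TTL domains in proxy logs, the trace a burner-domain
cycle like the one described above would leave behind. All log lines,
domains and thresholds are constructed."""
from datetime import datetime, timedelta

# Constructed passive-DNS style records: when each domain was first seen
# and the TTL its authoritative answer carried.
DNS_OBSERVATIONS = {
    "news-example.test":  {"first_seen": "2015-01-07T09:00:00", "ttl": 86400},
    "ads-exchange.test":  {"first_seen": "2014-06-01T00:00:00", "ttl": 3600},
    "cdn-static.test":    {"first_seen": "2013-03-12T00:00:00", "ttl": 43200},
    "burner-0a1b2c.test": {"first_seen": "2015-01-07T11:05:00", "ttl": 28800},
}

# Constructed: referers that belong to real-time ad-bidding infrastructure.
AD_NETWORK_DOMAINS = {"ads-exchange.test"}

# Constructed proxy log, one request per line:
# "<iso timestamp> <client ip> <referer host> <destination host> <http status>"
PROXY_LOG = """\
2015-01-07T11:10:02 10.0.0.5 news-example.test ads-exchange.test 200
2015-01-07T11:10:03 10.0.0.5 ads-exchange.test burner-0a1b2c.test 302
2015-01-07T11:10:03 10.0.0.5 burner-0a1b2c.test burner-0a1b2c.test 200
2015-01-07T11:10:07 10.0.0.9 news-example.test cdn-static.test 200
2015-01-07T11:12:41 10.0.0.9 ads-exchange.test cdn-static.test 200
"""

# Assumed thresholds: a domain torn down after eight hours is at most a few
# hours old when contacted and carries a short TTL.
MAX_DOMAIN_AGE = timedelta(hours=24)
MAX_TTL_SECONDS = 8 * 3600


def parse_proxy_log(text):
    """Parse the constructed proxy format into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, referer, dest, status = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "referer": referer,
            "dest": dest,
            "status": status,
        })
    return events


def domain_age(domain, at_time, dns=DNS_OBSERVATIONS):
    """Age of a domain at the moment it was contacted; None if never seen."""
    rec = dns.get(domain)
    if rec is None:
        return None
    return at_time - datetime.fromisoformat(rec["first_seen"])


def is_suspicious_redirect(event, dns=DNS_OBSERVATIONS):
    """True when an ad-network referer sends a client to a young, short-TTL domain."""
    if event["referer"] not in AD_NETWORK_DOMAINS:
        return False
    if event["dest"] in AD_NETWORK_DOMAINS:
        return False  # ad network talking to itself is normal
    age = domain_age(event["dest"], event["time"], dns)
    if age is None:
        return True  # never-seen destination off an ad referer is worth a look
    return age <= MAX_DOMAIN_AGE and dns[event["dest"]]["ttl"] <= MAX_TTL_SECONDS


def find_burner_redirects(log_text=PROXY_LOG, dns=DNS_OBSERVATIONS):
    """Return (client, destination) pairs for every flagged redirect."""
    return [
        (e["client"], e["dest"])
        for e in parse_proxy_log(log_text)
        if is_suspicious_redirect(e, dns)
    ]


if __name__ == "__main__":
    for client, dest in find_burner_redirects():
        print(f"ALERT {client} -> {dest}: ad-driven redirect to young short-TTL domain")
```

Run against the constructed log, only the hop from the ad exchange to `burner-0a1b2c.test` is flagged; the older CDN destination reached through the same ad referer is not. Because the landing page screens out virtual machines, sandbox detonation alone can miss this traffic, which is why a log-side heuristic of this kind is a useful complement.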

"It is important to note that the sites from which the malvertising was delivered are by and large unaware that their sites were used for delivering malware, and largely unable to do anything about it," Invincea said in a post on the topic.

Earlier this morning, Salted Hash reported on one expert's opinion that ransomware wasn't a major threat. Instead, he viewed it more as an annoyance.

"Ransomware is just one vector of attack targeting our accounts and user communities, and quite honestly somewhat low on the threat list. While it's annoying to have a single machine's data lost, it only hints at the actions malicious actors can take once they're on our system, and only touches on one vector, email," said David Swift, chief architect for threat intelligence and behavioral analytics firm Securonix, in a statement to Salted Hash.

"The number of client-side attacks on browsers, anti-virus, Adobe, Java, and the common well-known client applications is endless and relentless, and the fact that once the host is compromised, the data can be harvested and used in any number of nefarious ways is even more alarming."

Invincea's research proves otherwise.

The following list shows just some of the domains that have been used to spread ransomware since December 2014:

Liucianne.com
HuffingtonPost.com
Photobucket.com
DNSrsearch.com
RT.com
Answers.com
CBSSports.com
HowtoGeek.com
Fark.com
Inquisitr.com
Viewmixed.com
Thesaurus.com
Dictionary.reference.com
TecheBlog.com
Cleveland.com
NJ.com
JPost.com
Earthlink.net
MotherJones.com
PJMedia.com
News.com.au
Realtor.com
Cinemablend.com
PopularMechanics.com
Mapquest.com
TheBlaze.com

Update:

Dailymotion, which Invincea lists as an example in its ransomware report, has issued a statement.

While the entertainment portal wasn't referenced in any of the attack statistics seen by Salted Hash (which is why it is not listed above), it was named in the report itself, so its comments are added for the record.

"Dailymotion wishes to reiterate that none of its users have been affected by a recent Flash vulnerability in its advertising platforms. Dailymotion monitors the quality of ads delivered on its website through the robust technology of its advertising partners, as well as through partnerships with specialized third-party services. These partners control the overall quality of ads and in particular, the possible presence of malicious software by screening each advertising campaign and creatives that run on all of Dailymotion's platforms."

When asked to explain why it listed Dailymotion, Invincea noted that Trend Micro reported the site as being part of the ransomware campaign earlier this week. This is why the name appeared in the previously referenced blog post.
