At the Fox-IT SOC we see malvertising incidents on a daily basis, as blogged on before. Sadly malvertising has become a usual occurence, but the events we’ve been observing since Thursday the 11th of June stood out. An active malvertising campaign propagating via 2 major advertisement networks is targeting visitors only coming from the Netherlands, using the Angler Exploit Kit.
Currently the popular Dutch news website Telegraaf[.]nl is, indirectly, causing the most victims.
Details
Since Friday we’ve seen the following two advertisement providers serving traffic from a specific third party:
- AppNexus
- Rubicon
The specific advertisements from these two networks were loaded for (at least) the following websites:
- telegraaf.nl
- theguardian.co.uk
- huffingtonpost.com
- lemonde.fr
The third party responsible for the malicious redirects to the Angler Exploit Kit is known as otsmarketing[.]com and is located at 107[.]181[.]187[.]81. When this page is loaded a short-link of Google’s service goo.gl is used for redirection. Due to the fact that this short-link service operates under HTTPS it will lose the referrer chain from the advertiser towards the exploit kit.
Because the otsmarketing[.]com domain is currently the chain connecting the advertisers with the exploit kit, we advice blocking the IP address at this time. Keep in mind however that these criminals will surely change this tactic as soon as its noticed. We have tried to contact the people behind otsmarketing[.]com but were not successful in doing so. We’re also doubting the legitimacy of this company as we didn’t see it being loaded via advertisements until Thursday last week, the first day we’ve seen this malvertising campaign in action.
Update 16-06-2015: After coordinating with the advertisers the malicious host was blocked and removed from their advertisement platforms.
Indicators of Compromise
The following IP and domain should be blocked in order to avoid the current campaign:
- otsmarketing[.]com / 107[.]181[.]187[.]81
The Angler Exploit kit typically installs the Bedep Trojan, which installs additional malware. Bedep can typically be found by looking at consecutive POST requests to the following two websites:
- earthtools.org/timezone/0/0
- ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml
We have yet to identify the final payload.
Yonathan Klijnsma & Maarten van Dantzig, Threat Intelligence Analysts at Fox-IT