# The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK

Most online ads are displayed as a result of a chain of trust, from the publishers to the malicious advertiser via ad agencies and/or ad networks.

For "traffers" (that is, actors bringing traffic to a malicious destination; for example, exploit kits) that rely on malvertising, one of the goals is to gain access to a high-profile ad network such as DoubleClick, Bing Ads, AdTech or AppNexus. A reputable, high-profile ad network provides traffers with access to higher-quality traffic, and the more reputable an ad network appears, the easier it is for traffers to reach this target traffic.

## Uncovering domain shadowing

In early November, one of those high-profile ad agencies appeared in Proofpoint sensors as "referrer" to Angler exploit kit. Further investigation by Proofpoint researchers determined that the creative in question (ad banners) was pointing to content from https://ads.mikeholt[.]com and landing at www.mikeholt[.]com.

_Figure 1: Creative served by the abused ad agency_

_Figure 2: A fake online ad for an authentic website, displayed using a shadowed domain of that website_

A disparity between the SSL certificates used by the two servers is the first hint that something is suspicious about this ad.

_Figure 3: Shadowed domain SSL certificate vs. legitimate site owner's domain SSL certificate_

Comparison of the SSL certificates for the two domains is a clue that this could be a case of "domain shadowing" [3].

Domain shadowing is a technique for generating malicious subdomains from a legitimate domain, typically using stolen registration credentials for the domain owner. With the stolen credentials, the threat actor can create a large number of fraudulent subdomains (for example, ads.mikeholt[.]com) below the legitimate domain mikeholt[.]com. (The domain owners for these examples were contacted
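The certificate and hosting disparity that the post uses as its first clue can be turned into a simple triage heuristic. The following is an added example written for this page, not Proofpoint's code or tooling: it compares each subdomain seen in passive DNS with the record of its apex domain on four points (IP netblock, certificate issuer, certificate age, and how recently the name first appeared). The shadowed hostnames and their IPs are the ones from the post's IOC table; the apex records, the `www` record, the issuer names and all timestamps are constructed placeholders.

```python
"""Triage heuristic for suspected domain shadowing.

Added example for this page, not Proofpoint's code. Each subdomain is compared
with the observation for its apex domain: shadowed names usually live on
infrastructure the legitimate owner never used, carry a freshly issued
certificate from a different issuer, and are new in passive DNS.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass
class HostObservation:
    """A hostname as seen in passive DNS plus the TLS certificate it served."""
    host: str                  # defanged form ("ads.mikeholt[.]com") is accepted
    ip: str
    cert_issuer: str           # issuer CN of the presented certificate
    cert_not_before: datetime  # certificate validity start
    first_seen: datetime       # first appearance of the name in passive DNS


def refang(name):
    return name.replace("[.]", ".").lower()


def apex_of(host):
    # Last two labels only: adequate for the .com/.net names in the post.
    # A production version should consult the Public Suffix List instead.
    return ".".join(refang(host).split(".")[-2:])


def same_netblock(ip_a, ip_b, prefix=24):
    block = lambda ip: ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
    return block(ip_a) == block(ip_b)


def shadowing_indicators(sub, apex, now, recent=timedelta(days=30)):
    """Disparities between a subdomain and its apex that point to shadowing."""
    reasons = []
    if not same_netblock(sub.ip, apex.ip):
        reasons.append("hosted outside the apex /24")
    if sub.cert_issuer != apex.cert_issuer:
        reasons.append("certificate issuer differs from apex")
    if now - sub.cert_not_before < recent:
        reasons.append("certificate issued within the recent window")
    if now - sub.first_seen < recent:
        reasons.append("name first seen in passive DNS within the recent window")
    return reasons


def assess(observations, now, threshold=2):
    """Map each subdomain to (suspected, reasons); apexes without data are skipped."""
    by_host = {refang(o.host): o for o in observations}
    verdicts = {}
    for host, obs in by_host.items():
        apex = apex_of(host)
        if host == apex or apex not in by_host:
            continue
        reasons = shadowing_indicators(obs, by_host[apex], now)
        verdicts[host] = (len(reasons) >= threshold, reasons)
    return verdicts


NOW = datetime(2015, 11, 23)

OBSERVATIONS = [
    # Apex records: IPs (RFC 5737 documentation ranges), issuers and dates are constructed.
    HostObservation("mikeholt[.]com", "203.0.113.10", "Example Owner CA",
                    datetime(2015, 1, 10), datetime(2010, 3, 1)),
    HostObservation("mtcharlestonlodge[.]com", "198.51.100.20", "Example Owner CA",
                    datetime(2014, 6, 1), datetime(2008, 5, 1)),
    # A legitimate subdomain sharing the apex infrastructure (constructed).
    HostObservation("www.mikeholt[.]com", "203.0.113.10", "Example Owner CA",
                    datetime(2015, 1, 10), datetime(2010, 3, 1)),
    # Shadowed names and IPs as listed in the post's IOC table; the
    # certificate and date fields are constructed.
    HostObservation("ads.mikeholt[.]com", "209.126.110.7", "Example Free CA",
                    datetime(2015, 11, 1), datetime(2015, 11, 2)),
    HostObservation("adv.mtcharlestonlodge[.]com", "209.126.118.13", "Example Free CA",
                    datetime(2015, 11, 3), datetime(2015, 11, 4)),
]

if __name__ == "__main__":
    for host, (suspected, reasons) in assess(OBSERVATIONS, NOW).items():
        print(host, "SUSPECTED" if suspected else "ok", "; ".join(reasons))
```

The threshold of two indicators keeps a single coincidence (a CDN-hosted subdomain, or a certificate renewed last week) from raising an alert on its own; a subdomain that trips all four, as the shadowed names do here, is worth pulling the registrar account history for.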
and redirection actions that pull in their preferred exploit kit.

## Multiple parallel campaigns

Further investigation identified other campaigns employing other compromised domains and abused ad agencies. For example:

- adv.mtcharlestonlodge[.]com

_Figure 4: Example of ad with stolen creative linking to malicious domain_

- media.healthy-homemakers[.]com
- promo.loopnetworksllc[.]com

## An exploit kit out of nowhere

Researchers who have the opportunity to replay this attack in a controlled environment will not be able to see much without SSL man-in-the-middle capabilities (Fig. 6); instead, the attack will appear to be Angler EK materializing "out of thin air".

_Figure 6: Traffic captured on 2015-11-21 without MITM capabilities_

## A look in the SSL tunnel

One of the reasons that malvertising is appealing to threat actors is that the ad agency or network itself performs a significant portion of the targeting, including geo, browser and other options. However, the

_Figure 7: Harmless code served by the server if the client does not match the filtering options or if the campaign is on hold_

When a targeted client visits a site served by the infected content delivery network (CDN), the attack follows these steps:

1. Send a POST to filter proxied traffic.
2. A global JavaScript reads the results of the filtering.
3. If the reply is as expected, decode a bogus GIF (Fig. 8).
4. Check the system using two information disclosure bugs in Microsoft Internet Explorer to avoid researchers, sandboxes and some security products.
5. Abuse an HTTPS open redirect by DoubleClick [2].
6. Land the browser on Angler EK without a referrer.

_Figure 8: Malicious code sent by the fake ad server, including fake GIF image file_

Decoding the fake GIF produces a JavaScript function (Fig. 9).

_Figure 9: Encoded JavaScript function inside a "GIF"_

## Client filtering

The decoded JavaScript function leverages two information disclosure bugs in Internet Explorer in order to filter potential victims (Fig. 10).

_Figure 10: Decoded fake GIF showing redirect and additional filtering_

In order, these checks are:

1. A variation of a technique used by Magnitude and Angler EKs, used to filter clients by the presence of certain security products.
2. A MimeType check in order to filter certain shellex associations, including .py, .pcap and .saz (Fig. 10).

Both of these bugs were reported to Microsoft in May.

All replay attempts of this threat revealed fileless Angler EK [4] [5] threads loading Bedep in memory. The Bedep in action is "buildId" 1926. Over the course of November, Proofpoint researchers have observed this Bedep version loading a variety of malware payloads including fileless Ursnif [4], Ramnit, Blowcrypt, some Vawtrak campaigns (13 and 60) [7], and most recently Reactor Bot.

## Conclusion

however, threat actors are also evolving their techniques, using more sophisticated attack chains that make it more difficult for even diligent ad agencies and ad network operators to detect malvertising in their ad streams. These adaptations will enable malvertising to remain an effective malware distribution method for months to come.

## References

- [1] https://en.wikipedia.org/wiki/Online_advertising
- [2] http://malware.dontneedcoffee.com/2015/10/a-doubleclick-https-open-redirect-used.html
- [3] http://blogs.cisco.com/security/talos/angler-domain-shadowing
- [4] http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
- [5] https://hiddencodes.wordpress.com/2014/10/01/digging-deep-into-angler-fileless-exploit-delivery-2/
- [6] http://malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html
- [7] https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows
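Step 3 of the chain described under "A look in the SSL tunnel" depends on a response that is declared as a GIF but actually carries encoded JavaScript, something only a TLS-inspecting proxy or an instrumented browser can see. As an added example (not from the post or from Proofpoint), the function below checks an image response the way such a proxy could: the declared content type against the file's magic bytes, and an image body that is almost entirely printable text or contains script keywords. The post does not show how the bogus GIF is encoded, so base64 is used here only as an assumed stand-in; the keyword list and all three sample responses are constructed.

```python
"""Detect 'image' responses that are really text or script.

Added example for this page, not Proofpoint's code. Intended to run on
decrypted HTTP responses inside a TLS-inspecting proxy.
"""
import base64
import binascii
import re
import string

# Leading bytes that a response declaring each image type must start with.
IMAGE_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Keywords that have no business inside a genuine image body (constructed list).
JS_TOKENS = re.compile(rb"\b(?:function|var|document|window|eval|unescape|location)\b")
BASE64_ALPHABET = re.compile(rb"[A-Za-z0-9+/=\s]+")
PRINTABLE = set(string.printable.encode())


def looks_textual(body, threshold=0.95):
    """True when nearly every byte is printable ASCII, which a real image is not."""
    if not body:
        return False
    printable = sum(1 for b in body if b in PRINTABLE)
    return printable / len(body) >= threshold


def try_base64(body):
    """Decode the body as base64 if it consists only of base64 characters, else None."""
    stripped = body.strip()
    if len(stripped) < 16 or not BASE64_ALPHABET.fullmatch(stripped):
        return None
    try:
        return base64.b64decode(stripped)
    except (ValueError, binascii.Error):
        return None


def inspect_image_response(content_type, body):
    """Return the list of findings for a response that claims to be an image."""
    findings = []
    ctype = content_type.split(";")[0].strip().lower()
    magics = IMAGE_MAGIC.get(ctype)
    if magics is None:
        return findings  # not claiming to be an image: out of scope here
    if not body.startswith(magics):
        findings.append("no %s magic bytes" % ctype)
    if looks_textual(body):
        findings.append("body is printable text")
        if JS_TOKENS.search(body):
            findings.append("body contains JavaScript keywords")
        decoded = try_base64(body)
        if decoded is not None and JS_TOKENS.search(decoded):
            findings.append("base64-decoded body contains JavaScript keywords")
    return findings


# Constructed sample responses, not captures from the campaign.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            b"\x02\x02D\x01\x00;")
FAKE_GIF_SCRIPT = b"function r(){window.location='https://example.invalid/landing';}"
FAKE_GIF_B64 = base64.b64encode(FAKE_GIF_SCRIPT)   # assumed encoding, see lead-in
FAKE_GIF_PLAIN = b"var p = document.createElement('iframe');"


def demo():
    return {
        "real": inspect_image_response("image/gif", REAL_GIF),
        "fake_b64": inspect_image_response("image/gif; charset=binary", FAKE_GIF_B64),
        "fake_plain": inspect_image_response("image/gif", FAKE_GIF_PLAIN),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

The magic-byte check alone catches most of these fakes, but the printable-text test is what keeps the rule cheap to run on every image response: a real GIF or PNG fails it within the first few dozen bytes, so the base64 and keyword passes only ever run on bodies that are already suspicious.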
## Indicators of Compromise (IOCs)

| Host | IP address | Role |
|---|---|---|
| ads.mikeholt[.]com | 209.126.110.7 | Shadowed domain |
| adv.mtcharlestonlodge[.]com | 209.126.118.13 | Shadowed domain |
| media.healthy-homemakers[.]com | 209.126.118.11 | Shadowed domain |
| promo.loopnetworksllc[.]com | 209.126.118.18 | Shadowed domain |
| delivery.dpis[.]com | 209.126.118.18 | Shadowed domain |
| promo.socialmagnetmarketing[.]com | 209.126.118.14 | Shadowed domain |
| ninthclub[.]com | 81.177.22.179 | Vawtrak C&C |
| atlasbeta[.]com | 176.9.188.147 | Vawtrak C&C |
| alutqlyzoxglge7s[.]com | 95.211.205.229 | Bedep domain |
| browneyandrebun[.]net | 107.170.83.113 | Ursnif C&C |
| zwietrzyla1morinaga.efloridacoupons[.]com | 8.26.21.113 | Angler EK |
| cloud75[.].eu | 51.255.59.117 | Reactor Bot C&C |

| Payload | MD5 | Date |
|---|---|---|
| POS Reco "Fileless" Ursnif | c1bc86552e558cc37ee7df3a16ef8ac7 | 2015-11-22 |
| Ramnit | 2839b5e418adc25b0d3a2b9bd04efb99 | 2015-11-21 |
| Blocrypt | d37994ac8bb0df034d942c10ae471094 | 2015-11-07 |
| Vawtrak 13 | 2408e9df8cb82e575002176a4dcd69a5 | 2015-11-15 |
| Vawtrak 60 | d3670b3a2bba2ff92f2e7cbfc63be941 | 2015-11-21 |
| Reactor Bot | b37717d09b61cbfe5c023e8d5fd968ed | 2015-11-23 |

_ET signatures:_

- 2019678 || ET TROJAN Ursnif Checkin
- 2019400 || ET TROJAN Possible Bedep Connectivity Check
- 2021418 || ET TROJAN Bedep HTTP POST CnC Beacon
- 2022141 || ET CURRENT_EVENTS Angler encrypted payload Nov 23
- 2811284 || ETPRO CURRENT_EVENTS Angler or Nuclear EK Flash Exploit M2
- 2814948 || ETPRO CURRENT_EVENTS Possible EK Redir SSL Cert
- 2815003 || ETPRO CURRENT_EVENTS Angler EK Landing Nov 18 2015
- 2815071 || ETPRO CURRENT_EVENTS Possible Angler EK Payload Nov 23 2015
- 2814630 || ETPRO CURRENT_EVENTS Possible Angler EK IE DHE Post M2
- 2807957 || ETPRO TROJAN Win32/TrojanDownloader.Blocrypt Checkin
- 2814112 || ETPRO TROJAN Vawtrak HTTP CnC Beacon
- 2813060 || ETPRO TROJAN Vawtrak Retrieving Module

_Tuesday, December 15, 2015 - 11:15_

_Malvertising, Angler EK, Domain shadowing_

_Proofpoint Staff_
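To use an IOC table like the one above in detection, the defanged `[.]` notation has to be normalised, hashes and network indicators need to be told apart, and deeper subdomains of a listed host should match as well (the shadowed names are themselves subdomains, and a traffer can mint more below them). The following added example, not Proofpoint's code, parses a subset of the table as published, builds domain, IP and MD5 indicators from it, and runs them over a few constructed proxy and AV log lines; the log format and every line in it are made up for the demonstration.

```python
"""Match defanged IOCs from the post against log lines.

Added example for this page, not Proofpoint's code. The IOC rows are copied
from the post's table; the log lines are constructed.
"""
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "kind value label")

# Subset of the post's IOC table, copied as published (defanged with "[.]").
IOC_TABLE = """
|ads.mikeholt[.]com|209.126.110.7|Shadowed domain|
|adv.mtcharlestonlodge[.]com|209.126.118.13|Shadowed domain|
|POS Reco “Fileless” Ursnif|c1bc86552e558cc37ee7df3a16ef8ac7|2015-11-22|
|Reactor Bot|b37717d09b61cbfe5c023e8d5fd968ed|2015-11-23|
|ninthclub[.]com|81.177.22.179|Vawtrak C&C|
|alutqlyzoxglge7s[.]com|95.211.205.229|Bedep Domain|
|browneyandrebun[.]net|107.170.83.113|Ursnif C&C|
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MD5 = re.compile(r"^[0-9a-f]{32}$")
HOST_TOKEN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_TOKEN = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HASH_TOKEN = re.compile(r"\b([0-9a-fA-F]{32})\b")


def refang(value):
    """Turn the publication-safe 'example[.]com' form back into a real name."""
    return value.replace("[.]", ".").lower()


def parse_iocs(table_text):
    """Build indicators from three-column rows: host|ip|role or family|md5|date."""
    indicators = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 3:
            continue
        first, second, third = cells
        if IPV4.match(second):
            indicators.append(Indicator("domain", refang(first), third))
            indicators.append(Indicator("ip", second, third))
        elif MD5.match(second.lower()):
            indicators.append(Indicator("md5", second.lower(), first))
    return indicators


def matches_domain(host, ioc_domain):
    # Exact host or any label below it, so cdn.ninthclub.com hits ninthclub.com.
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_log(lines, indicators):
    """Return (line_number, kind, indicator, label) for every IOC seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        hosts = {h.lower() for h in HOST_TOKEN.findall(line)}
        ips = set(IP_TOKEN.findall(line))
        hashes = {h.lower() for h in HASH_TOKEN.findall(line)}
        for ioc in indicators:
            if ((ioc.kind == "domain" and any(matches_domain(h, ioc.value) for h in hosts))
                    or (ioc.kind == "ip" and ioc.value in ips)
                    or (ioc.kind == "md5" and ioc.value in hashes)):
                hits.append((n, ioc.kind, ioc.value, ioc.label))
    return hits


# Constructed proxy and AV log lines (not real captures).
SAMPLE_LOG = [
    "2015-11-21 10:02:13 10.0.0.5 CONNECT ads.mikeholt.com:443 200",
    "2015-11-21 10:02:15 10.0.0.5 GET https://www.mikeholt.com/ 200",
    "2015-11-21 10:02:19 10.0.0.5 POST http://95.211.205.229/ 200",
    "2015-11-21 10:03:02 10.0.0.7 GET http://cdn.ninthclub.com/u 200",
    "2015-11-22 08:11:40 av-scan host=ws17 file=invoice.exe md5=c1bc86552e558cc37ee7df3a16ef8ac7 verdict=unknown",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_iocs(IOC_TABLE)):
        print("line %d: %s %s (%s)" % hit)
```

Note that the legitimate landing page www.mikeholt.com on line 2 produces no hit: only the shadowed subdomain is an indicator, and blocking the apex would punish the victim whose credentials were stolen rather than the traffer.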