The list of the websites infected in this campaign:
The summary of the events:
1. Huffingtonpost.com was hosting an ad from an AOL ad network (adtech.de).
2. The ad redirected through multiple hops, including an SSL redirect.
3. The landing page served an exploit kit – likely Sweet Orange.
4. The exploit kit downloaded a Kovter Trojan executable.
This Kovter variant is only slightly different from the one we detailed in our January 16 blog post. The differences are:
The Kovter binary MD5: 624a3017d321e39a871b51f596ef5c2c
RC4 Key: “8047e6e4f3aef994e0f84d46000col
We observed 2 exploits in this Sweet Orange kit:
- CVE-2013-2551 – Use-after-free vulnerability in Microsoft Internet Explorer
- CVE-2014-6332 – Windows OLE Automation Array vulnerability in Internet Explorer
Again, the attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. This time the HTTPS redirector was hosted on Microsoft Azure.
The whole infection chain for huffingtonpost.com was:
| 5 | http | multiple .PL redirects |
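The chain described above (publisher page, ad network, HTTPS redirector, several HTTP hops, exploit-kit landing page, executable drop) is exactly the kind of sequence a web proxy log records per client. The following is an added example, not code from the original post: it rebuilds each client's request sequence from constructed proxy log lines, counts redirect hops and HTTP/HTTPS scheme switches, and flags a chain that ends in an executable download. Log format, hostnames and thresholds are assumptions for the demo.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the original post).
# Fields: timestamp, client IP, method, URL, HTTP status, response Content-Type ("-" if none).
SAMPLE_LOG = """\
2015-02-03T10:00:01Z 10.0.0.5 GET http://www.publisher.example.test/ 200 text/html
2015-02-03T10:00:02Z 10.0.0.5 GET http://ads.adnet.example.test/serve?id=1 302 -
2015-02-03T10:00:02Z 10.0.0.5 GET https://redirector.cloud.example.test/r 302 -
2015-02-03T10:00:03Z 10.0.0.5 GET http://hop1.example-pl.test/go 302 -
2015-02-03T10:00:03Z 10.0.0.5 GET http://hop2.example-pl.test/go 302 -
2015-02-03T10:00:04Z 10.0.0.5 GET http://landing.ek.example.test/index.php 200 text/html
2015-02-03T10:00:06Z 10.0.0.5 GET http://landing.ek.example.test/load.php 200 application/x-msdownload
2015-02-03T10:00:07Z 10.0.0.9 GET http://www.publisher.example.test/ 200 text/html
2015-02-03T10:00:08Z 10.0.0.9 GET https://static.publisher.example.test/app.js 200 application/javascript
"""

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}

def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into one record per request."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype = line.split()
        records.append({"ts": ts, "client": client, "method": method,
                        "url": url, "status": int(status), "ctype": ctype})
    return records

def analyze_chains(text: str, min_redirects: int = 3) -> dict[str, dict]:
    """Per client: hosts visited, redirect count, scheme switches, executable drop, verdict."""
    by_client: dict[str, list[dict]] = defaultdict(list)
    for rec in parse_log(text):
        by_client[rec["client"]].append(rec)   # log is already time-ordered

    results = {}
    for client, hops in by_client.items():
        parts = [urlsplit(h["url"]) for h in hops]
        schemes = [p.scheme for p in parts]
        # Each http<->https transition between consecutive hops is one switch;
        # mixed-scheme chains hide hops from referer-based and plaintext-only monitoring.
        switches = sum(1 for a, b in zip(schemes, schemes[1:]) if a != b)
        redirects = sum(1 for h in hops if 300 <= h["status"] < 400)
        exe_drop = any(h["ctype"] in EXECUTABLE_TYPES or p.path.lower().endswith(".exe")
                       for h, p in zip(hops, parts))
        results[client] = {
            "hosts": [p.hostname for p in parts],
            "redirect_hops": redirects,
            "scheme_switches": switches,
            "exe_download": exe_drop,
            # Verdict: a long redirect chain that changes scheme and ends in a binary.
            "suspicious": redirects >= min_redirects and switches >= 1 and exe_drop,
        }
    return results

if __name__ == "__main__":
    for client, summary in analyze_chains(SAMPLE_LOG).items():
        print(client, summary)
```

The thresholds are deliberately simple; in a real deployment the verdict would be one signal alongside the ad-network and redirector domains seen in the campaign, and the host list gives the analyst the chain to pivot on.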
The adtech.de advertising platform is owned by AOL; we have notified AOL's abuse and security teams.
Apart from AOL's adtech.de, we have also seen two other advertising networks involved in this campaign:
- adxpansion.com, which we covered in May 2014 – Porn to P0wn you through Adxpansion Ad network.
This malvertising campaign is still active with the latter two advertising networks. We have not seen adtech.de infections since February 2.
Cyphort Labs is monitoring this malvertising campaign and will share more results as soon as they become available. Special thanks to McEnroe Navaraj, Alex Burt and the Cyphort Labs team for their help in the discovery and analysis.