The list of the websites infected in this campaign:

  • www.huffingtonpost.com 
  • www.laweekly.com
  • www.indiedb.com 
  • www.dramago.com 
  • www.animetoon.tv 
  • www.spoilertv.com 
  • www.sbcodez.com

The summary of the events:

1.  Huffingtonpost.com was hosting an ad from an AOL ad-network [adtech.de]
2. The ad redirected through multiple hops, including an SSL redirect.
3. The landing page served an exploit kit – likely Sweet Orange.
4. The exploit kit downloaded a Kovter Trojan executable.

This Kovter variant is only slightly different from the one we detailed in the January 16’s blog.  The differences are:

The Kovter binary MD5: 624a3017d321e39a871b51f596ef5c2c

CNC Servers:

  • b12-luxe.ru/12/download.php
  • 195.238.181.17/12/index.php
  • http://91.212.124.167/12/main.php

RC4 Key: “8047e6e4f3aef994e0f84d46000col12″

We observed 2 exploits in this Sweet Orange kit :

  • CVE-2013-2551 – Use-after-free vulnerability in Microsoft Internet Explorer
  • CVE-2014-6332 – Windows OLE Automation Array vulnerability in Internet Explorer

Again attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack.  This time the HTTPS redirector was hosted on Microsoft Azure.

azure1

 

The whole infection chain for huffingtonpost.com was:

1   http www.huffingtonpost.com
2   http adserver.adtech.de
3   https checkmyip.azurewebsites.net 
4   http goodwebbynetwork.com
5   http multiple .PL redirects

 

Adtech.de advertising platform is owned by AOL, we have notified AOL abuse and security team.

Apart from AOL’s adtech.de we have also seen two other advertising networks involved in this campaign:

This malvertising campaign is still active with the latter two advertising networks. We have not seen adtech.de infections since February 2.  

 Cyphort Labs is monitoring this malvertising campaign and will share more results as soon as they become available. Special thanks to McEnroe Navaraj, Alex Burt and the Cyphort Labs team for their help in the discovery and analysis.