On Dec 31, 2014 Cyphort Labs detected an infection at the Canadian website of HuffingtonPost – www.huffingtonpost.ca.  On January 3, 2015 we have also confirmed HuffingtonPost.com is similarly infected. Huffington Post is a news aggregator and blog site with more than 51 million monthly visitors. Cyphort Labs has reported uptick in drive-by-infection through malvertising in 2014 and sounded alarms for the web property owners regarding the emerging trend.  We believe that this trend presents a significant cybersecurity challenge in 2015.  Web site owners should ask questions about their malvertising protection before signing up with ads syndication networks.  More importantly, web site owners should deploy infection monitoring and detection solutions to protect their site visitors from malware infection.

The following analysis should help further increase the awareness and understanding on malvertising threats.



Infection Details

Here is the summary of the events:

1.  huffingtonpost.ca was hosting an ad from an AOL ad-network [advertising.com]

2. The ad redirected through multiple hops

3. The landing page served an exploit kit. 

4. The Exploit kit served a Flash exploit  and a VB script

5. The script downloaded a Kovter Trojan executable to %temp%

The culprit was malvertising served from advertising.com. Over the past several days we have seen many other sites that contained ads from advertising.com and redirected visitors to malware, including:

  • www.huffingtonpost.com
  • www.mandatory.com
  • www.laweekly.com
  • www.gooddrama.net
  • www.fhm.com
  • www.thewmurchannel.com
  • www.buzzlie.com
  • www.mojosavings.com
  • www.houstonpress.com
  • www.soapcentral.com
  • www.theindychannel.com
  • www.gamezone.com
  • www.weatherbug.com

Interestingly attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. The HTTPS redirector is hosted on a Google App Engine page. This makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted. The whole infection chain for huffingtonpost.ca is:

http www.huffingtonpost.ca
http o.aolcdn.com
http atwola.com
http tacoda.net
http advertising.com
https nomadic-proton-777.appspot.com [Google App Engine]
http foxbusness.com
http multiple .PL redirects
http howto.sxcubelabs.nysa.pl:8080/phppgadmin/


The whole infection chain for huffingtonpost.com is:

http www.huffingtonpost.com
http o.aolcdn.com
http atwola.com
http tacoda.net
http advertising.com
https nomadic-proton-777.appspot.com [Google App Engine]
http foxbusness.com
http warszawa.pl [Polish capital website]
http schoo.kuppicu.opoczno.pl:8080/books


It appears that this group has compromised and/or has access to multiple .pl domains in Poland, and is making redirects via sub-domains for these sites (nysa.pl, klodzko.pl, etc). This is similar to the Youtube Ads attack that our friends at TrendMicro blogged about in October.

 In addition to “advertising.com” Advertising Network we have also seen “adtech.de” redirecting to these infected Polish sites. In the case of “adtech”, the redirectors were: “imp-check.appspot.com” (Google) and svcollege.net. Both of these platforms (adtech.de and advertising.com) are owned by AOL. AOL Platforms has 199 Million unique visitors per month. It reaches 88.8% of the U.S. Internet Audience. We have notified AOL abuse and security team and they confirmed they are currently investigating this.



Cyphort Labs suspects the exploit kit used was NeutrinoEK, but also saw similarity between this one and Sweet Orange kit (http://malware-traffic-analysis.net/2014/11/18/index.html)  . 

The infection starts with javascript that does the following: 

1. It decrypts (base64 algorithm) an html file and a Visual Basic script file.
2. The decrypted html file (which exploits CVE-2013-2551)  is loaded as an iframe.
3. VB script downloads and executes the malicious executable (Kovter).
4. Both HTML & VB script seem to be communicating only with http://howto.sxcubelabs.nysa.pl:8080/include.php which is down.

Here is the decrypted VB script. The VB script code is exploiting CVE-2014-6332 (Windows OLE Automation Array Remote Code Execution Vulnerability).  A POC was posted at exploit-db last November (http://www.exploit-db.com/exploits/35230/).


 The purpose of this attack is to install a malicious binary – a new variant of a Trojan, from the Kovter family. (SHA1: eec439cb201d12d7befe5482e8a36eeb52206d6f). The malware was downloaded from indus.qgettingrinchwithebooks.babia-gora.pl:8080 , it was a un-encrypted binary. After execution it connects to a16-kite.pw for CNC.  It executes through injecting its payload to a spawned svchost.exe process. 

Below is a screenshot of the Behavior Details of this malware when Cyphort  Advanced Threat Defense Platform detected it.



Cyphort Labs is monitoring this malvertising campaign closely.  We will share more results as soon as they become available. Special thanks to Alex Burt and the Cyphort Labs team for their help in the discovery and analysis.