Attackers Target Porn Site Goers in ‘Malsmoke’ Zloader Attack


A fake Java update found on various porn sites actually downloads the well-known Zloader malware.

Cybercriminals are tricking adult website visitors – including sites such as bravoporn[.]com and xhamster[.]com – in malvertising attacks that redirect victims to malicious websites serving up malware.

The campaign, which is part of a larger malvertising effort dubbed “malsmoke”, has been tracked throughout 2020. The most recent efforts, researchers say, indicate a shift in strategy by the attackers – moving away from pushing victims to sites hosting exploit kits to popping up fake Java updates.

The past tactic involved adversaries redirecting site visitors to a website that would then deliver an exploit-kit delivery chain (dropper, downloader and malware). However, starting in mid-October, attackers updated their exploit kits with a twist: a fake Java update was introduced, researchers said. When victims click on this “update,” it ultimately downloads Zloader, a banking malware designed to steal credentials and other private information from users of targeted financial institutions.

“While we thought the threat actor had gone silent, they simply changed tactics in order to further grow their operations,” said researchers with Malwarebytes in a Monday analysis. “Instead of targeting a small fraction of visitors to adult sites that were still running Internet Explorer, they’ve now extended their reach to all browsers.”

When a visitor clicks to play an adult video clip, a new browser window pops up with what looks like a grainy video. What is happening in the background is that after victims click to play the adult video, they are redirected through various malicious pages, such as landingmonster[.]online, until they land on a “decoy” porn site (pornguru[.]online/B87F22462FDB2928564CED). The movie plays for a few seconds – with audio – until suddenly an overlay message tells users that the “Java Plug-in 8.0 was not found.”


Malvertising campaign. Credit: Malwarebytes

Researchers said the movie file is a 28-second MPEG-4 clip that has been rendered with a pixelated view on purpose. It is meant to make users believe they need to download a missing piece of software, even though this will not help in any way at all, they said.

“The threat actors could have designed this fake plugin update in any shape or form,” said researchers. “The choice of Java is a bit odd, though, considering it is not typically associated with video streaming. However, those who click and download the so-called update may not be aware of that, and that’s really all that matters.”

From there, the attackers developed their own utility to download a remote payload. The fake Java update (called JavaPlug-in.msi) is a digitally signed Microsoft installer, which contains a number of libraries and executables. Researchers said many of these are legitimate.

An executable (lic_service.exe) is installed, which then loads HelperDll.dll, the most important module, responsible for deploying the final payload. This module uses the curl library present in the MSI archive to download an encrypted payload (from moviehunters[.]site).

That final payload is Zloader, which injects itself into a new msiexec.exe process to contact its command-and-control (C2) server using a Domain Generation Algorithm (DGA). After identifying a domain that responds, the malware starts downloading additional modules.
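As an added defender-side example (not part of the article or the Malwarebytes report), the script below runs a small set of detections for the infection chain just described over constructed Sysmon-style events: the lic_service.exe launch, the HelperDll.dll load, contact with the known download domain, and DGA-like beaconing from msiexec.exe. The event field names, the sample events and the DGA threshold are assumptions.

```python
# Added example, not code from the article or from Malwarebytes.
# Indicators below are the ones named in the article; everything else is constructed.
SUSPICIOUS_IMAGES = {"lic_service.exe"}
SUSPICIOUS_DLLS = {"helperdll.dll"}
KNOWN_DOMAINS = {"moviehunters.site", "pornguru.online", "landingmonster.online"}
DGA_MIN_DISTINCT = 5  # assumed threshold: msiexec.exe rarely talks to many hosts

# Constructed Sysmon-style events (process create, image load, network connect).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\ProgramData\Java\lic_service.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "cmdline": "JavaPlug-in.msi"},
    {"type": "imageload", "image": r"C:\ProgramData\Java\lic_service.exe",
     "loaded": r"C:\ProgramData\Java\HelperDll.dll"},
    {"type": "network", "image": r"C:\ProgramData\Java\lic_service.exe",
     "dest": "moviehunters[.]site"},
] + [  # six distinct pseudo-random hosts from msiexec.exe, mimicking DGA lookups
    {"type": "network", "image": r"C:\Windows\System32\msiexec.exe",
     "dest": f"xk{i}zt{i * 7}.com"} for i in range(6)
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of human-readable findings for the malsmoke/Zloader chain."""
    findings = []
    msiexec_dests = set()
    for e in events:
        img = basename(e["image"])
        if e["type"] == "process" and img in SUSPICIOUS_IMAGES:
            findings.append(f"{img} launched by {basename(e['parent'])} ({e['cmdline']})")
        elif e["type"] == "imageload" and basename(e["loaded"]) in SUSPICIOUS_DLLS:
            findings.append(f"{img} loaded {basename(e['loaded'])}")
        elif e["type"] == "network":
            dest = e["dest"].replace("[.]", ".").lower()  # un-defang indicator
            if dest in KNOWN_DOMAINS:
                findings.append(f"{img} contacted known malsmoke domain {dest}")
            if img == "msiexec.exe":
                msiexec_dests.add(dest)
    if len(msiexec_dests) >= DGA_MIN_DISTINCT:
        findings.append(f"msiexec.exe contacted {len(msiexec_dests)} distinct "
                        "domains (possible DGA beaconing)")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print("ALERT:", f)
```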

Evolving Malsmoke Attack

The malsmoke campaign, first revealed by researchers in September, derives its name from Smoke Loader, the most frequent payload utilized via the Fallout exploit kit. Initially researchers observed the campaign utilizing exploit kits; in late August, for instance, a Fallout exploit kit campaign was observed distributing the Raccoon Stealer via high-traffic adult sites. Shortly after researchers reported that attack to the ad network, the same threat actor came back again using the RIG exploit kit instead.

“While we see a number of malvertising chains, the majority of them come from low quality traffic and shady ad networks,” said researchers. “Malsmoke goes for high traffic adult portals, hoping to yield the maximum number of infections. For example, malsmoke has been present on xhamster[.]com, a site with 974 million monthly visits, on and off for months.”

While the attackers have switched up their tactics to utilize fake Java updates instead of exploit kits, researchers say that they continue to abuse high-traffic adult portals and can be tied back to the Traffic Stars ad network. Researchers warn that this campaign will continue with new and evolving tactics.

“In the absence of high value software vulnerabilities and exploits, social engineering is an excellent option as it is cost effective and reliable,” said researchers. “As far as web threats go, such schemes are here to stay for the foreseeable future.”
