Researchers have detected a malvertising campaign running on a pair of sites owned by Huffington Post that is using ads distributed through an AOL ad network. The attack is sending victims through a series of redirects that eventually brings them to a landing page that is running an exploit kit.
The campaign emerged first on huffingtonpost.ca on Dec. 31 and researchers from security firm Cyphort soon found it on the main Huffington Post site in the United States as well. The researchers discovered that the campaign originates with ads being served by AOL’s Advertising.com network and once a user clicked on a malicious ad, she was redirected through a number of hops–some using HTTPS–until she hit a landing page. That page contained an exploit kit that was serving both Flash and VB script exploits.
The landing pages appear to be compromised Polish sites.
“Interestingly attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. The HTTPS redirector is hosted on a Google App Engine page. This makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted,” the Cyphort analysis of the attack says. AOL has taken steps to shut down the campaign.
“It appears that this group has compromised and/or has access to multiple .pl domains in Poland, and is making redirects via sub-domains for these sites (nysa.pl, klodzko.pl, etc).”
The malvertising campaign extended to a number of other sites beyond the Huffington Post domains, the researchers said, and the exploit kit used in the attack appears to be the Neutrino kit. The infection begins with a Javascript attack and then the code decrypts an HTML file and a VB script file. The HTML file is loaded in an iframe, the researchers said, and exploits an old vulnerability, the CVE-2013-2551 use-after-free flaw in Internet Explorer. The VB script then downloads a malicious executable.
“The purpose of this attack is to install a malicious binary – a new variant of a Trojan, from the Kovter family. (SHA1: eec439cb201d12d7befe5482e8a36eeb52206d6f). The malware was downloaded from indus.qgettingrinchwithebooks.babia-gora.pl:8080 , it was a un-encrypted binary. After execution it connects to a16-kite.pw for CNC. It executes through injecting its payload to a spawned svchost.exe process,” the researchers say.
Cyphort’s researchers got in touch with the abuse team at AOL and they attack stopped soon after.
“We have escalated this issue to AOL security team (advertising.com infection). They are investigating. We have not talked to Huffington Post or dozens of other infected websites, yet. Shortly after we notified AOL , the attack has discontinued,” Nick Bilogorskiy, a Cyphort researcher, said in a statement.
Image from Flickr photos of Stuart Rankin.