A malvertising campaign with an unusually expansive reach was targeting potentially millions of users in the U.S., Europe, Asia Pacific and the Middle East, infecting victims with ransomware before researchers at Cisco's Talos division took steps to shut down the operation this past month.
Active for at least the month of August, the campaign relied on malware-tainted ads to route certain users through an intermediary “gate” – a server that by itself does not appear malicious – that would in turn send them to a landing page hosting the Neutrino Exploit Kit. In this instance, the redirect was automatic – victims did not have to first click on the ad.
Using a gate “allows the adversary to quickly change the actual malicious server without having to change the initial redirection… enabling a longer exploit kit campaign without having to constantly modify the site or ad that starts the infection chain,” Talos explains in a blog post.
If the exploit kit server determined the user's machine had Flash installed, it would then drop a malicious Flash file containing multiple exploits, ultimately resulting in a CrypMIC ransomware payload. Users did not even see the Neutrino EK landing page when they were taken there because it was designed to render off-screen, several feet above and to the left of any visible monitor space.
Dubbed ShadowGate due to its reliance on domain shadowing techniques, the campaign hosted its activity on malicious subdomains of legitimate websites that the perpetrators secretly created, most likely by compromising these websites' accounts with their domain registrar, GoDaddy. “The owners of those domain accounts don't even realize most of the time” that these malicious subdomains exist, said Earl Carter, threat researcher with Talos, in an interview with SCMagazine.com.
During the campaign takedown process, Talos partnered with GoDaddy to remove the offending domains. A second campaign followed shortly thereafter, placing malicious ads on primarily European and Israeli websites, until that one was struck down as well.
Through its analysis of SSL traffic, Talos was able to determine that the perpetrators sneaked malicious ads onto legitimate websites by compromising ad streams with malicious iframes (HTML documents embedded within other HTML documents) that redirected recipients to the aforementioned gates. Indeed, Talos found web pages where every single ad had an iframe in it, generating multiple redirect attempts at once.
Most of the sites hosting the ads were using Revive or OpenX Enterprise ad servers, Talos reported in its blog. Sites featuring the ads included Chinese IT websites, a New Zealand-based retail news site, a Saudi Arabian soccer team site, a major U.S. university's website and a Polish forum for bike enthusiasts. “They weren't discriminating with locations; they were targeting people across the globe,” said Carter, who noted that the malware distributors even took care to use ads featuring the native language of each region being targeted.
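As an added example (not code from Talos or from the article), a site operator could audit the ad markup their ad server delivers for iframes a visitor cannot see, such as frames positioned far off-screen in the way the landing page above was rendered. The -500px threshold, the assumption that positioning appears in inline styles, and the example.test hostnames are all constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed threshold: an offset this far past the top/left edge is off-screen.
OFFSCREEN_PX = -500
# Match top/left/width/height declarations, but not margin-top, max-width, etc.
_DECL = re.compile(
    r"(?<![\w-])(top|left|width|height)\s*:\s*(-?\d+(?:\.\d+)?)", re.I)
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAudit(HTMLParser):
    """Collects iframes in ad markup that a visitor could not see."""
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "")
        props = {k.lower(): float(v) for k, v in _DECL.findall(style)}
        # Fall back to the width/height attributes when the style omits them.
        for dim in ("width", "height"):
            if dim not in props and a.get(dim, "").strip().isdigit():
                props[dim] = float(a[dim])
        reasons = []
        if any(props.get(p, 0) <= OFFSCREEN_PX for p in ("top", "left")):
            reasons.append("offscreen")
        if any(props.get(d, 2) <= 1 for d in ("width", "height")):
            reasons.append("tiny")
        if _HIDDEN.search(style):
            reasons.append("hidden")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def audit(html):
    """Return [(iframe src, reasons)] for every invisible iframe in html."""
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup: one visible embed, one frame placed off-screen.
SAMPLE = """
<div class="ad"><a href="https://shop.example.test/"><img src="banner.png"></a>
<iframe src="https://gate.example.test/r" width="300" height="250"
        style="position:absolute; top:-2000px; left:-2000px"></iframe></div>
<iframe src="https://video.example.test/embed" width="560" height="315"></iframe>
"""
```

Findings are a starting point for review rather than a verdict, since some legitimate tracking pixels also use tiny or hidden frames.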