Categories: Cyber Crime, Malware

Malvertising, HuffingtonPost was serving Malware via AOL Ad-Network

Security company Cyphort has discovered a malvertising campaign that targeted several websites via the AOL ad network, including the Huffington Post.

Security experts at Cyphort discovered a new malvertising campaign that hit numerous websites, including the Huffington Post and LA Weekly. The attackers abused the AOL ad network to run the malicious campaign. Cyphort first detected the attacks on Dec. 31 against the Canadian edition of the Huffington Post (huffingtonpost.ca), then on huffingtonpost.com on Jan. 3. Cyphort notified AOL of the discovery and the attacks stopped on Jan. 5.

“In this case all the malicious ads came via advertising networks that belong to AOL,” said Nick Bilogorskiy, director of security research at Cyphort. “We don’t know exactly how it got there. When we consulted our logs we… [saw] the issue started in late October. So, one possibility is that AOL itself has been breached. Another possibility is that attackers are submitting the malicious ads and have AOL approving these ads for use in the ad network.”

According to the details provided by Cyphort, the ad redirected users through multiple hops. The landing page served an exploit kit that used a Flash exploit and a VBScript that downloaded the Kovter Trojan executable to %temp%.

The researchers suspect that the exploit kit served by the cyber criminals could be the Neutrino kit or the Sweet Orange kit.

The Cyphort experts found particularly interesting the attackers' use of a mix of HTTP and HTTPS redirects to hide the servers involved, including a dedicated HTTPS redirector hosted on a Google App Engine page.

“Interestingly attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. The HTTPS redirector is hosted on a Google App Engine page. This makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted.” states a blog post published by Cyphort.

In addition to the advertising.com ad network, the attackers also used the "adtech.de" platform, both services belonging to AOL. The chain of hosts observed in the attack is reported below:

http www.huffingtonpost.ca
http o.aolcdn.com
http atwola.com
http tacoda.net
http advertising.com
https nomadic-proton-777.appspot.com [Google App Engine]
http foxbusness.com
http multiple .PL redirects
http howto.sxcubelabs.nysa.pl:8080/phppgadmin/

Different malicious scripts were executed with different ads from advertising.com.

“When [a] user opens [the] Huffington Post web site, several scripts are executed from the advertising network to show ads. One of these scripts loads an external function through HTTPS from Google AppSpot, and this function loads another redirect through HTTPS. And only then the user receives redirects to malware payload. It makes it harder to analyze the origin of attack because even if a security company has the recorded network traffic it is impossible to decrypt and reconstruct the origin of the malware redirect.” said Bilogorskiy.

The Cyphort experts speculate that the crew behind the attack compromised several Polish .pl domains and used related sub-domains to redirect the traffic.
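The hop list above is what an analyst has to rebuild from proxy logs, and the HTTPS hop is where the trail breaks: a forward proxy records only a CONNECT for the App Engine host, and browsers drop the Referer when an HTTPS page sends them on to a plain-HTTP one, so the next request shows up with no referer at all. The script below is an added example (not Cyphort's tooling) that reconstructs redirect chains from a constructed proxy log in that state, links the referer-less hop to the preceding CONNECT by timing, and flags chains that combine several of the indicators described in the article. The log format, the allow-list of expected ad hosts, the five-second linking window and the two-indicator threshold are assumptions for the illustration.

```python
"""Rebuild ad redirect chains from a web-proxy log and flag the ones that look like
the hop sequence above. Added example, not Cyphort's tooling; log format, host
allow-list and scoring thresholds are assumptions for the illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log (not a capture from the incident). One request per line:
# "<ISO timestamp> <client> <method> <url or host:port> <referer or ->".
# The HTTPS hop appears only as a CONNECT, and the hop after it has no Referer.
SAMPLE_LOG = """\
2015-01-03T10:00:01Z 10.0.0.5 GET http://www.huffingtonpost.ca/ -
2015-01-03T10:00:01Z 10.0.0.5 GET http://o.aolcdn.com/ads/loader.js http://www.huffingtonpost.ca/
2015-01-03T10:00:02Z 10.0.0.5 GET http://atwola.com/ad?id=1 http://www.huffingtonpost.ca/
2015-01-03T10:00:02Z 10.0.0.5 GET http://tacoda.net/t http://atwola.com/ad?id=1
2015-01-03T10:00:02Z 10.0.0.5 GET http://advertising.com/serve http://tacoda.net/t
2015-01-03T10:00:03Z 10.0.0.5 CONNECT nomadic-proton-777.appspot.com:443 -
2015-01-03T10:00:03Z 10.0.0.5 GET http://foxbusness.com/go -
2015-01-03T10:00:04Z 10.0.0.5 GET http://howto.sxcubelabs.nysa.pl:8080/phppgadmin/ http://foxbusness.com/go
2015-01-03T10:05:00Z 10.0.0.9 GET http://www.huffingtonpost.ca/ -
2015-01-03T10:05:00Z 10.0.0.9 GET http://advertising.com/serve http://www.huffingtonpost.ca/
2015-01-03T10:05:01Z 10.0.0.9 GET http://static.example-brand.test/banner.jpg http://advertising.com/serve
"""

PUBLISHER_HOSTS = {"www.huffingtonpost.ca", "www.huffingtonpost.com"}
# Hosts expected in a legitimate ad load on this publisher (assumed allow-list).
KNOWN_AD_HOSTS = {"o.aolcdn.com", "atwola.com", "tacoda.net", "advertising.com", "adtech.de"}
WINDOW = timedelta(seconds=5)  # max gap when linking a referer-less request by timing


def host_port(target):
    """(host, port) for a full URL or a CONNECT 'host:port' target."""
    if "://" not in target:
        host, _, port = target.rpartition(":")
        return host, int(port)
    u = urlsplit(target)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def parse(log_text):
    recs = []
    for line in log_text.splitlines():
        ts, client, method, target, referer = line.split(" ", 4)
        recs.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
                     "method": method, "target": target,
                     "referer": None if referer == "-" else referer, "parent": None})
    return recs


def link_parents(recs):
    """Attach each request to the one that caused it. With a Referer the link is
    observed; without one it is inferred from timing: a CONNECT follows whatever the
    client fetched just before, and a referer-less GET follows the last CONNECT."""
    by_client = defaultdict(list)
    for r in recs:
        by_client[r["client"]].append(r)
    for reqs in by_client.values():
        reqs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(reqs):
            earlier = reqs[:i][::-1]
            if r["referer"]:
                r["parent"] = next((p for p in earlier if p["target"] == r["referer"]), None)
                continue
            want = None if r["method"] == "CONNECT" else "CONNECT"
            for p in earlier:
                if r["ts"] - p["ts"] > WINDOW:
                    break
                if want is None or p["method"] == want:
                    r["parent"], r["inferred"] = p, True
                    break
    return recs


def chain_of(rec):
    hops = []
    while rec:
        hops.append(rec)
        rec = rec["parent"]
    return hops[::-1]


def suspicious_chains(log_text):
    """[(reasons, [host, ...])] for each leaf chain that matches two or more indicators."""
    recs = link_parents(parse(log_text))
    parent_ids = {id(r["parent"]) for r in recs if r["parent"]}
    found = []
    for leaf in (r for r in recs if id(r) not in parent_ids):
        hops = chain_of(leaf)
        hosts = [host_port(h["target"])[0] for h in hops]
        reasons = []
        if any(name.endswith(".appspot.com") for name in hosts):
            reasons.append("HTTPS redirector on Google App Engine")
        if any(h.get("inferred") for h in hops):
            reasons.append("referer lost after HTTPS hop; link inferred by timing")
        if host_port(leaf["target"])[1] not in (80, 443):
            reasons.append("final hop on a non-standard port")
        if hosts[0] in PUBLISHER_HOSTS and len(hops) >= 4 and hosts[-1] not in KNOWN_AD_HOSTS:
            reasons.append("long chain from publisher page to an unknown host")
        if len(reasons) >= 2:
            found.append((reasons, hosts))
    return found


if __name__ == "__main__":
    for reasons, hosts in suspicious_chains(SAMPLE_LOG):
        print(" -> ".join(hosts))
        print("   " + "; ".join(reasons))
```

On the sample log only the chain ending on the .pl host on port 8080 is flagged; the ordinary banner fetched by the second client has no appspot hop, no lost referer and a short chain, so it passes. The timing-based link is the weak point: it is an inference, so the output labels it as such rather than presenting the chain as observed fact.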

“The ad networks get millions of ads submitted to them and any one of those could be malvertising,” Bilogorskiy said. “They try to detect and filter malicious ads from their systems, but it is challenging. The potential damage is high, as ad networks have a very deep reach and can infect many people quickly.”

“The attackers are accustomed to tricking the networks by making “armored” malverts, where they use various techniques to appear legitimate to the analysts, but infect the users nonetheless,” he continued. “For instance they will enable the malicious payload after a delay of several days after the ad is approved. Another way is to only serve the exploits to every 10th user, or every 20th user who views the ad. Verifying user agents and IP addresses also is a common strategy to hide from analysts and automated malware detection.  The attackers can implement various targeting strategies for malware infection, which appear normal in the context of advertisement, but in effect evade certain security detection.”
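The three evasions Bilogorskiy lists (arming the payload only days after approval, firing for every Nth visitor, and checking user agents and source addresses) are easy to model, and the model makes clear why a one-shot review at submission time passes such an ad. The block below is an added illustration, not code from the campaign: a toy server-side gate implementing those three checks, a one-fetch review that never sees the redirect, and a patient re-scan that does. The three-day delay, the 1-in-10 ratio, the user-agent markers and the address ranges are assumptions chosen for the example.

```python
"""Model of an 'armored' malvert's gating logic and of the probing needed to see
through it. Added illustration, not code from the campaign; the delay, the 1-in-N
ratio, the user-agent markers and the IP ranges are assumptions."""
from datetime import datetime, timedelta
import ipaddress

# Constructed: what the operator treats as scanner traffic.
SCANNER_UA_MARKERS = ("HeadlessChrome", "PhantomJS", "python-requests", "curl")
SCANNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range standing in for a vendor
APPROVED_AT = datetime(2015, 1, 1)                        # assumed approval date of the creative
LATER = APPROVED_AT + timedelta(days=10)                  # a date well past the arming delay


class ArmoredAd:
    """Server-side gate in front of the exploit redirect, with the three evasions
    quoted above: arm only days after approval, fire for every Nth hit, and never
    for a user agent or source address that looks like an analyst."""

    def __init__(self, approved_at, delay_days=3, every_nth=10):
        self.armed_at = approved_at + timedelta(days=delay_days)
        self.every_nth = every_nth
        self.hits = 0

    def serve(self, now, user_agent, client_ip):
        self.hits += 1
        if now < self.armed_at:
            return "benign"            # still inside the approval-review window
        if any(m in user_agent for m in SCANNER_UA_MARKERS):
            return "benign"            # headless/tooling UA: show the clean creative
        if any(ipaddress.ip_address(client_ip) in net for net in SCANNER_NETS):
            return "benign"            # known analyst range
        if self.hits % self.every_nth:
            return "benign"            # only every Nth visitor gets the redirect
        return "redirect-to-exploit"


def approval_review(ad, reviewed_at):
    """One-shot review as an ad network might do it: a single fetch at submission time."""
    return ad.serve(reviewed_at, "Mozilla/5.0 HeadlessChrome/39.0", "203.0.113.7")


def patient_scan(ad, approved_at, days=7, fetches_per_day=20):
    """Re-fetch the creative daily for a week with a real browser UA from an address
    outside the blocked ranges. Returns (day, fetch) of the first exploit redirect, or None."""
    browser_ua = "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Firefox/34.0"
    for day in range(days):
        when = approved_at + timedelta(days=day)
        for n in range(fetches_per_day):
            if ad.serve(when, browser_ua, "198.51.100.20") == "redirect-to-exploit":
                return day, n
    return None


def demo():
    """Both scanners against fresh copies of the same ad."""
    return {"review": approval_review(ArmoredAd(APPROVED_AT), APPROVED_AT),
            "patient": patient_scan(ArmoredAd(APPROVED_AT), APPROVED_AT)}


if __name__ == "__main__":
    print(demo())   # {'review': 'benign', 'patient': (3, 9)}
```

The review fetch fails on every gate at once (too early, scanner UA, scanner IP), so it would stay benign even if the other two checks were removed; the patient scan only sees the redirect on day 3 and on the tenth fetch of that day. The practical lesson for anyone vetting creatives is that a single fetch proves nothing: re-fetch over time, from addresses and user agents that do not identify the scanner, and enough times to beat the sampling ratio.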

Malvertising campaigns such as this one rely on compromised servers to host their redirectors and exploit kits. To mitigate the threat, website administrators should carefully inspect their platforms for malicious code or evidence of suspicious activity (e.g. traffic redirection).

Pierluigi Paganini

(Security Affairs – AOL, Malvertising campaign)
