Go Back   SZONE.US Forums > Do it yourself (DIY) > Web Tips > Web Findings

Web Findings Here you will find information about the internet.

Large Malvertising Campaign Leads to Angler EK & Bunitu Malware

Thread Tools Search this Thread Rate Thread
Unread 06.10.15, 06:01 AM
Zachariah Boren's Avatar
Zachariah Boren Zachariah Boren is offline
Join Date: 02.07
Location: Canoga Park, CA
Posts: 928
Blog Entries: 6
Images: 10075
Send a message via ICQ to Zachariah Boren Send a message via MSN to Zachariah Boren Send a message via twitter to Zachariah Boren
Large Malvertising Campaign Leads to Angler EK & Bunitu Malware

06.09.15 06:00 PM

Websense® Security Labs™ researchers have been monitoring a mass scale malvertising campaign that leads to Angler Exploit Kit. The attack has affected users browsing to many popular sites, including CNN Indonesia, the official website of Prague Airport, Detik, AASTOCKS, RTL Television Croatia, and the Bejewled Blitz game on Facebook. According to SimilarWeb, these sites have a combined total of at least 50 million visitors per month.

Image 1. Heatmap of geographical locations affected by this malvertizing campaign in May 2015

The following are some of the key features of this campaign:

  • OpenX advertising scripts are injected with code

  • The injected code is evasive and stealthy

  • Angler Exploit Kit infects the victim's machine with malware

  • The Bunitu trojan has been used

  • At least 50 million users per month are at risk

Websense customers are protected against this threat via real-time analytics with ACE, the Websense Advanced Classification Engine, at the different stages of the attack detailed below:

  • Stage 2 (Lure) – ACE has protection against websites injected with malicious content.
  • Stage 3 (Redirect) – ACE has protection against known redirects associated with this campaign.
  • Stage 4 (Exploit Kit) – ACE has protection against the Angler Exploit Kit and exploit delivery content via real-time analytics.
  • Stage 5 (Dropper) – ACE has protection against known Bunitu samples.
  • Stage 6 (Call Home) – ACE has detection for command and control infrastructure known to be associated with Bunitu.

What is OpenX?

OpenX is an advertising platform used by many websites for customized advertising, and implementations of OpenX are often shared between multiple sites often belonging to the same company, or due to the use of a third party advertiser using OpenX technology. The OpenX network is extremely popular, seeing more than 100 billion impressions per month, and when these scripts are compromised and injected with malicious code, millions of users on multiple websites can be immediately affected. This makes OpenX scripts a big target for cybercriminals looking to maximize their surface area of potential victims.

We have seen compromised OpenX scripts used in malvertising in the past, and seemingly this continues to be a target of interest for cybercriminals.

Angler Exploit Kit Strikes Again

The code injected into the compromised OpenX scripts in this campaign have been seen to lead to the very prevalent Angler Exploit Kit. The injected code is not always sent when the script is requested, making it difficult to detect with automated analysis tools. In addition, Angler Exploit Kit will only serve up the malicious exploit code once per IP in a 24 hour period or so.

Since April we have seen compromised OpenX scripts being used by several highly popular websites, including CNN Indonesia, Detik, Prague Airport, AASTOCKS, RTL Television Croatia, and the official Bejewled Blitz game on Facebook. Some of these only seem to contain the injected code for 24 hours, whilst others have remained compromised for weeks. Recently, we saw an interesting infection chain from the popular Croatian website Forum[.]hr (Alexa 15 in Croatia) which has been using a compromised OpenX script from third-party advertiser ads3.monitor[.]hr

Image 2, 3 & 4. A compromised advertizing script on ads3.monitor[.]hr displays a legitimate advert whilst malicious code executes in the background

The injected code led to a redirect, and then to Angler Exploit Kit which exploited the latest Adobe Flash Player vulnerability (CVE-2015-3090). Recently the exploit kit has been distributing CryptoWall 3.0, Bedep and Necurs but we saw a different payload, a trojan known as 'Bunitu'.

Bunitu Malware Turns Your Machine into a Zombie

The Bunitu malware dropped by Angler caused our infected machine to act as a proxy, in theory allowing our computer's network connection to be used for subsequent malicious activity. Cybercriminals often use this tactic in order to hide their tracks from authorities, behind legitimate users' machines. The SHA1 for the sample we saw is 004e9a3ea2670a76ee90067ff29816c31908e552.

Bunitu drops and loads a DLL within its own process which opens two random ports on the infected machine for a SOCKS5 proxy and an HTTP proxy, and in our case these were ports 8322 & 56100 respectively. It contains a hard-coded call home/command-and-control IP of 85.17.142[.]21:53 which it tries to contact twice in order to report our infection and which ports it has opened on our machine:

Image 5. Bunitu calling home and reporting an infection, along with which proxy ports are opened on the infected machine

The malware also has back-up infrastructure in case the hard-coded call home server is not available. It attempts to resolve nsb.quixjoumnf[.]com, resulting in an IP of 110.201.214[.]114. The hexadecimal value of this IP address is represented in memory as 0x72D6C96E, and Bunitu then XORs this value against a hard-coded value of 0x16EC1A31, resulting in 0x643AD35F. This final value is the hexadecimal representation of another IP, 95.211.58[.]100 which is used as a call home by Bunitu after the initial two attempts to the hard-coded server. This routine can be seen in the following image:

Image 6. Bunitu XOR routine for resolving IP addresses

There are also two more back-up addresses that Bunitu can resolve if nsb.quixjoumnf[.]com does not resolve; here is a representation of how the call home infrastructure is determined:

Bunitu regularly sends heartbeats to its C&C so that it can be determined which machines are currently active and infected.


Advertising networks continue to be a point of focus for cybercriminals, opening up avenues to infect millions of users with minimal effort. The growing nature of evasion, stealth, and variation employed in the malicious code means that it's more important now than ever to deploy a security solution capable of stopping threats at multiple points in the 7 stages kill chain.


Indicators of compromise can be found below.

Payloads (SHA1)

SWF Exploit: feb33f3a3ac53203697d2b04ddbefa038b199a21

Bunitu EXE: 004e9a3ea2670a76ee90067ff29816c31908e552

Bunitu DLL: fc512fc9ad3501aecf8fab06d2c76447879520d0









Reply With Quote

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Rate This Thread
Rate This Thread:

All times are GMT -8. The time now is 09:08 AM.

Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright 2007 - 20017 SZONE.US All rights reserved