Large Number of Adult Sites Distribute Malware Via AdXpansion Malvertising

Posted on

While malvertising activity on adult sites has been ‘relatively’ quiet for some time, we started picking up dozens of attacks on moderately popular XXX portals, where moderate still means millions of daily visitors.

The modus operandi is quite straightforward and facilitated by a compromised Flash advert directly hosted and served by AdXpansion, an adult ad network, which triggers a hidden Flash exploit loaded from a seemingly innocent XML file. This technique has been used before in other self-sufficient Flash ad/exploit attacks.

This malvertising campaign has been running since at least Nov 21 and is affecting hundreds of adults sites. As soon as the rogue Flash advert is displayed in the browser (no click on it is required) it will attempt to load the exploit code.

Notable sites that were affected include:

  • drtuber.com (55.3 M)
  • nuvid.com (41.9 M)
  • eroprofile.com (14M)
  • iceporn.com (6.9M)
  • xbabe.com (4.2M)

Monthly traffic in millions, according to SimilarWeb.

The malicious advert:

MBAE

Malwarebytes Anti-Exploit blocks the malicious advert when it attempts to load the remote exploit shell code.

Technical details

An attack on drtuber.com:

Fiddler

The Flash exploit (CVE-2015-7645) resides inside of the second XML file loaded from malenkiyprince.website.

Same attack on iceporn.com distributes two different payloads at once:

Fiddler_iceporn

The decoded Flash exploit:

ByteArray

We informed AdXpansion but have not received any response so far.

IOCs:

Malicious advert:

  • media.hw.adxpansion.com/20151020133155/037ca5bba3dbe2a84632ebb9f7f98fdc.swf
  • MD5: 037ca5bba3dbe2a84632ebb9f7f98fdc

Flash exploit:

  • malenkiyprince.website/XFdjcl42RmNnXVZRc1wGGAY.xml
  • MD5: f2145598b40e0b0506e6cb4b15513efd
  • Decoded SWF MD5: 146d4f6d149c1b0613e1be3f3a777eab

Malware payloads:

  • drtuber.com payload: 4bee00fbaede53b7b83192867717289c
  • iceporn.com payload (1/2): f502ecb0e450df366fb110d102f34ce0
  • iceporn.com payload (2/2): 3f7f1b51bdaccd3931ff78c154bda0b8

Source:https://blog.malwarebytes.org

Leave a comment