Adware Empire – IronSource and InstallCore

A recent Adware campaign using malicious Bing ads led me to a Chrome download that eventually deploys Adware to the user’s computer. The IPs and types of Adware connect back to IronSource Ltd, Babylon Software Ltd., and InstallCore, all Israeli companies that have connections to Adware. See here, and here.

(Note: This was reported heavily by the media (ZDNet, OnMSFT, Inquirer, Alphr) in recent days. My discovery of the malicious ads is independent of any other source. My list of 3,500 IronSource hostnames is exclusive, as is all of the IP research behind the Adware.)

At this time there appears to be a publisher that is steering users to a network of sites that deliver a payload of Adware. Please note that I have only made tangential connections between said publisher and the aforementioned companies. Various IP addresses and analysis of the Adware point to IronSource as the controlling entity of the servers that the Adware communicates with after it is delivered. That is not to say that IronSource is necessarily aware that a pay-per-install publisher is redirecting visitors to sites that impersonate Google Chrome.

The process began by searching Bing.com for ‘Download Chrome’. An ad at the top of the page looks like a legitimate Chrome advertisement and has an ‘Ad’ marker clearly visible, but it is poisoned: it leads to a false Google Chrome domain.

Notice how the ad below says “Chrome is a fast,secure” browser and is missing a space after the comma.


A fake Chrome website, ‘googleonline2018.com’, is presented to the user when they click the top ad:



Clicking ‘Download Chrome’ leads the user to the URL:

files.drivedowns.com/direct/?cod=24620&name=GoogleChrome

which answers with a 302 redirect to another URL that serves the payload:

www.tasetofeni.com/y94jg5t/ChromeSetup.exe
SHA1: a61c027efb9c0ea3448ef584302c987af508a07d8347c20e8f373d847034ba7c

The file above is detected on VirusTotal by only one of 70 engines (BitDefender). Here’s the JoeSandBox malware analysis. The malware type delivered is DealAgent, which is considered Adware.

We discovered a number of different Adware families being delivered from the hosts this file communicated with, including Amonetize, BitVote Miner, Babylon Toolbar, InstallCore, Strictor, Dealply, InstallMiez (MacOS), OpenCandy, Optimizer Pro, SProtector, Crepreote, AdvancedMacCleaner, Vittalia, OpinionSpy, Spynion, and Adware going by many other names across all of the IPs involved. There was also a prevalence of MacOS unwanted programs and Adware communicating with these hosts in the same way malware talks to command-and-control infrastructure. (JoeSandBox Malware Analysis)

A video below shows the full sequence of events:

We’ve compiled a video of the event and screenshots to walk through the process of encountering the Adware. In our video, the antivirus BitDefender blocks the attack, and it was the only one of 70 engines that detected it on VirusTotal. See the full JoeSandBox analysis.

Deeper Investigation

***Update #1: Check out this list of 3,500 IronSource hostnames, still active!

***Update #2: A related IP address in a block owned by IronSource is 199.58.87.151. It contains interesting files that appear to be payloads for the Adware applications. Curiously, a few are named ‘KAVcompatibilityCheck.cis’ and ‘Symantec_Norton_IronSourcev5.cis’. Here’s a zip of the files I downloaded from the URLs in VirusTotal. Can you analyze these?

Below I will investigate 3 domains. One belongs to the publisher, and the other two appear to funnel traffic, using a referrer ID, to a payload domain with round-robin DNS. Several of the IPs it resolves to belong to IronSource based on WHOIS records. Others are unidentified, but given the identical file structure and activity, I’d say there’s a great chance it’s all connected. As you scroll down you’ll find a piece of evidence. I encourage you to continue researching them and connecting the dots. Let me know what you find…

Domain #1: googleonline2018.com

The landing page googleonline2018.com is a 116-day-old domain registered by [email protected] at the IP address 149.28.73.46, which reportedly belongs to Vultr Holdings, LLC.

Example of the site ‘googleonline2018.com’:

A number of other domains are registered to this user with the word ‘Chrome’ or ‘Google’ in them.

Two other domains stand out, like ‘atracksys.com’ up top. They don’t seem to fit the profile of the fake Chrome sites. Below are ‘inccweb.com’ and ‘necisoft.com’ from 3-4 years ago.

Information on registrar:

Blog at 163.com, no logins since 2007: http://richard86811.blog.163.com/

The Pastebin link https://pastebin.com/sai42Sdw has ‘456223’, ‘richard86811’, ‘868118918’ and ‘[email protected]’ in a DB dump of some kind, which reveals another e-mail associated with the Gmail address used to register these domains. The number 86 is the country code for China, and 86-811-8918 could potentially be a partial phone number.

Names associated with the domains: Jiaqiang Li (Jiangmen & Guangdong, China) and Chen Weilong (Guangdong, China)

Domain #2: drivedowns.com

This domain is the initial redirector after you click Download Chrome. It’s a 20-day-old domain currently being protected by Cloudflare. It’s not uncommon to see malicious sites behind Cloudflare. I’ve made dozens of attempts to report abuse to this vendor, only to be rebuffed and told that “Our service is a pass-thru and we do not control the content of our customers”.

The VirusTotal results show not only that this domain is rated as malware by Fortinet, PREBYTES, and Scumware.org, but also that other domains on the same IP appear to host backdoor PHP files and other malicious-looking domains with randomized names. That is unrelated to this campaign, but it goes to show that Cloudflare can both protect the good guys and obfuscate the real location of the bad guys.

Domain #3: tasetofeni.com

This domain is 101 days old and has been using rotating Amazon IPs since at least 10/08/2018, based on passive DNS. That is not surprising, as we see plenty of hacked and/or fraudulent AWS accounts on which attackers control domains with no legitimate front page.

Other files with different packing show various levels of detection by AV engines.

The malware ChromeSetup.exe is detected as InstallCore or as a basic dropper/trojan.

The JoeSandBox analysis of these files and the domain goes into depth:

Domain #4: reholessbegise.com (dev, img, remote)

The dropped ChromeSetup.exe file communicates with a couple of subdomains of the 35-day-old domain reholessbegise.com, which uses AWS DNS. There is a connection between this domain and IPs owned by IronSource at LeaseWeb. Also, many of the IPs it resolves to serve the ‘Babylon Toolbar’, a piece of software made by Babylon Software Ltd in Israel.

img.reholessbegise.com is the domain from which ChromeSetup.exe pulls many of its images, and there’s no shortage of IPs behind it.

We resolved it with Whatsmydns globally to find a round-robin of addresses:

IPs: [199.58.87.155 (Active), 199.58.87.110 (Old), 199.58.87.151 (Old)] (IronSource Israel via LeaseWeb)

Note how IronSource’s IP range has plenty of misleading or downright fake file names. These aren’t files that are ‘communicating’ but ones that have been pulled down from these hosts.

Check out this list of 3,500 IronSource domains; most are still active!

Note that ‘InstallCore.com’ is hosted off of this IP owned by IronSource. Below is a forum discussion between two hackers about doing Adware installs for them, which links the companies together. InstallCore is an ‘IronSource’ service.

LeaseWeb identifies the customer in WHOIS records:


dev.reholessbegise.com is a domain that ChromeSetup.exe talks to often, as confirmed in the sandbox analysis.

Note that each IP has a VirusTotal link to see its activity:

IPs: [54.201.95.158, 35.167.192.77] (Amazon AWS)

IP: [185.59.222.146] (CDN77.com/Netherlands)

IPs: [46.166.187.59, 85.159.237.103] (NForce Entertainment B.V.)

IP: [95.211.184.67] (LeaseWeb)

IPs: [146.185.27.45, 146.185.27.53, 209.95.37.242] (Midphase)

IP: [192.96.201.161] (CommPeak.com via LeaseWeb)

The ChromeSetup.exe file talks heavily to these hosts and grabs not only images but suspicious files. See the JoeSandBox analysis for all communications. One such request, for a ‘.cis’ payload on remote.reholessbegise.com, is shown below.

Oct 26, 2018 6129 OUT HEAD /ofr/Solululadul/osutils.cis HTTP/1.1
Accept: */*
Host: remote.reholessbegise.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

(SHA256: 168656b0a807e5fa2c016d637c0c02d83753919ac5a8f493895e9dddce1a916c)
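The indicators collected in this writeup (the four domains, the IPs they resolve to, the two file hashes, and the HEAD request for a ‘.cis’ file from /ofr/ with an IE11/Trident User-Agent) can be turned directly into a detection over web-proxy logs. The script below is an added example and not code from the original post or from any of the companies discussed; the log line format and the sample log lines are constructed for the example, with the destination IPs of the benign lines taken from the 203.0.113.0/24 documentation range. It matches on a listed domain or any subdomain of it, on destination IP, on the downloaded file’s SHA-256, and on the ‘.cis’ fetch pattern, and it deliberately does not match lookalike hosts such as notdrivedowns.com.

```python
"""IoC matcher for web-proxy logs, built from the indicators in the writeup above.

Constructed log format (one request per line):
    <timestamp> <client_ip> <dst_ip> <METHOD> <url> <status> "<user-agent>" [<sha256 of body>]
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Domains named in the writeup (landing page, redirector, payload host, post-install host).
CAMPAIGN_DOMAINS = {
    "googleonline2018.com",
    "drivedowns.com",
    "tasetofeni.com",
    "reholessbegise.com",
}

# IPs listed in the writeup for the landing page and for the reholessbegise.com subdomains.
CAMPAIGN_IPS = {
    "149.28.73.46",
    "199.58.87.155", "199.58.87.110", "199.58.87.151",
    "54.201.95.158", "35.167.192.77",
    "185.59.222.146",
    "46.166.187.59", "85.159.237.103",
    "95.211.184.67",
    "146.185.27.45", "146.185.27.53", "209.95.37.242",
    "192.96.201.161",
}

# 64-hex digests quoted in the writeup: the ChromeSetup.exe download and the osutils.cis file.
CAMPAIGN_SHA256 = {
    "a61c027efb9c0ea3448ef584302c987af508a07d8347c20e8f373d847034ba7c",
    "168656b0a807e5fa2c016d637c0c02d83753919ac5a8f493895e9dddce1a916c",
}

# The installer issued HEAD requests for /ofr/<dir>/<name>.cis with an IE11/Trident User-Agent.
CIS_PATH = re.compile(r"^/ofr/[^/]+/[^/]+\.cis$")
TRIDENT_UA = "Trident/7.0"

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst_ip>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"(?: (?P<sha256>[0-9a-fA-F]{64}))?\s*$'
)


@dataclass
class Alert:
    ts: str
    client: str
    url: str
    reasons: List[str]


def matches_campaign_domain(host: str) -> bool:
    """True for a listed domain or a subdomain of it; a lookalike like notdrivedowns.com is not matched."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert listing every indicator the log line hits, or None if it hits nothing."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a production pipeline would count and surface these
    f = m.groupdict()
    parts = urlsplit(f["url"])
    host = parts.hostname or ""
    reasons = []
    if matches_campaign_domain(host):
        reasons.append(f"domain:{host}")
    if f["dst_ip"] in CAMPAIGN_IPS:
        reasons.append(f"ip:{f['dst_ip']}")
    if f["sha256"] and f["sha256"].lower() in CAMPAIGN_SHA256:
        reasons.append(f"sha256:{f['sha256'][:12]}")
    if f["method"] == "HEAD" and CIS_PATH.match(parts.path) and TRIDENT_UA in f["ua"]:
        reasons.append("cis-payload-fetch")
    if not reasons:
        return None
    return Alert(ts=f["ts"], client=f["client"], url=f["url"], reasons=reasons)


def scan(lines) -> List[Alert]:
    """Run check_line over an iterable of log lines and keep the hits."""
    return [a for a in map(check_line, lines) if a is not None]


# Constructed sample log: the redirect chain from the writeup as one client would produce it,
# plus two benign lines (one of them a lookalike domain that must not match).
SAMPLE_LOG = [
    '2018-10-26T14:01:02Z 10.0.0.5 149.28.73.46 GET http://googleonline2018.com/ 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/69.0"',
    '2018-10-26T14:01:05Z 10.0.0.5 203.0.113.10 GET http://files.drivedowns.com/direct/?cod=24620&name=GoogleChrome 302 "Mozilla/5.0 (Windows NT 6.1) Chrome/69.0"',
    '2018-10-26T14:01:06Z 10.0.0.5 203.0.113.20 GET http://www.tasetofeni.com/y94jg5t/ChromeSetup.exe 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/69.0" a61c027efb9c0ea3448ef584302c987af508a07d8347c20e8f373d847034ba7c',
    '2018-10-26T14:02:11Z 10.0.0.5 199.58.87.155 HEAD http://remote.reholessbegise.com/ofr/Solululadul/osutils.cis 200 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '2018-10-26T14:03:00Z 10.0.0.7 203.0.113.30 GET https://www.example.com/index.html 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"',
    '2018-10-26T14:03:01Z 10.0.0.7 203.0.113.31 GET https://notdrivedowns.com/ 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.ts, alert.client, ", ".join(alert.reasons), alert.url)
```

Run as-is it reports the four campaign requests from client 10.0.0.5 and nothing for 10.0.0.7. The suffix check in matches_campaign_domain is what keeps the lookalike out: it requires either an exact match or a preceding dot, so a bare substring test is avoided.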

Still working on this investigation…. Have any tips? Drop me a line in my contact form.
