Adware Empire – IronSource and InstallCore
A recent Adware campaign using malicious Bing ads led me to a Chrome download that eventually deployed Adware to the user’s computer. The IPs and types of Adware connected back to IronSource Ltd., Babylon Software Ltd., and InstallCore – all Israeli companies that have connections to Adware. See here, and here.
(Note: This was reported heavily by the media ZDNet, On MSFT, Inquirer, and Alphr in recent days. My discovery of the malicious ads was independent of any other source. My list of 3,500 IronSource Hostnames is exclusive, as is all of the IP research behind the Adware).
At this time, there appears to be a publisher that’s steering users to a network of sites that deliver a payload of Adware. Please note that I have made only tangential connections between said publisher and the aforementioned companies. Various IP addresses and analysis of the Adware point to IronSource as the controlling entity of the servers that the Adware is communicating with after it’s delivered. That’s not to say that IronSource is necessarily aware that a publisher (pay-per-install) is redirecting visitors to sites that impersonate Google Chrome.
The process began by searching Bing.com for “Download Chrome.” The ad at the top of the returned page below looks like a legitimate Chrome advertisement and has an “Ad” marker clearly visible, but it’s poisoned because it leads to a false Google Chrome domain.
Notice how the ad below says “Chrome is a fast,secure” browser. No, I didn’t make a typo – there is a missing space before the word “secure”!
The fake chrome website googleonline2018.com is presented to the user when they click the ad above.
Clicking ‘Download Chrome‘ leads the user to a URL:
Which leads to another URL with the payload:
^^ File above on VirusTotal (1/70) is only detected by BitDefender. Here’s the JoeSandBox Malware Analysis. Malware type delivered is DealAgent, which is considered as Adware.
We discovered a number of different Adware families being delivered from the hosts this file communicated with including Amonetize, BitVote Miner, Babylon Toolbar, InstallCore, Strictor, DealPly, InstallMiez (MacOS), OpenCandy, Optimizer Pro, SProtector, Crepreote, Advanced Mac Cleaner, Vittalia, OpinionSpy, Spynion, and Adware going by many other names across all of the IPs involved. There was also a prevalence of macOS unwanted programs and Adware communicating to these hosts, similar to a Command & Control infrastructure in malware. (JoeSandBox Malware Analysis)
A video below shows the full sequence of events:
A video below shows the full sequence of events:
We’ve compiled a video of the event and screenshots to walk through the process of encountering the Adware. In our video, the Antivirus Bitdefender blocks the attack, and it was the only one out of 70 other engines that detected it on VirusTotal. See JoeSandBox full analysis.
***Update #1. Check out this list of 3,500 IronSource hostnames still active!
***Update #2. Related IP address in a block owned by IronSource: 188.8.131.52. It contains interesting files that appear to be payloads for the Adware applications. Curiously, a few are named KAVcompatibilityCheck.cis and Symantec_Norton_IronSourcev5.cis. Here’s a zip of the files I downloaded from the URLs in VirusTotal. Can you analyze these?
Below, I will investigate three domains. One belongs to the publisher, and the other two appear to funnel traffic using a referrer ID to a payload domain with round-robin DNS. Several of the IPs it resolves to belong to IronSource, based on WHOIS Records. Others are unidentified, but given the identical file structure and activity, I’d say there’s a great chance they’re all connected. As you scroll down, you’ll find a piece of evidence. I encourage you to continue researching them and connecting the dots. Let me know what you find…
Domain #1: googleonline.com
The landing page googleonline2018.com is a 116-day-old domain, registered by [email protected] at an IP address 184.108.40.206 that reportedly belongs to Vultr Holdings, LLC.
Example of the site googleonline2018.com:
A number of other domains are registered to this user with the word “Chrome” or “Google” in them.
There are two other domains that stand out like the atracksys.com (1st domain name on list above). They don’t seem to fit the profile of the fake Chrome sites. They are inccweb.com and necisoft.com, listed below from 3 to 4 years ago.
Information on registrar:
Blog @ 163.com no logins since 2007 – http://richard86811.blog.163.com/
Pastebin link https://pastebin.com/sai42Sdw has “456223”, “richard86811”, “868118918”, and “[email protected]”. These are held in a DB dump (of some kind) that reveals another email associated with the Gmail used to register these domains. The number 86 is the country code for China, and 86-811-8918 could potentially be a partial phone number.
Names associated with domains: Jiaqiang Li (Jiangmen & Guangdong, China) and Chen Weilong (Guangdong, China).
Domain #2: drivedowns.com
This domain is the initial redirector after you click Download Chrome. It’s a 20-day-old domain currently being protected by Cloudflare. It’s not uncommon to see malicious sites behind Cloudflare. I’ve made dozens of attempts to report abuse to this vendor, only to be rebuffed and told that “Our service is a pass-thru and we do not control the content of our customers.”
The VirusTotal results show not only that this domain is rated as malware by Fortinet, PREBYTES, and Scumware.org, but that others on the same IP appear to be backdoor PHP files and other malicious-looking, randomized-type domains. These details are unrelated to this campaign, but it goes to show you that it can both protect the good guys and obfuscate the real location of the bad guys.
Domain #3: tasetofeni.com
This domain is 101-days-old and has been using rotating Amazon IPs since at least 10/08/2018, based on passive DNS. This is not surprising, as we see plenty of hacked AWS accounts and/or fraudulent ones where attackers are controlling domains with no legitimate front page.
Other files with different packing are showing various levels of detection with AV Agents.
Malware ChromeSetup.exe is detected as InstallCore or a basic dropper/trojan.
Click for JoeSandBox Analysis of these files and domain goes into depth:
Domain #4: reholessbegise.com (dev, img, remote)
The ChromeSetup.exe dropped file communicates with a couple of subdomains on reholessbegise.com, a 35-day-old domain using AWS DNS. There is a connection with this domain and IPs owned by IronSource at LeaseWeb. Also, many of the IPs that resolve have the Babylon Toolbar, a piece of software made by Babylon Software Ltd. in Israel.
img.reholessbegise.com is a domain that many images are pulled from for the ChromeSetup.exe file and there’s no shortage of IPs behind it.
We resolved them with Whatsmydns globally to find a round-robin of addresses:
IPs: [220.127.116.11 (Active) 18.104.22.168 (Old), 22.214.171.124 (Old) ] (IronSource Israel via LeaseWeb)
Note how IronSource’s IP range has plenty of misleading or downright fake file names. These aren’t files that are ‘communicating’ but ones that have been pulled down from these hosts.
Check out this list of 3,500 IronSource Domains most are still active!
Note ‘InstallCore.com’ is hosted off of this IP owned by IronSource. Here’s a discussion between two hackers on a forum below about doing Adware installs for them linking the companies together. InstallCore is an ‘IronSource’ service.
LeaseWeb identifies the customer in WHOIS records:
dev.reholessbegise.com is a domain we can see ChromeSetup.exe talks to this domain often as confirmed in the sandbox analysis
Note that each IP has a Virustotal link to see it’s activity:
IP: [126.96.36.199, 188.8.131.52] – (Amazon AWS)
IP: [184.108.40.206] (CDN77.com/Netherlands)
IP: [220.127.116.11] [18.104.22.168] (NForce Entertainment B.V.)
IP: [22.214.171.124] – (Leaseweb)
IPs: [126.96.36.199, 188.8.131.52, 184.108.40.206] (Midphase)
IP: [220.127.116.11] (CommPeak.com via LeaseWeb)
The ChromeSetup.exe file talks heavily to these hosts and grabs not only images but suspicious files. See the JoeSandBox analysis for all communications.
|Oct 26, 2018
||HEAD /ofr/Solululadul/osutils.cis HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Still working on this investigation…. Have any tips? Drop me a line in my contact form.