Adware Empire – IronSource and InstallCore

A recent Adware campaign using malicious Bing ads led me to a Chrome download that eventually deployed Adware to the user’s computer. The IPs and types of Adware connected back to IronSource Ltd., Babylon Software Ltd., and InstallCore – all Israeli companies that have connections to Adware. See here, and here.

(Note: This was reported heavily by the media, including ZDNet, On MSFT, Inquirer, and Alphr, in recent days. My discovery of the malicious ads was independent of any other source. My list of 3,500 IronSource hostnames is exclusive, as is all of the IP research behind the Adware.)

At this time, there appears to be a publisher that’s steering users to a network of sites that deliver a payload of Adware. Please note that I have made only tangential connections between said publisher and the aforementioned companies. Various IP addresses and analysis of the Adware point to IronSource as the controlling entity of the servers that the Adware is communicating with after it’s delivered. That’s not to say that IronSource is necessarily aware that a publisher (pay-per-install) is redirecting visitors to sites that impersonate Google Chrome.

The process began by searching Bing.com for “Download Chrome.” The ad at the top of the returned page below looks like a legitimate Chrome advertisement and has an “Ad” marker clearly visible, but it’s poisoned because it leads to a false Google Chrome domain.

Notice how the ad below says “Chrome is a fast,secure” browser. No, I didn’t make a typo – there is a missing space before the word “secure”!

The fake Chrome website googleonline2018.com is presented to the user when they click the ad above.

Clicking ‘Download Chrome‘ leads the user to a URL:

files.drivedowns.com/direct/?cod=24620&name=GoogleChrome

which answers with a 302 redirect to another URL carrying the payload:

www.tasetofeni.com/y94jg5t/ChromeSetup.exe
SHA1: a61c027efb9c0ea3448ef584302c987af508a07d8347c20e8f373d847034ba7c

The file above is detected on VirusTotal by only one of 70 engines (BitDefender). Here’s the JoeSandBox malware analysis. The malware type delivered is DealAgent, which is classified as Adware.

We discovered a number of different Adware families being delivered from the hosts this file communicated with including Amonetize, BitVote Miner, Babylon Toolbar, InstallCore, Strictor, DealPly, InstallMiez (MacOS), OpenCandy, Optimizer Pro, SProtector, Crepreote, Advanced Mac Cleaner, Vittalia, OpinionSpy, Spynion, and Adware going by many other names across all of the IPs involved. There was also a prevalence of macOS unwanted programs and Adware communicating to these hosts, similar to a Command & Control infrastructure in malware. (JoeSandBox Malware Analysis)

A video below shows the full sequence of events:

We’ve compiled a video of the event and screenshots to walk through the process of encountering the Adware. In our video, the antivirus Bitdefender blocks the attack; it was the only one of the 70 engines on VirusTotal that detected it. See the JoeSandBox full analysis.

Deeper Investigation

***Update #1. Check out this list of 3,500 IronSource hostnames still active!

***Update #2. A related IP address in a block owned by IronSource: 199.58.87.151. It contains interesting files that appear to be payloads for the Adware applications. Curiously, a few are named KAVcompatibilityCheck.cis and Symantec_Norton_IronSourcev5.cis. Here’s a zip of the files I downloaded from the URLs in VirusTotal. Can you analyze these?

Below, I will investigate three domains. One belongs to the publisher, and the other two appear to funnel traffic using a referrer ID to a payload domain with round-robin DNS. Several of the IPs it resolves to belong to IronSource, based on WHOIS Records. Others are unidentified, but given the identical file structure and activity, I’d say there’s a great chance they’re all connected. As you scroll down, you’ll find a piece of evidence. I encourage you to continue researching them and connecting the dots. Let me know what you find…

Domain #1: googleonline.com

The landing page googleonline2018.com is a 116-day-old domain, registered by [email protected] at an IP address 149.28.73.46 that reportedly belongs to Vultr Holdings, LLC.

Example of the site googleonline2018.com:

A number of other domains are registered to this user with the word “Chrome” or “Google” in them.

Two other domains stand out, like atracksys.com (the first domain name on the list above): they don’t fit the profile of the fake Chrome sites. They are inccweb.com and necisoft.com, registered 3 to 4 years ago and listed below.

Information on the registrant:

A blog at 163.com with no logins since 2007 – http://richard86811.blog.163.com/

Pastebin link https://pastebin.com/sai42Sdw has “456223”, “richard86811”, “868118918”, and “[email protected]”. These are held in a DB dump (of some kind) that reveals another email associated with the Gmail used to register these domains. The number 86 is the country code for China, and 86-811-8918 could potentially be a partial phone number.

Names associated with domains: Jiaqiang Li (Jiangmen & Guangdong, China) and Chen Weilong (Guangdong, China).

Domain #2: drivedowns.com

This domain is the initial redirector after you click Download Chrome. It’s a 20-day-old domain currently being protected by Cloudflare. It’s not uncommon to see malicious sites behind Cloudflare. I’ve made dozens of attempts to report abuse to this vendor, only to be rebuffed and told that “Our service is a pass-thru and we do not control the content of our customers.”

The VirusTotal results show not only that this domain is rated as malware by Fortinet, PREBYTES, and Scumware.org, but also that other domains on the same IP appear to host backdoor PHP files and other malicious-looking, randomly named domains. These details are unrelated to this campaign, but they go to show that a service like Cloudflare can both protect the good guys and obscure the real location of the bad guys.

Domain #3: tasetofeni.com

This domain is 101 days old and has been using rotating Amazon IPs since at least 10/08/2018, based on passive DNS. This is not surprising, as we see plenty of hacked and/or fraudulent AWS accounts where attackers control domains with no legitimate front page.

Other files with different packing show various levels of detection by AV engines.

The malware ChromeSetup.exe is detected as InstallCore or as a basic dropper/trojan.

Click for the JoeSandBox analysis of these files and domains, which goes into depth:

Domain #4: reholessbegise.com (dev, img, remote)

The ChromeSetup.exe dropped file communicates with a couple of subdomains on reholessbegise.com, a 35-day-old domain using AWS DNS. There is a connection between this domain and IPs owned by IronSource at LeaseWeb. Also, many of the IPs it resolves to host the Babylon Toolbar, a piece of software made by Babylon Software Ltd. in Israel.

img.reholessbegise.com is the domain from which the ChromeSetup.exe file pulls many images, and there’s no shortage of IPs behind it.

We resolved them with Whatsmydns globally to find a round-robin of addresses:

IPs: [199.58.87.155 (Active), 199.58.87.110 (Old), 199.58.87.151 (Old)] (IronSource Israel via LeaseWeb)

Note how IronSource’s IP range has plenty of misleading or downright fake file names. These aren’t files that are ‘communicating’ but ones that have been pulled down from these hosts.

Check out this list of 3,500 IronSource domains; most are still active!

Note that ‘InstallCore.com’ is hosted off of this IP owned by IronSource. Below is a forum discussion between two hackers about doing Adware installs for them, which links the companies together. InstallCore is an IronSource service.

LeaseWeb identifies the customer in WHOIS records:

dev.reholessbegise.com is a domain that ChromeSetup.exe talks to often, as confirmed in the sandbox analysis.

Note that each IP has a VirusTotal link to see its activity:

IP: [54.201.95.158, 35.167.192.77] – (Amazon AWS)

IP: [185.59.222.146] – (CDN77.com/Netherlands)

IP: [46.166.187.59, 85.159.237.103] – (NForce Entertainment B.V.)

IP: [95.211.184.67] – (Leaseweb)

IPs: [146.185.27.45, 146.185.27.53, 209.95.37.242] – (Midphase)

IP: [192.96.201.161] – (CommPeak.com via LeaseWeb)

The ChromeSetup.exe file talks heavily to these hosts and grabs not only images but suspicious files. See the JoeSandBox analysis for all communications.

Oct 26, 2018 6129 OUT HEAD /ofr/Solululadul/osutils.cis HTTP/1.1
Accept: */*
Host: remote.reholessbegise.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

(SHA256: 168656b0a807e5fa2c016d637c0c02d83753919ac5a8f493895e9dddce1a916c)
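As an added example, not code from this write-up or from any of the tools it references, the script below turns the indicators collected above (the four domains in the chain, the IPs listed for the reholessbegise.com subdomains, the captured HEAD request, and the two file hashes) into a small detection routine a defender could run over proxy logs and sandbox captures. The proxy log lines are constructed, and the 199.58.87.0/24 network is an assumption used to show block-level matching; the page itself lists only individual addresses in that range.

```python
import ipaddress

# Indicators taken from the write-up above. The /24 network is an assumption
# added here to show block-level matching; only individual 199.58.87.x
# addresses appear on the page.
IOC_DOMAINS = {
    "googleonline2018.com",
    "files.drivedowns.com",
    "www.tasetofeni.com",
    "reholessbegise.com",   # also covers dev./img./remote. subdomains
}
IOC_IPS = {
    "149.28.73.46",
    "199.58.87.155", "199.58.87.110", "199.58.87.151",
    "54.201.95.158", "35.167.192.77", "185.59.222.146",
    "46.166.187.59", "85.159.237.103", "95.211.184.67",
    "146.185.27.45", "146.185.27.53", "209.95.37.242",
    "192.96.201.161",
}
IOC_NETWORKS = [ipaddress.ip_network("199.58.87.0/24")]  # assumed block
IOC_SHA256 = {
    # the write-up labels the first hash "SHA1", but 64 hex digits is a SHA-256 digest
    "a61c027efb9c0ea3448ef584302c987af508a07d8347c20e8f373d847034ba7c",
    "168656b0a807e5fa2c016d637c0c02d83753919ac5a8f493895e9dddce1a916c",
}


def domain_matches(host):
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(ip):
    """True if ip is a listed IoC address or falls inside an IoC network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return ip in IOC_IPS or any(addr in net for net in IOC_NETWORKS)


def hash_matches(sha256_hex):
    """Case-insensitive lookup of a SHA-256 digest against the IoC hashes."""
    return sha256_hex.strip().lower() in IOC_SHA256


def parse_http_request(raw):
    """Split a raw HTTP request (request line + headers) into its parts."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def classify_request(raw):
    """Return the reasons a captured request would be flagged (empty if none)."""
    req = parse_http_request(raw)
    host = req["headers"].get("host", "")
    reasons = []
    if domain_matches(host):
        reasons.append("host is an IoC domain")
    if req["path"].lower().endswith(".cis"):
        reasons.append("fetches a .cis payload file")
    return reasons


def scan_proxy_log(text):
    """Match each 'ts client dest_ip host path' line against the IoC sets."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, dest_ip, host, _path = parts[:5]
        reasons = []
        if domain_matches(host):
            reasons.append("domain")
        if ip_matches(dest_ip):
            reasons.append("ip")
        if reasons:
            hits.append((client, host, dest_ip, reasons))
    return hits


# The HEAD request captured in the sandbox, copied from the write-up without
# the sandbox's own timestamp prefix.
CAPTURED_REQUEST = """\
HEAD /ofr/Solululadul/osutils.cis HTTP/1.1
Accept: */*
Host: remote.reholessbegise.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
"""

# Constructed proxy log lines. Destination addresses not on the page use the
# 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_PROXY_LOG = """\
2018-10-26T10:00:01Z 10.0.0.5 149.28.73.46 googleonline2018.com /
2018-10-26T10:00:03Z 10.0.0.5 192.0.2.10 files.drivedowns.com /direct/?cod=24620&name=GoogleChrome
2018-10-26T10:00:05Z 10.0.0.5 198.51.100.20 www.tasetofeni.com /y94jg5t/ChromeSetup.exe
2018-10-26T10:00:07Z 10.0.0.7 198.51.100.30 intranet.example.com /index.html
2018-10-26T10:00:09Z 10.0.0.5 199.58.87.155 img.reholessbegise.com /ofr/x/logo.png
2018-10-26T10:00:11Z 10.0.0.9 199.58.87.200 cdn.example.net /a.js
"""

if __name__ == "__main__":
    for client, host, ip, why in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host} ({ip}): matched on {', '.join(why)}")
    print("captured request flagged for:", classify_request(CAPTURED_REQUEST))
```

The subdomain match is deliberate: the sandbox shows three different reholessbegise.com hosts, so matching on the registrable domain catches all of them, while the `ip_matches` path still fires on a client that reaches one of the IronSource-range addresses directly without a DNS name in the log.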

Still working on this investigation…. Have any tips? Drop me a line in my contact form.

Talking about Security Pt 1

In a world full of remote systems, interfaces and unlimited risk for internet-connected systems, we are in most cases helpless to defend ourselves. You can only imagine how much experienced computer people want to keep everything within their grasp of control, but that’s not always the best move, or the best solution.

In some cases, that frame of mind means you produce fewer options, and only a partial solution to the problem at hand.

As an example, you shouldn’t avoid “hybrid” cloud solutions, or look at risk as an “all or nothing” type of engagement. Standing one leg up in the cloud can give you a foothold in the risk department. For example, some providers will leverage a hosted service to offset the risk of bringing it in-house. This doesn’t necessarily mean the entire platform, but just that single component itself.

It sounds fragmented, but it’s all about how you unify it for the end-user anyway.

A few useful and dominant players in the hosted Platform-as-a-Service space are Incapsula and CloudFlare. Both of these providers offer a hosted protection platform for websites. It is possible to obscure the true location of a site by redirecting its web name to the provider, putting them directly in front of the oncoming traffic.

The service scrubs the traffic clean and sends it off to you to serve up content. This is an ordinary cost and very much a solution for those sites where you don’t need to explore security in the corporate cloud. Just on the edge, something that complements the existing infrastructure, transfers risk, and stands as an operating cost: no big CapEx or installation woes here.

But, what should you do when IT threatens that precarious sense of control you have?

What if you don’t have complete control over the system?

Sometimes, you just need to talk about security.

Here’s an example… About 6 months ago, I had a discussion with my bank and a local rep (on-site) about capabilities with regard to protecting accounts. This was purely for my own research, as I had a specific concern about commercial accounts. The bank was open to the talk, but didn’t have much to promise me in terms of what could be done.

This has been my primary bank for a number of years, so I figured it was worth a try to approach it the logical way. At least to stay where I was, with minimal discomfort and pain in migrating. All I had to do was send a message, after all. I’d be forced to call if I were to cancel the account!

What was missing?

No picture/object/secrets scheme available at log-on

Lack of email notifications for specific types of events

Inability to restrict ACH/EFT transfers (in any way, to any place)

No multi-factor authentication using phone, text, app available

None of my hundreds of random internet purchases or vacations had tripped a fraud system.

I gave it another 6 months and they rolled out almost all of these features. The bank developed a road-map and advanced mobile/two-factor authentication for all of its users. Woohoo!

As a disclaimer, I have worked in environments with thousands of banks as clients. It helps to know where it hurts, but I used only a basic analytic approach and maybe 30 minutes of my time.

Did I do that? One can never know… but that message alone may have gone right to the decision makers. I spoke a lot about the capabilities of the organization’s closest competitors. These rules of business are universal and eternal, and if you haven’t recently, try talking about security some time.

It might be up to the IT department to have that conversation in the end, but it still helps to egg them on…