Angler EK Malvertising via Hacked Revive Adserver

Malware is spread by various methods, such as phishing emails and malicious URLs. One of the most prominent methods is using exploit kits, such as the infamous Angler Exploit Kit (EK), to deliver malware to users when they visit infected sites. To cast as wide a net as possible, malware writers try to infect popular sites, which are usually well protected.

A method called malvertising may give attackers a way around a site’s protections. The attackers infect the servers which serve advertisements to popular sites, thereby compromising all the site visitors. The Check Point Research Team recently exposed such a campaign involving Revive Adservers. Revive Adservers were previously used to redirect users to Angler EK in order to distribute the Bunitu malware.

This time, Revive Adservers were infected by actors redirecting to Angler EK to distribute TeslaCrypt ransomware, as part of the rising trend of ransomware attacks. The following is an analysis of one especially interesting sample among the many we came across.

Compromised Webhosting Service

We encountered a compromised webhosting company, which serves Angler EK redirections via its ad server on customers’ websites.

The webhosting company also serves Angler directly as shown below:

figure 1

The payload in this flow is TeslaCrypt ransomware.

Flow of compromise:

figure 2

biolede.tk – redirect method known as EITest:

figure 3

i22t5.t44sou90.pw – The landing page content always begins with quotes from Sense and Sensibility by Jane Austen. The client is then analyzed for weaknesses before an exploit attempt is made.

figure 4

Compromised Revive Adserver:

Angler’s operators weren’t satisfied with just compromising the webhosting company’s home page, and proceeded to turn the company’s ad server against its clients.

The affected version of Revive Adserver was old and unpatched, with many CVEs disclosed since its release. Attacking it was an easy first step in the infection chain.

figure 5

Let’s follow the infection chain:

figure 6

Flow of compromise:

figure 7

This infection process follows the same redirect method and landing page pattern as described above for the webhosting site.

This is an example of the code injected into the Ad iframe:

figure 8

This type of injected code is consistent with the “EITest” TDS actor.
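For defenders, the chain described above (ad server response, then the redirect host, then the landing host) can be hunted in web proxy logs by following Referer headers. The sketch below is an added example, not Check Point's code: the log records, ad server hostname, allowlist and URL paths are constructed, and only the hostnames biolede.tk and i22t5.t44sou90.pw come from this post.

```python
from urllib.parse import urlsplit

AD_HOSTS = {"ads.hosting-example.test"}  # hypothetical ad server hostname
EXPECTED = {"hosting-example.test", "cdn-example.test"}  # hypothetical allowlist
# Constructed proxy records: (client, url, referer). Only the hostnames
# biolede.tk and i22t5.t44sou90.pw come from the post; paths are made up.
AD3 = "http://ads.hosting-example.test/delivery?zone=3"
AD4 = "http://ads.hosting-example.test/delivery?zone=4"
SAMPLE_LOG = [
    ("10.0.0.5", "http://news-example.test/", ""),
    ("10.0.0.5", AD3, "http://news-example.test/"),
    ("10.0.0.5", "http://biolede.tk/r", AD3),
    ("10.0.0.5", "http://i22t5.t44sou90.pw/landing", "http://biolede.tk/r"),
    ("10.0.0.9", "http://news-example.test/", ""),
    ("10.0.0.9", AD4, "http://news-example.test/"),
    ("10.0.0.9", "http://cdn-example.test/creative.png", AD4),
]

def base_domain(url):
    """Last two host labels; production code should use the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def referer_chain(url, parents):
    """Follow Referer links back from url; return the URLs oldest-first."""
    chain = [url]
    while parents.get(chain[-1]) and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return chain[::-1]

def suspicious_chains(log, min_hops=2):
    """Flag chains where an ad-server hit leads to min_hops+ unlisted domains."""
    by_client = {}
    for client, url, referer in log:
        by_client.setdefault(client, {})[url] = referer  # last referer wins
    hits = []
    for client, parents in by_client.items():
        for leaf in sorted(set(parents) - set(parents.values())):  # chain ends
            chain = referer_chain(leaf, parents)
            ad_pos = [i for i, u in enumerate(chain) if urlsplit(u).hostname in AD_HOSTS]
            if not ad_pos:
                continue
            after = {base_domain(u) for u in chain[ad_pos[0] + 1:]} - EXPECTED
            if len(after) >= min_hops:
                hits.append((client, chain))
    return hits

if __name__ == "__main__":
    for client, chain in suspicious_chains(SAMPLE_LOG):
        print(client, " -> ".join(urlsplit(u).hostname for u in chain))
```

Two consecutive hops to domains outside the allowlist is the threshold chosen here because it matches the redirect-then-landing pattern in this post; tune `min_hops` and the allowlist to the ad inventory actually served.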

Check Point software blades provide protection against all stages of the infection chain:

  • Anti-Virus and Anti-Bot Blades provide protection against all known variants of TeslaCrypt (Trojan-Ransom.Win32.TeslaCrypt; Operator.TeslaCrypt).
  • IPS Blade provides protection against all known variants of the Angler Exploit Kit (Angler Exploit Kit Redirection; Angler Exploit Kit Landing Page; Angler Exploit Kit Landing Page URL; Angler Exploit Kit Landing Page Patterns).

In addition, SandBlast protects against such threats as part of its novel Threat Emulation technology. As you can see below, a recent sample uploaded to VirusTotal was detected by only 5 out of 55 vendors. This is an extremely low rate, given that this is not new malware. Unlike traditional Anti-Virus protection, SandBlast protects against malware variants that haven’t been encountered previously.

figure 9

Appendix 1 – SHAs and MD5s

Redirect Flash details:
MD5: 7c43891f40c6760fbc2dfcedc2a7a339
SHA-1: 0e5110ea3b037bf010c3e0d7f482f2f83b309712

Angler Flash exploit details:
MD5: d661983acf10f04d5bcdee46aab4864d
SHA-1: 51382df30308b39675eea0fc05227729fcc82995

Payload details:
TeslaCrypt Ransomware
Filename: sxdqffb.exe
MD5: 2a6a5db07516f374180bd449044e900f
SHA-1: 3d79e3a4557e3f8436d1569bdb61e4778b9649e8