2015-10-15 - Trick

A DoubleClick https open redirect used in some malvertising chain



In the post on the UK focused Shifu I illustrated malvertising traffic to Angler.

The traffer group behind this activity is the same exposed by BelchSpeak from Invincea in many tweets (explaining the addition of code to spot Invincea Sandbox)  FoxIT in june,  Malwarebytes in September,  or Trendmicro 2 weeks ago.

As it's easier to have a name to share/talk  about stuff i'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention)

Earlier this year they were using https bit.ly,

2015-07-11 - bit.ly as https url shortener
tiny url

2015-07-11 - tiny url as https url shortener

or goo.gl url shortener



2015-06-12 - goo.gl as https url shorterner


 and switched to their own https redirector behind cloudflare around the middle of September ( naotsandhap.eu

Two pass here : same source (Dailymotion), same country (Australia), same Traffer for same customer
(how/why? same payload : Reactorbot  srvdexpress3 .com)
Different Legit part of the chain
2015-09-29
then 2 weeks ago mediacpm.com and wrontoldretter.eu )

https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from).
Once discovered a way to Sig this is to flag the ssl certificate being used.

Those days they are using a DoubleClick https open redirect.

VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EK
GB - 2015-10-15

Out of topic Payload in that pass : Shifu - 695d6fbd8ab789979a97fb886101c576 beaconing to nyctradersacademy .com

Doubleclick has been informed about the issue.

Post Publication Readings :
The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - Proofpoint
Let’s Encrypt Now Being Abused By Malvertisers - 2016-01-06 - TrendMicro