
Page 1: Malvertizing Like a PRO

Malvertizing Like a PRO
A JUMP INTO THE NEWEST ATTACK VECTOR, TAKING IT TO THE NEXT LEVEL

Page 2: Malvertizing Like a PRO

Introduction

• Pen-Tester with Veris Group
• Previous ARMY
• How to find me:
  • @Killswitch_GUI
  • CyberSyndicates.com

Page 3: Malvertizing Like a PRO

Warning! What I'm not:
• A SME in Malware or Reverse Engineering
• Part of a Cyber Crime ring performing this every day

What this is:
• My take on Ad based malware
• My journey on how I would execute it
• Pure speculation of what's open source

What we will cover:
• Ad Based Malware
• Touch of OSINT
• My Campaign Methods and Failure

ALL DATA collected using Open Source methods

Page 4: Malvertizing Like a PRO

Overview: Forming an attack based on Strategic Malvertising using targeting principles
• What is Malvertising
• Malvertising vs Strategic Malvertising
• What makes this so important (what don't I already know)
• Potential methods it can be used to conduct social engineering
• How to target specific, completely unknown individuals within a demographic group?
• How effective it is and is it worth the resources required?

Page 5: Malvertizing Like a PRO

Current Malware Trends
• Phishing still effective
• Major increase in Ad Delivery - 350%
• Secondary and Trusted C2 being used (Covert C2)
  • Duke / CloudDuke toolsets
  • Twitter / OneDrive / Cloud Storage
• Web Exploit Kits from years ago still working
• C2 is becoming difficult to detect
  • Out of Band Communications
  • Implied Trust (WE WILL COVER THIS)
• Notable Cases: APT 29: HAMMERTOSS; Flash Zero Day Ad Based

Page 6: Malvertizing Like a PRO

Talking money
• Delivering malware to generate AD traffic
  • Text / HTML ADs
  • Video AD$
• Delivering Ransomware
  • Crypto
• Legit Business: cost publishers more than $21.8 billion in 2015 in lost revenue

Page 7: Malvertizing Like a PRO

Impacting Legit Business

Page 8: Malvertizing Like a PRO

What is Malvertizing? It is the use and abuse of Ad services by attackers to deliver malicious content, using ad service providers' vast network of audience. They can leverage this legitimate function to distribute their malware.

Many forms of malware-based ad attacks exist:
• Compromised Ad Companies
• Impersonation of legitimate companies
• Malware being hosted in ADs
• Legitimate targeted campaigns

Page 9: Malvertizing Like a PRO

Core Fundamentals
• Major players: Google, Facebook*, Microsoft
• Main types of delivery methods: Social media marketing, Sponsored search
• Compensation methods:
  • CPM (cost per mille)
  • CPE (cost per engagement)
  • CPC (cost per click)
  • CPV (cost per view)

Page 10: Malvertizing Like a PRO

Core Fundamentals Cont.
• Ease of deployment (availability): the targeting platform is already built
• Benefits of Web Ads:
  • Cost - there is a reason why AD profits are in the billions
  • Measurable - powerful analytics and cross-platform support are built in
  • Targeted?

Page 11: Malvertizing Like a PRO

Big Data Analytics
• Analytical engines at your fingertips
  • Broad - Zip code
  • Specific - Job title
• Extremely accurate: most Ad-Delivery systems display potential reach
• Target research methods
• We give our data away for free..

Page 12: Malvertizing Like a PRO

Malvertizing in the Wild - AD injection:
• Exploitation of routers and redirecting DNS
  • Attacker can simply redirect normal AD traffic queries and place their AD in play
  • This has been used to replace Google Analytics JS code and ADs
• Passive collection of AD data: capabilities of Ad / Tracking
  • This data can be sold or used for other Intelligence Collection campaigns
  • Canadian ISP was caught MITM in 2014 stealing data from HTTP AD traffic

Page 13: Malvertizing Like a PRO

Malvertizing in the Wild - Exploit within AD traffic:
• Using obfuscated Flash exploits, attackers are able to launch exploits from legit ADs
• Exploit AD Companies: campaign is put in motion after gaining access to the AD serving organization
  • Redirects traffic to Exploit Kit
  • Drop Exploit Kit of choice: Angler etc.
  • Begins Click Fraud activity

Page 14: Malvertizing Like a PRO

Malvertizing in the Wild - AD Fraud Exploit Kits: Increasing dramatically!
• Poweliks: later versions sported an Ad-Clicking component
• Kovter: evolved from standalone to fully deployable with other exploit kits like Angler, Nuclear Pack
  • Allows for even Flash-based Video Ads to be played for high ROI

Page 15: Malvertizing Like a PRO

Blue Team / Defenders: So why should I care?
• Online attack surface has greatly reduced
• Phishing is still hot! Circumventing millions in security: email / phishing
• With that comes every vendor in the sector with:
  • Sandbox appliances
  • Content filtering
  • Spam filters
• Delivery method is trusted: Do you block Twitter / Facebook / Google? Reputable sites?
• AD Delivery / C2 channel all on one platform: good luck finding that

Page 16: Malvertizing Like a PRO

Systematic problem
• Why it isn't a script kiddie solution
• Why it has to be funded..
• It takes money to make money
• ROI - it makes more money than put in?
• Implied trust of many Ad agencies and sites using their services

Page 17: Malvertizing Like a PRO

My take on AD Delivery

Page 18: Malvertizing Like a PRO

My Methodology / Target Selection

Demographic Nomination

Target Selection

SE/OSINT Research

Campaign Development

Reputation Development

Deployment

Page 19: Malvertizing Like a PRO

Digging into Targeting

Page 20: Malvertizing Like a PRO

Calculating Reach
• Reach is an important factor of targeting
• Gives you a metric to calculate potential demographic
• Need to judge an organization's size / facility activity / increases or presence?
  • Employees
  • Geographical location
• Important concept for OSINT: Will I even have impact?

Page 21: Malvertizing Like a PRO

Recon / Sampling reach

Page 22: Malvertizing Like a PRO

Selecting a Sample Cont.

Page 23: Malvertizing Like a PRO

OSINT: Open Source Intelligence Collection
• Applications: used in many types of operations
  • Penetration Testing
  • Physical Assessments
  • Targeting
• Levels:
  • Physical - things we can touch and see
  • Logical - things over the wire
  • Individual - persona layer / exploiting the nature of humans

Page 24: Malvertizing Like a PRO

Questions that Need to Be Asked
• What time frame will be effective? Work hours / after hours
• What system will I be targeting to reach my target audience?
  • Mobile platform: we may even be able to target the exact OS
  • Desktop OS
  • Laptop users traveling? May not be patched for a short period of time

Page 25: Malvertizing Like a PRO

Need to deliver based on schedule? No Prob!

Page 26: Malvertizing Like a PRO

Exploit only works on XP or exact OS, on IE? No Prob!

Page 27: Malvertizing Like a PRO

Mobile Exploit? Certain Mobile OS? By Brand?

Page 28: Malvertizing Like a PRO

Exact mobile brand? Exact Model!?

Yea this is scary granularity!

Page 29: Malvertizing Like a PRO

Power of Big Data Targeting
• Small metadata that is data… WIGLE
• WIGLE + compromised host = potential geographical location
• Orientate an attacker: can be done with so many methods…
  • Query registry for past locations
  • Ability to build a timeline (forensic capability)
• Social-Mention
• HONEY BADGER - Tim Tomes

Page 31: Malvertizing Like a PRO

Don’t Suggest that but..

Page 32: Malvertizing Like a PRO

Think Nation State?
• "Hacking Team" - beat a dead horse anyone?
• De-anonymizing location based on WLAN interface
• Un-cloaking physical locations

Page 33: Malvertizing Like a PRO

Offensive Targeting
• Imagine a world where you could deploy your malware only to people:
  • Making 100k+
  • Work for: "fill in agency here"?
• More advanced campaigns being deployed? Crime / Collection
• Could support the IC effort of many countries
• Getting into deep water..

Page 34: Malvertizing Like a PRO

Traditional Targeting: Phishing Campaigns - Social Engineering for *clicks*

Page 35: Malvertizing Like a PRO

Phishing
• Very common / known methodology
• Very successful on engagements
• This same principle is how I created ADs
• Changing surface / constraints of phishing:
  • Lack ability to pinpoint demographics
  • The days of dumping every user in the directory using ( * ) may be gone
  • Training increased / trust has decreased in email
  • TONS OF APPLIANCES protecting email! SPF records / correctly configured mail servers verifying multiple fields of mail

Page 36: Malvertizing Like a PRO

Combined with a touch of SE
• Same principles as Phishing
• Move over
• Trending results using Facebook
  • Selecting SE topic
  • Using topic

Page 37: Malvertizing Like a PRO

That SEO thing
• Another great SE technique to get a campaign off the ground
• Another important aspect to SE or any targeting: you wouldn't launch a phishing campaign saying your marketing is coming from it-support.net
• Using SEO tools to build (BUY):
  • Instant reputation
  • Instant legitimacy
• I attempted this but sadly during testing FB cracked down!

Page 38: Malvertizing Like a PRO

What this means
• I can now target at a:
  • Physical layer
  • Logical layer
• I can correlate targets using demographics:
  • Location
  • Jobs / workplace / salary etc.

Page 39: Malvertizing Like a PRO

One Week Campaign

Page 40: Malvertizing Like a PRO

Setup
• Domain name (something reliable)
• VPS (hosting) / Apache vhosts / static content
• Analytics (Google Analytics)
• Ad campaign (Facebook): $20 a campaign
• A good idea to SE

Page 41: Malvertizing Like a PRO

SE AD Targets
• Augusta, GA - Broad Target AD: anyone in 25 mi range
• Augusta, GA - Targeted Demographic AD: anyone in 25 mi range, employer, specific time range
• AD types: Website clicks, Post promotion

Page 42: Malvertizing Like a PRO

Setup Analytics

Page 43: Malvertizing Like a PRO

Building a Relevant Page
• Targets: Augusta, GA
• Target demographic: Cyber / location based

Page 44: Malvertizing Like a PRO

Building AD #1 - Broad Target
• Select control: How do I get them to take notice?
• Tag-line: needed to be something impactful
• Deceiving: had to be believable but won't deliver 100% truth
• Enticing image: most important aspect, everyone loves images

Page 45: Malvertizing Like a PRO

Build out Clone Site
• Used HTTrack for cloning of legit data.. FB has to catch this!

Page 46: Malvertizing Like a PRO

Build out Config
• Left these for testing their "Review"
• Put in some meta tags for picture population
• Removed all the original Google tracking JS so we don't pop up under their account.

Page 47: Malvertizing Like a PRO

Ad #1
• Videos are very successful marketing tools
• Can be easy wins

Page 48: Malvertizing Like a PRO

AD #1 - Not so fast

They actually enforce some policies, I found out :/

Page 49: Malvertizing Like a PRO

AD #1 Cont.

Page 50: Malvertizing Like a PRO

AD #1 Setup

Page 51: Malvertizing Like a PRO

AD #1 Optimization

Page 52: Malvertizing Like a PRO

AD #1 Optimization cont.

Page 53: Malvertizing Like a PRO

AD #2 Setup

http://chronicle.augusta.com/news/business/2014-02-27/cyber-general-touts-benefits-fort-gordon-growth

Page 54: Malvertizing Like a PRO

AD #2 - Targeted Demographics
• Selected topic / control: certain location "Fort Gordon"
• Target: How do I get them to take notice?
• Tag-line: Home values "I may have some inside knowledge"
  • Hint: it's about what a ton of people talk about in this area.
• Deceiving: Large increase coming!
• Target details matter for accuracy:
  • Lifestyle
  • Devices / platform
  • Work hours

Page 55: Malvertizing Like a PRO

Page 56: Malvertizing Like a PRO

Website? Let's test that review process:
• Submit a simple WordPress page with an embedded video, then remove it for the duration of the test
• Host a simple index.html with JS for GA
• Questions that should be asked and how they relate to malware:
  • Will they detect this major change?
  • Can someone even report a shady link?
  • How long will it stay up?

Page 57: Malvertizing Like a PRO

AD #2 Demographics

Page 58: Malvertizing Like a PRO

AD #2 Configurations / AD Placement

Page 59: Malvertizing Like a PRO

AD #1 Analytics

Page 60: Malvertizing Like a PRO

Drilling Down on Geo
• GA makes geographic analytics streamlined and accurate down to the city
• 25 mi range on Augusta, GA seems pretty accurate!

Page 61: Malvertizing Like a PRO

Service Providers
• Makes tracking specific targets quite helpful
• Tracking user agents in GA is simple

Page 62: Malvertizing Like a PRO

AD #2 Analytics - Web Clicks

Page 63: Malvertizing Like a PRO

Geographic Stats

Page 64: Malvertizing Like a PRO

(not set)

Page 65: Malvertizing Like a PRO

Am I really Hitting my Target?
• Geographically it's easy to say "YES": accurate GeoIP API services by Google
• What about demographic: harder to determine true accuracy
  • Service providers can be a major identifier if they use a certain ISP or have their own!
  • Page interaction can be a HUGE identifier: Likes, Comments

Page 66: Malvertizing Like a PRO

Am I really Hitting my Target? (not set)
• Found 95 sessions of 273 to be (not set) as the ISP…
• Could this be proper filtering / anonymization? Take the time and verify your results
• Also always resolve the domain name!
• This data was reassuring that I was on the right track

Page 67: Malvertizing Like a PRO

Am I really Hitting my Target cont.
• Facebook likes / comments: helps perform post analysis of the target audience
• All 8x likes were affiliated with my target audience.

Page 68: Malvertizing Like a PRO

Putting it in Context
• One guy with limited funds and some time
• Conducted 2 Ad campaigns
• Each campaign took 6 hours from OSINT to delivery
• Each campaign ran one week at $20 each
• Campaign 1 had 143 engagements, 2k reach
• Campaign 2 had 219 engagements, 3k reach

Calculation: well-funded group with a 10k budget for a campaign and 160 hours. On avg .09 cents per unique engagement.

Potential = 26 unique ADs, 111,111 engagements, and 1.5M reach!

I would consider this an extremely effective means of a targeted campaign.

Page 69: Malvertizing Like a PRO

Major Findings
• Review process is a joke:
  • Couldn't detect a clearly cloned website by static HTML source
  • The cloned website still had the complete favicon / logos / static source of the cloned website
  • Do they even scan for malware?
• Continued monitoring:
  • Set up a page and immediately removed it and replaced it with a simple index.html page with JS
  • Ran for one week and didn't raise one flag?
  • I can simply submit an ad and host malware 10 mins later?
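As an added example (not part of the talk), one static check an ad review process could run on a submitted landing page: measure how many of its referenced assets, favicon included, are served from a host other than the page's own, since a cloned site typically keeps pulling the original site's favicon, logos and scripts. The hostnames in the sample HTML are constructed placeholders.

```python
import re
from urllib.parse import urljoin, urlparse

# href/src values on link, img and script tags (attribute order does not matter).
ASSET_RE = re.compile(
    r'<(?:link|img|script)\b[^>]*?(?<![\w-])(?:href|src)\s*=\s*["\']([^"\']+)["\']', re.I)
LINK_TAG_RE = re.compile(r'<link\b[^>]*>', re.I)

def host_of(url, base):
    """Lower-cased hostname of url, resolving relative references against base."""
    return (urlparse(urljoin(base, url)).hostname or "").lower()

def favicon_href(html):
    """href of the first <link> whose rel mentions 'icon', or None."""
    for tag in LINK_TAG_RE.findall(html):
        rel = re.search(r'\brel\s*=\s*["\']([^"\']*)["\']', tag, re.I)
        if rel and "icon" in rel.group(1).lower():
            href = re.search(r'\bhref\s*=\s*["\']([^"\']+)["\']', tag, re.I)
            if href:
                return href.group(1)
    return None

def clone_indicators(html, page_url, threshold=0.5):
    """Score how much of a landing page's static content is served from another host."""
    own = (urlparse(page_url).hostname or "").lower()
    hosts = [host_of(u, page_url) for u in ASSET_RE.findall(html)]
    foreign = [h for h in hosts if h and h != own]
    ratio = len(foreign) / len(hosts) if hosts else 0.0
    fav = favicon_href(html)
    favicon_foreign = bool(fav) and host_of(fav, page_url) != own
    return {
        "own_host": own,
        "asset_count": len(hosts),
        "foreign_asset_ratio": round(ratio, 2),
        "foreign_hosts": sorted(set(foreign)),
        "favicon_foreign": favicon_foreign,
        "suspected_clone": favicon_foreign or ratio >= threshold,
    }

# Constructed sample: a lookalike page that still pulls favicon, CSS, logo and JS
# from the original site, as the talk describes; one image is hosted locally.
CLONED_HTML = """<html><head>
<link rel="shortcut icon" href="https://legit-news.example/favicon.ico">
<link rel="stylesheet" href="https://legit-news.example/css/site.css">
</head><body>
<img src="https://legit-news.example/img/logo.png"><img src="/promo.jpg">
<script src="https://legit-news.example/js/app.js"></script>
</body></html>"""
# Constructed sample: a page whose assets are all its own.
LOCAL_HTML = '<link rel="icon" href="/favicon.ico"><img src="/logo.png">'

if __name__ == "__main__":
    print(clone_indicators(CLONED_HTML, "https://lookalike.example/index.html"))
```

Legitimate sites load assets from CDNs too, so in practice an allow-list of known CDN hosts is needed to keep the ratio from flagging them.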

Page 70: Malvertizing Like a PRO

Are Ad Agencies protecting us?
• Google: moving to encrypted ads June 30th. Only protects against ad injection at the network layer (compromised routers)
• Facebook: RiskIQ - monitoring advertising pages to protect users from malicious ads
• Interesting collegiate research on detecting cloned pages

Page 71: Malvertizing Like a PRO

Getting the Most out of a Campaign: Tips
• Proper recon is crucial
• Proper SE campaign must be relevant to your target
• Holistic view of an ad: How do I view ads as a user? What do I click on and what do I not? Videos / Posts / News
• CPC compensation

Page 72: Malvertizing Like a PRO

Page 73: Malvertizing Like a PRO

Twitter, How I Hate You
• Rule one: Don't buy bots and get caught in the Sec industry
• @jaredcatkinson

Page 74: Malvertizing Like a PRO

Lessons Learned
• Twitter is a news source, not so much a social source, although they have just as powerful analytic engines when it comes to AD delivery
• Scary easy to run a simple yet targeted campaign with relatively accurate results

• Big shout out to:
  • @Slacker007 - keelyn roberts
  • @Hashtagcyber - Matt Domko