2015-01-28 - AD TRAFFIC FROM LAX1.IB.ADNXS.COM KICKS OFF CHAIN OF EVENTS TO ANGLER EK
PCAP AND MALWARE:
- ZIP file of associated artifacts: 2015-01-28-artifacts-from-malicious-ads-leading-to-Angler-EK.zip
SUMMARY
Since 2015-01-27, I've seen two examples of ad traffic from lax1.ib.adnxs.com that generated a chain of events for the Angler exploit kit (EK). In the chain of events, both examples show an HTTP POST to 216.246.41.184 returning HTML that points to the Angler EK landing page.
NOTE: I haven't been able to recreate the chain of events, and I don't have a pcap to share.
TRAFFIC DETAILS
DATE/TIME: 2015-01-27 23:11 UTC
ASSOCIATED DOMAINS:
- lax1.ib.adnxs.com - Legitimate domain points to ad with malicious script
- 162.244.34.7 - djs-media.com - ad with malicious script
- 216.246.41.184 - forget.whichfuneralflowers.co.uk - HTTP POST returns HTML directing to Angler EK
- 207.182.149.14 - priprijetili1emasculacion.homestretchtv.com - Angler EK
TRAFFIC:
- lax1.ib.adnxs.com - GET /if?e=wqt_3QK[long string of characters]&referrer=http%3A%2F%2Fwww.homemediamagazine.com%2F
- djs-media.com - GET /media/js/libs/files/javascript.js
- forget.whichfuneralflowers.co.uk - POST /stansninged.html
- priprijetili1emasculacion.homestretchtv.com - GET /x1n0nzwewy.php
DATE/TIME: 2015-01-28 16:22 UTC
ASSOCIATED DOMAINS:
- lax1.ib.adnxs.com - Legitimate domain points to ad with malicious script
- 162.244.34.117 - online-marketing-maven.com - ad with malicious javascript
- 216.246.41.184 - forest.whichfuneraldirectors.co.uk - HTTP POST returns HTML directing to Angler EK
- 85.25.107.126 - resilierontdebert.realstoria.com - Angler EK
TRAFFIC:
- lax1.ib.adnxs.com - GET /if?e=wqt_3QK[long string of characters]&referrer=http%3A%2F%2Fwww.videoeta.com%2F
- online-marketing-maven.com - GET /rotator/libs/plugins.js
- forest.whichfuneraldirectors.co.uk - POST /datalarkin.html
- resilierontdebert.realstoria.com - GET /l86dvw7qfp.php
- resilierontdebert.realstoria.com - GET /v_vVgrmBSX71eZvqsP_5YDrQYSFuj9K6-uIDN4Crc89676IuYUx6FJNP3jeJVluR
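The two traffic listings above share the same shape: an ad request, a script from the ad domain, an HTTP POST to a .html resource on a gate domain, then a GET for a short random-looking .php path on a different host (the Angler EK landing page). The following Python script is an added example, not part of the original post or its zip file; it reconstructs that chain from a constructed proxy log whose format (timestamp, client, method, host, path) is hypothetical, and flags a client when a POST to a .html page is followed within a short window by a GET for a random .php path on another host. The sample log lines are built from the hosts and paths listed above, with the elided ad query string replaced by a labelled placeholder.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    client: str
    method: str
    host: str
    path: str


# Constructed sample log modelled on the 2015-01-28 chain in the post, plus one
# benign client (10.0.0.9) that also POSTs to a .html page but never fetches a
# landing page. Format (hypothetical): "<ISO-8601 UTC> <client> <method> <host> <path>".
# The long ad query string is elided in the post, so it is a placeholder here.
SAMPLE_LOG = """\
2015-01-28T16:22:01Z 10.0.0.5 GET lax1.ib.adnxs.com /if?e=wqt_3QK_ELIDED&referrer=http%3A%2F%2Fwww.videoeta.com%2F
2015-01-28T16:22:02Z 10.0.0.5 GET online-marketing-maven.com /rotator/libs/plugins.js
2015-01-28T16:22:03Z 10.0.0.5 POST forest.whichfuneraldirectors.co.uk /datalarkin.html
2015-01-28T16:22:04Z 10.0.0.5 GET resilierontdebert.realstoria.com /l86dvw7qfp.php
2015-01-28T16:22:06Z 10.0.0.5 GET resilierontdebert.realstoria.com /v_vVgrmBSX71eZvqsP_5YDrQYSFuj9K6-uIDN4Crc89676IuYUx6FJNP3jeJVluR
2015-01-28T16:25:00Z 10.0.0.9 GET www.example.com /index.html
2015-01-28T16:25:01Z 10.0.0.9 POST www.example.com /login.html
"""

# Both landing pages in the post are a short lowercase alphanumeric name plus .php
# (/x1n0nzwewy.php, /l86dvw7qfp.php); this pattern captures that shape.
LANDING_PATH = re.compile(r"^/[a-z0-9]{8,12}\.php$")
WINDOW = timedelta(seconds=60)


def parse_log(text: str) -> List[Event]:
    """Parse the hypothetical five-field log format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path = line.split(maxsplit=4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            client, method, host, path))
    return events


def find_angler_chains(text: str, window: timedelta = WINDOW) -> List[Dict]:
    """Return one record per client whose traffic matches the gate -> landing pattern.

    A match is a POST to a .html resource followed, within `window`, by a GET on a
    different host whose path looks like an Angler landing page. The returned
    'hops' list holds every request from the client in the window leading up to
    the landing page, so the analyst sees the ad and script requests that
    preceded the gate.
    """
    by_client: Dict[str, List[Event]] = {}
    for ev in parse_log(text):
        by_client.setdefault(ev.client, []).append(ev)

    chains = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        for i, post in enumerate(evs):
            if post.method != "POST" or not post.path.endswith(".html"):
                continue
            for landing in evs[i + 1:]:
                if landing.ts - post.ts > window:
                    break
                if (landing.method == "GET" and landing.host != post.host
                        and LANDING_PATH.match(landing.path)):
                    hops = [e for e in evs if post.ts - window <= e.ts <= landing.ts]
                    chains.append({
                        "client": client,
                        "gate_host": post.host,
                        "landing_host": landing.host,
                        "hops": [(e.host, e.path) for e in hops],
                    })
                    break
    return chains


if __name__ == "__main__":
    for chain in find_angler_chains(SAMPLE_LOG):
        print(f"{chain['client']}: gate {chain['gate_host']} -> landing {chain['landing_host']}")
        for host, path in chain["hops"]:
            print(f"    {host} {path}")
```

The benign client is not reported because its POST is never followed by a landing-page-style GET on another host; on real proxy data the path pattern is loose enough to need the sequence check, which is why the script keys on the POST-then-GET ordering rather than on either request alone.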
SCREENSHOTS FROM 2015-01-27
Malicious script from djs-media.com. Note the variable marked near the bottom of the image:
The full script above is available in this blog entry's zip file.
HTTP POST to domain on 216.246.41.184 returns HTML directing the host to an Angler EK landing page:
Angler EK landing page:
SCREENSHOTS FROM 2015-01-28
Malicious script from online-marketing-maven.com. Note the variable marked near the bottom of the image:
The full script above is available in this blog entry's zip file.
HTTP POST to domain on 216.246.41.184 returns HTML directing the host to an Angler EK landing page:
Angler EK landing page:
Angler EK sends Flash exploit:
No further traffic... The host was running the most current version of Flash, and the exploit was not successful.
FINAL NOTES
Once again, here's the ZIP file of the artifacts from this traffic:
- ZIP file of associated artifacts: 2015-01-28-artifacts-from-malicious-ads-leading-to-Angler-EK.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.