Players threatening to use malsmoke, one of the biggest advertising campaigns we have seen in recent months, have changed the tactics of using malware.
Exploitation kits are still used as a platform for the distribution of malware. In 2020 we saw several advertising campaigns that led to the creation of RIG, Foulout, Spilevo, Purple Fox and others.
And in September we published a blog post describing a wave of malicious advertising on adult websites. One of these campaigns, which we have called malsmoke, has been active since the beginning of the year. The special thing is that she followed the best adult portals and did not stop working for a few months.
Since mid-October, the threat actors behind the malsmoke seem to have abandoned the supply chain of exploitation kits in favour of a social engineering scheme. The new campaign misleads adult website visitors with a fake Java update.
This change is important because it significantly increases the audience and is no longer limited to Internet Explorer users with outdated software.
Best advertising boy for a few months
The name of the malsmoke campaign comes from the most common cargo that has fallen through a series of fallouts, the Smoke Loader.
Although we see a number of malicious networks, most come from networks with low quality traffic and surreptitious advertising. Malsmok goes to adult portals with a lot of traffic hoping to get as many infections as possible. For example, Malsmok will be present for a few months at xhamster [.] com, a website with 974 million monthly visits.
#Malmö’s malicious advertising campaign continues on xhamster and other leading websites #
In addition, #FalloutEK seems to have added a new VM check which sends the 404 back to the payload session. If your sandbox looks good, the last session 200 should come back and be binary. pic.twitter.com/qPaF6z9PKt
– MB Threat Intel (@MBThreatIntel) 21. September 2020.
Figure 1 : Twitter about the continuation of malicious attacks on a popular adult website.
Despite this successful launch, Malsmok disappeared from our radar and we recorded the last activity on the 18th. October. A few days earlier (16 October) our telemetry had recorded a new advertising campaign using a bait page with images of adults posing as film.
- Adult website : bravoporn[.]com/v/pop.php
- Advertising network: tsyndicate[.] com
- BeMob ad: d8z1u.bemobtrcks[.]com/
- Adult website: pornguru.com/online/B87F22462FDB2928564CED
A few weeks later, this campaign added a new domain as part of the redirect chain, but we see that they are linked (with the same identifier in the URL).
- Adult website: xhamster[.] com
- Advertising network: tsyndicate[.] com
- Re-alignment: Landing sample […] online
- Ace for adult websites: pornographic life […] online/B87F22462FDB2928564CED
This portal serves as bait to tempt people to watch adult videos that do not really exist. Instead, users are invited to download a fake Java update that is malicious.
Figure 2 : Adult bait models that lure users with fake videos
Further investigation of the model used and the network indicators showed that the latter malicious campaign in fact belongs to the same malicious actors that previously used exploit kits.
Figure 3 : Comparison of traffic patterns and sequences between a series of exploits and shares.
We noticed the same template for adult movie pages, with a small correction (a typo in the page title, which could be due to the layout of the Russian keyboard).
In addition, the newest domain name pornislife[…] was registered online with the same email address [email protected][…] com, which is linked to a number of other web properties previously associated with malsmoke portals.
Figure 4 : The same e-mail address of the registrant as the e-mail address of the malware actors.
The Malsmoke operators have been running successful campaigns for the exploitation kits for several months now, but in October they decided to switch to a new social engineering programme. However, the advertising channels remained similar as they continued to misuse popular adult portals and the Traffic Stars’ advertising network.
New Social Engineering Tip
The new system works with all browsers, including those with the largest market share, Google Chrome. That’s how it works: When you click on a clip for adults to view it, a new browser window appears with something similar to a grainy video (the black stripes are ours) :
Figure 5 : Adult video clip used as bait
The movies are played for a few seconds with sound in the background until a message appears that the Java 8.0 plug-in has not been found.
The video file is a 28-second MPEG-4 clip that is specially displayed with a pixel image. It is designed to make users believe they have to download the missing program, although this is not useful.
Figure 6 : The video clip was made by the actor of the threat…
Threatening topics could have developed this fake plugin update in any form. The choice for Java, however, is a bit strange, because it usually has nothing to do with streaming video. Those who click on the so-called update and download it may not be aware of it, and that’s all that matters.
Figure 7 : Fake Java update dialogue
This fake dialogue is similar to the missing HoeflerText font used in the EITest bypass systems. EITest was also known for using exploit kits to spread malware and eventually adopted this social engineering trick to reach more users, especially those using the Chrome browser.
Load capacity analysis
Threateners have essentially developed their own usefulness for loading loads remotely, with the advantage that they are not easily detected. If you remember, Malsmoke used to rely on the Smoke Loader to distribute its load, but now it has its own start-up charger thanks to a new evasive MSI installer.
Figure 8 : System Charging current to ZLoader
The forged Java Update (JavaPlug-in.msi) is a digitally signed Microsoft installation program that contains a number of libraries and executable files, most of which are legitimate.
Figure 9 : Contents of the MSI installation program
During installation, lic_service.exe downloads HelperDll.dll, the main module responsible for installing the final load.
Figure 10 : Code calling HelperRun DLL
HelperDll.dll uses the curl library available in the MSI archive to download encrypted useful information from movies […].
Figure 11 : Ask the backend server to provide the actual load capacity
This is ZLoader malware which is then written to disk and executed as such:
ZLoader is integrated in the new msiexec.exe process to communicate with its command server via the DGA (Domain Generation Algorith). Once it has defined the response range, it starts loading several modules and finally the ZLoader itself is updated.
Figure 12 : Post-infection movement showing the door of the ZLoader.
On the left side of Figure 12 you can see the traffic generated by the ZLoader implants placed in msiexec.exe. On the right we see the implants left behind because of the same process. For more information about the ZLoader and its implants, see our article Silent Night Zloader/Zbot.
Development of the web threat system
Malsmoke was one of the largest distributors of malicious advertisements and exploits kits that ended up on well-known websites.
While we thought the actor who posed the threat was quiet, they just changed tactics to expand their activities. Instead of focusing on just a small percentage of visitors to adult websites where Internet Explorer was still working, they have now extended their reach to all browsers.
Because there are no vulnerabilities and because it exploits expensive software, social engineering is an excellent option because it is cost-effective and reliable. As far as threats to the Internet are concerned, such systems will continue to exist for the foreseeable future.
Malwarebytes Browser Guard has already protected users from this malicious campaign. We also detect the MSI installer and ZLoader payloads through our malicious Windows tanks.
Figure 13 : Director of the anti-malware service that blocks browsers
Landing sample […] online
Adult bait portal :
pornographic life […] online
MSI installation program :
Film Hunter website
ZLoader C2 :