VPNの脆弱性に関する不安が広がっています。ZPAの60日間無料トライアルを利用して、VPNからの移行のメリットをお確かめください。

Zscalerのブログ

Zscalerの最新ブログ情報を受信

購読する
セキュリティリサーチ

Malvertising Campaign Leading To Zemot

image
CHRIS MANNON
9月 19, 2014 - 2 分で読了
 


Malvertising has become a serious problem for advertisers and their clients alike. Times of Israel has been affected already by such an attack. During our analysis, we discovered multiple other legitimate websites affected by the same malvertising campaign. We have informed the website owners to take action. Below is a brief timeline of attack.

 

 

A legitimate site leveraging zedo advertisements is the first victim in this attack.  The malicious redirect chain goes to zedo[.]com which will redirect the user to static[.]thebutton[.]com/d2.php?ds=true&dr=.  

 

 

 
Image
The Malicious Redirect chain timeline.
 

 

Image
The obfuscated url that is being hidden is static[.]the-button[.]com

 

 

Image
The next link in the redirection chain goes to a Swedish site.


The redirect chain then leads the victim to inter[.]wiab-service[.]se/geobalancer/geo2.php?acc=[xyz]
&nrk=.  This is the final redirect that takes the user to [xyz][.]uni[.]me/ site where the Exploit Kit (EK) and eventually payload are sent to the victim.

 

 

 

Image
The Obfuscation here is the final link to the Nuclear Exploit Kit.

 

 

 

Image
Part 1: Nuclear Exploit Kit

 

Image
Part 2: Nuclear Exploit Kit

The whole purpose of this broad attack is to download the final payload which happens to be a variant of Zemot. It gets downloaded via a Kuluoz variant which has been tied to Zemot click fraud activity in the recent days.
 

Image
Kuluoz/Zemot infection phone home activity.

If you are unfortunate to have visited one of the many sites which have been compromised by this threat, one strong indicator of infection will be the existence of a batch file which matches the below format:

C:\Users\WIN7\AppData\Local\Temp\tmp37cd8110.bat

This malvertising campaign has been highly effective thus far and no site, despite its good intentions, appears to be given any quarter.

Zscaler is actively monitoring this threat and notifying any sites of compromise.

form submtited
お読みいただきありがとうございました

このブログは役に立ちましたか?

dots pattern

Zscalerの最新ブログ情報を受信

このフォームを送信することで、Zscalerのプライバシー ポリシーに同意したものとみなされます。