The Trend Micro Advanced Threats Research has discovered a number of malicious URLs under the domain of global Internet advertising company, DoubleClick:
- hxtp://ad.doubleclick.net/click;h=ADWAJJzSVGmEDCBbJkMiTUfmdIhuADWAJJzS;~ss cs=%3fhttp://www.{BLOCKED}ola.lv/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aHPDZwqljHnlNScXoBJgzRzaFppDaHPDZwql;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=ahRQJQoWHYpFFYzgAFizZJdQnlgvahRQJQoW;~ss cs=%3fhttp://www.{BLOCKED}otel.eu/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aKXFNafnFbXukmAZjmqAhawpjVYYaKXFNafn;~ss cs=%3fhttp://www.{BLOCKED}ola.lv/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aMwjNqwdSMZFJUDKSnOUSUwsRiQLaMwjNqwd;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=AMZEPQvqcklBUaAiRxzguoHmlydDAMZEPQvq;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
All links interestingly lead to the file msvideoc.exe, which causes the affected system to connect to a remote site. Upon connection, it downloads a file detected by Trend Micro as TROJ_DLOAD.DI. This file then downloads a file detected as TROJ_MUTANT.GC. Note that the listed DoubleClick links however are already blocked.
TROJ_MUTANT variants typically perform routines that assist or are necessary to a main malware’s algorithm. Although merely a component, they do largely enable the successful execution of malware payloads.
In the past, cyber criminals have previously abused open redirect services (see entries Just Got Unlucky and Just Got Unlucky (AOL Version) to feign legitimacy. For one, it does become harder for antispam efforts to identify these links as malicious since the redirector is under a legitimate domain. Second, the link looks legitimate because of the familiar-looking domain at the beginning of the URL. However, a closer look at the final landing FQDNs show us that these fronts are indeed false.
Only Trend Micro Smart Protection Network (SPN) is in a position formidable enough to prevent the various points of entry malware writers may use in relation to this entire attack.
Related Posts:
