This evening, Barracuda Labs' URL analysis system detected drive-by downloads originating from five Alexa top-ranked websites: hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.]il, codingforums[.]com, and mawdoo3[.]com. Threatglass entries for these sites are available here, here, here, here, and here.
In every case, malicious content arrived via the site's use of the Zedo ad network. Specifically, the following subchain is common to every site's sequence of events.
<site index>
-> hxxp://[c2|c5][.]zedo[.]com/jsc/[c2|c5]/fo.js
–> hxxp://ss1[.]zedo[.]com/jsc/fst.js
—> hxxp://static[.]rcs7[.]org/seo1.php?ds=true&dr=<…>
—-> hxxp://xenon[.]asapparts[.]com/akamai/adsone.php?acc=<…>
In the above subchain, ss1[.]zedo[.]com served obfuscated JavaScript that began a series of redirects to malicious content. The last site, xenon[.]asapparts[.]com, redirected to one of several different exploit kit-backed sites.
Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim's system. The particular instance delivered via tonight's campaign has a valid digital signature and appears to have been signed just hours before its distribution.
Per the screenshot below, initial VirusTotal results indicated 0/55 detections.
Those results have since improved, with additional tools now identifying the program as malicious. With any luck, the certificate used to sign the executable will be revoked soon.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn and follow her on Twitter here.