This evening, Barracuda Labs’ URL analysis system detected drive-by downloads originating from five Alexa top-ranked websites: hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.]il, codingforums[.]com, and mawdoo3[.]com. Threatglass entries for these sites are available here, here, here, here, and here.
In every case, malicious content arrived via the site’s use of the Zedo ad network. Specifically, the following subchain is common to every site’s sequence of events.
<site index>
-> hxxp://[c2|c5][.]zedo[.]com/jsc/[c2|c5]/fo.js
–> hxxp://ss1[.]zedo[.]com/jsc/fst.js
—> hxxp://static[.]rcs7[.]org/seo1.php?ds=true&dr=<…>
—-> hxxp://xenon[.]asapparts[.]com/akamai/adsone.php?acc=<…>
In the above subchain, ss1[.]zedo[.]com served obfuscated JavaScript that began a series of redirects to malicious content. The last site, xenon[.]asapparts[.]com, redirected to one of several different exploit kit-backed sites.
Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim’s system. The particular instance delivered via tonight’s campaign has a valid digital signature and appears to have been signed just hours before its distribution.
Per the screenshot below, initial VirusTotal results indicated 0/55 detections.
Those results have since improved, with additional tools now identifying the program as malicious. With any luck, the certificate used to sign the executable will be revoked soon.