At around 5AM PST today, our automatic website scanning system began to detect malicious content being served from a top 10 global website. This lasted until around 8:30AM PST when, presumably, the website's operators disabled the malicious content.
Upon analysis, it appears that malware is being served through the website's advertisement network. What's technically interesting about this case is that the malware (an 'exploit kit') is being pushed through AJAX. This is something that was previously seen only in small-scale exploit kit campaigns.
Figure 1. An AJAX response containing the landing page.
An interesting side effect of sending the exploit kit through AJAX is that it leaves no trace on the victim's computer. Usually the web browser would write the landing page to disk as a temporary file. However, in this case, since an AJAX JSON response is not a web page, the web browser will not leave behind any file.
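Because the landing page never touches disk, the practical place to catch this pattern is in the network stream. The following is an added example (not Fortinet's code) of a triage rule that walks every string value of a JSON response and flags embedded HTML or script markup; the sample response and its field names are constructed for illustration.

```python
import json
import re
from typing import Iterator

# Constructed sample: an ad-network style JSON response in which one
# "creative" string smuggles a full landing page with VBScript (hypothetical).
SAMPLE_RESPONSE = json.dumps({
    "status": "ok",
    "ads": [
        {"id": "a1", "creative": "<img src='https://ads.example/banner.png'>"},
        {"id": "a2", "creative": "<html><body><script language='VBScript'>"
                                 "Dim a()\nReDim a(1)</script></body></html>"},
    ],
})

# Markers of markup or active script hidden inside a JSON string value.
# Legitimate ad creatives can match too, so treat hits as items for review.
MARKUP_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*html\b|<\s*body\b", re.I),
    re.compile(r"<\s*object\b|<\s*embed\b|<\s*iframe\b", re.I),
    re.compile(r"language\s*=\s*['\"]?vbscript", re.I),
]

def iter_strings(node, path="$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")

def find_embedded_markup(body: str, content_type: str) -> list[dict]:
    """Return findings for JSON responses whose strings carry HTML/script."""
    if not content_type.lower().startswith("application/json"):
        return []          # only AJAX/JSON bodies are in scope for this rule
    try:
        doc = json.loads(body)
    except ValueError:
        return []          # not valid JSON; other rules cover raw HTML
    findings = []
    for path, value in iter_strings(doc):
        hits = [p.pattern for p in MARKUP_PATTERNS if p.search(value)]
        if hits:
            findings.append({"path": path, "markers": hits, "length": len(value)})
    return findings

if __name__ == "__main__":
    for finding in find_embedded_markup(SAMPLE_RESPONSE, "application/json"):
        print(finding)
```

The image-only creative produces no finding; the one carrying `<html>` and a VBScript block is reported with its JSON path so an analyst can pull that exact field from the capture.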
This campaign appears to be a continuation of a previous campaign by a known malicious actor. Late last week, we began to detect a new type of exploit kit attack that shared much of the code used in this particular case. However, in last week's samples, the landing page was not embedded inside the AJAX response. Over this weekend, the attacker modified the code to work on this website's advertisement distribution network.
The core of this week's attack uses MS14-064, the OLE VBScript REDIM Unbounded Array Memory Corruption vulnerability. The payload is tightly protected by six layers of obfuscation. Again, this is something that was rarely observed (typical exploit kits only have three layers of obfuscation).
Figure 2. The six-layer obfuscation chain.
Given the ubiquity of the website's advertisement network, even a short infection window should have netted the operators many new infected hosts.
The good news is that Fortinet can detect the exploit as VBS/YeaGun!exploit.CVE20146332, which has been around since November of last year. We were able to catch it on our network before it did any damage, but this is a sophisticated, novel approach that bears watching.