Industrial interior of an old factory building

The HookAds malvertising campaign

Not long ago we wrote about a new piece of malware called ‘Trick Bot‘ which we caught in a malvertising attack via a high trafficked adult website. In the meantime, we uncovered another malvertising campaign that started at least in mid August, and which leverages decoy adult portals to spread malware. Internally, we call it the HookAds campaign based on a string found within the delivery URL.

What’s interesting in this specific attack chain is the use of adult sites injected with new rogue ad domains that change quite frequently. However, upstream traffic to those adult sites also shows a pattern of malvertising via the usual suspects. In this post, we take a look at the distribution channel and the rogue infrastructure behind HookAds.

Link with previous campaign

There is one distribution path that connects this campaign with the one we previously caught. In fact, much of the traffic sent to HookAds comes from malvertising on top adult sites that generate millions of visits a month. Visitors to the first XXX site will be redirected to the decoy secondary site via a simple malvertising chain.


Malware (Ursnif): 3d26585fac57027df4a68fa282ebfcc818aabb59ae6627325c2c4201cd2d6b80

Converting adult traffic

We estimate that at least one million visitors to adult websites were exposed to this particular campaign. Adult traffic is funneled to one of several decoy adult websites where an iframe to adult banner is injected dynamically. The ad is served from a third-party server which performs cloaking in order to detect whether this is legitimate new traffic or not.

Non-targets are served a banner ad which redirects to other adult sites, via legitimate ad networks. However, that same server can also serve a malicious script instead, whose goal is to redirect the victim to the RIG exploit kit (back in August, Neutrino EK was pushed). The overall flow can be summarized in the diagram below:


Fake ad server infrastructure

The fake ad server infrastructure grew during the past few months and our honeypots caught 3 sequential IP addresses that host over a hundred rogue ad domains. All of these domains have been registered with the intention of looking like advertising platforms. While some domains were used for long periods of time, most switched every day or so to let a new one in.

Sponsoring Registrar: EvoPlus Ltd

Name Server: NS[0-9].TOPDNS.ME




Exploit kit and payload overview

This campaign yields a fair amount of traffic that is fed to the RIG-v exploit kit, the latest (VIP) version of  RIG EK. One of the early changes with RIG-v was a different landing page from the classic version, with the use of Unicode characters. Another change came more recently with new, less predictable URL patterns.


Below is a decoded portion of the RIG-v landing page (many thanks David Ledbetter) showing the new URL structure (thanks @malforsec for asking me about it).


The Flash exploit RIG-v uses is protected by SWFLOCK, an online obfuscator/cryptor for Flash files (other EKs like Magnitude use DoSWF) which has the following very helpful features:

  • Code obfuscation and encryption using our proven technology
  • Prevent your SWF from running offline or on other websites
  • Allow your SWF to run for a given trial period only
  • Protect your SWF with a password

There were a lot of payloads dropped throughout this campaign (for a partial list of hashes,  please refer to the IOCs below).


The HookAds malvertising campaign is still running at the time of writing this post, with new rogue ad domains getting registered each day. We are blocking the malicious IP range to protect our customers and Malwarebytes Anti-Exploit users are also shielded against the RIG exploit kit.




Malware hashes


329c033b15df3cb41dc9aed57272a0dd125f9c85f027ce2954b620261cf3d074 c15710703cbcbaa17324a69cb274b262795a5bd8700a89b3fa8abcf72e613f50 e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d 83a9f0f488e5f1046c5914b65877fb37e8ae7fa185f334cdc683cbd7e4614869 bd58161f66335f72614982d9f81c999cde3b2da8660e16cec15c298b2a995371 a96b468620ffa3f3a93198d99710c83a575206412e6a958c0c09007fcea05832 746d859772d0a7de26e47e2dfc2bf722eea90f65e0497a0e4d87e06f4ab183b8 c13ece2c81769af954fae66ee89ec0d2491bbb839d22f27bb9b048ea9e460d4a f473c2b4caf126a1b82284e2914838d18005c88a739355b42da16e5dc4caa3f4 124e4608528c013f4e14655d90beee3ded8c8b3aa54356a24d5c483c6818502a 03070471659084b60a05efcd5d252c3d7ed53089522dfbf816868a6eb0c947e4 85dd8381e73474b63aa5d70656cae94b6be5e863b6ff6287d981488538e6b99c 7b6bea5fec6da2782db6ac4d71414a3425d4605bcd8332d2e1f518d6388cae45 e2a2395da1b0ccac51a0ad858a8de95bc7664f753d4b9a86c8f866f8353136e6 4979bbceccbb991c909307d452666168ce660374079e299a13abae02c08960c1 429f1ec2ef25338c33bac28421e6ecb5e436211a7c56396bee3d4398ef4344ee e8abc7a39547bc1d6949bb8e2543bd6caddec8e873c441815a1d6c3ad2d63191 5b62f31b10cd19548ce294929827bf39d5c9c91ce5cc18391308b983363bf80f 94442f616763e37dc0ef7dd8358b80dfc07a4ae2b355c3fd39aa09957b300c78 61304505a4e2fbfc77dd4b6ce3cc01ebb1a6ab2d444b65e415bd9ac22dbeb899


Jérôme Segura

Principal Threat Researcher