ARP Spoofing Used to Insert Malicious Adverts

October 19, 2017 | Chris Doman

Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view.

The open file server at http://222.186.11[.]182:9999

The Rar Archive

One of the files on the server, 11.rar, contains this batch script:

The file 哈迪斯技术组ARP工具(Hades Technology Group ARP Tools).bat

Zxarps - An ARP Spoofing Tool

This batch script executes a tool known as zxarps (https://github.com/sincoder/zxarps). Zxarps is an ARP spoofing tool that has been publicly available for over ten years.

It’s a fairly unusual tool, though familiar to anyone who played with hacking tools like Cain and Abel decades ago. ARP spoofing can be used to redirect traffic to an attacker-controlled server.

(Diagram: a description of ARP spoofing, from Wikipedia)

A report from 2014 on an attack involving CVE-2014-6332 describes well how an attacker might use zxarps:

“This malware performs ARP spoofing on the network to cause other systems to route their traffic through the infected system, and inject a malicious IFRAME into webpages.”

The ARP spoofing attack can work in both directions. If a web server in a hosting provider's network is compromised, zxarps can be used to insert malicious code into the pages served by other sites on the same subnet. A report from way back in 2009 describes attacks that operated this way:

“A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).”
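The symptom both reports describe, one host's MAC answering ARP for addresses that are not its own, is what a defender should watch for on the subnet. The following is an added example, not code from this post or from zxarps: it takes a stream of ARP replies (constructed here), baselines each IP's MAC on first sighting, and flags a contradicted trusted binding (the gateway's MAC is assumed to be known from the switch or DHCP records), an IP that moves to a new MAC, and a single MAC that claims several IPs.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on one subnet as (sender_ip, sender_mac).
# 192.168.1.1 is the gateway; host 192.168.1.50 later answers for the gateway
# and for 192.168.1.60, which is the pattern a poisoning tool produces.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    ("192.168.1.50", "bb:bb:bb:bb:bb:50"),
    ("192.168.1.60", "cc:cc:cc:cc:cc:60"),
    ("192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    ("192.168.1.1",  "bb:bb:bb:bb:bb:50"),   # poisoned: .50 claims the gateway IP
    ("192.168.1.60", "bb:bb:bb:bb:bb:50"),   # poisoned: .50 claims another host's IP
]


def analyse_arp(replies, trusted=None):
    """Return a list of alerts for ARP-spoofing symptoms.

    trusted maps IP -> MAC for bindings known in advance (e.g. the gateway);
    any other IP is baselined on its first sighting. Alerts are tuples:
      ("gateway_hijack", ip, mac)            a trusted binding was contradicted
      ("ip_mac_change", ip, mac)             a baselined IP moved to a new MAC
      ("mac_claims_multiple_ips", mac, ips)  one MAC now answers for several IPs
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    bindings = dict(trusted)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac  # first sighting becomes the baseline
        elif known != mac:
            kind = "gateway_hijack" if ip in trusted else "ip_mac_change"
            alerts.append((kind, ip, mac))
        # Only alert when a MAC gains a new IP, not on every repeated reply.
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("mac_claims_multiple_ips", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


def suspect_macs(alerts):
    """MAC addresses implicated by any alert; these are the hosts to inspect."""
    return {a[1] if a[0] == "mac_claims_multiple_ips" else a[2] for a in alerts}


if __name__ == "__main__":
    found = analyse_arp(SAMPLE_ARP_REPLIES, trusted={"192.168.1.1": "aa:aa:aa:aa:aa:01"})
    for alert in found:
        print(alert)
    print("suspect hosts:", suspect_macs(found))
```

The first-sighting baseline is only as good as the capture's starting point: if the capture begins after the subnet has already been poisoned, the spoofed MAC becomes the baseline, which is why the gateway binding is seeded from an authoritative source rather than learned from traffic.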

We can see in the batch file that zxarps is configured to insert JavaScript from the URL http://www.mei988[.]com/yy.js.

Potentially infected sites

A quick Google search for the malicious JavaScript turns up a number of websites serving it. This may mean the attackers are running zxarps on the network where those sites are hosted.

(Screenshot: the injected script in an affected page's DOM, as captured by urlscan.io: https://urlscan.io/result/534f9ec9-32c6-4136-b293-88af492b08d7/dom/)

All this... just to insert adverts for a casino

Reviewing the injected code indicates it isn’t being used to serve malware, but simply to serve adverts for a Chinese casino:

(Screenshot: the Chinese casino advert, from the Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0f64d813cad17416e6d4d9abbb9f99172932d5f7186829b5cf0a8d254f8df33d?environmentId=100)

If you’re reviewing malvertising on a website and aren’t sure how it got there, this is another technique to consider.
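Reviewing a page for injected content of this kind comes down to listing the script and iframe sources it pulls in and checking them against the hosts the site is expected to use. The following is an added example, not code from this post or from any project it mentions; the HTML, the allowed host list and the injected domain ads.example.invalid are all constructed (the file name yy.js mirrors the one in the post).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: two legitimate references, then a script and a 1x1 iframe
# injected from a host the site does not use.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-site.test/lib/jquery.js"></script>
</head><body>
<p>Site content</p>
<script src="http://ads.example.invalid/yy.js"></script>
<iframe src="//ads.example.invalid/frame.html" width="1" height="1"></iframe>
</body></html>"""

# Hosts the site owner expects to serve active content (constructed).
SITE_HOSTS = {"www.example-site.test", "cdn.example-site.test"}


class _RefCollector(HTMLParser):
    """Collect (tag, src) for every <script> and <iframe> with a src attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def external_host(src):
    """Host a src points at, or None for a same-origin relative path.

    Scheme-relative URLs (//host/path) are resolved as https so that the
    host is still extracted.
    """
    return urlparse(src, scheme="https").hostname


def find_unexpected_refs(html, allowed_hosts):
    """Return (tag, host, src) for active content loaded from hosts not in allowed_hosts."""
    collector = _RefCollector()
    collector.feed(html)
    unexpected = []
    for tag, src in collector.refs:
        host = external_host(src)
        if host is not None and host not in allowed_hosts:
            unexpected.append((tag, host, src))
    return unexpected


if __name__ == "__main__":
    for tag, host, src in find_unexpected_refs(SAMPLE_HTML, SITE_HOSTS):
        print(f"unexpected {tag} from {host}: {src}")
```

Because ARP-based injection happens in transit on the hosting subnet, the injected tags are absent from the files on disk; run this check against the page as fetched by a client, and compare with a copy read directly from the server's document root to confirm the difference is on the wire rather than in the code base.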

Indicators of Compromise

Malicious files on the file server

896B454BCE4C4717511FA6AFE6B18F64
8C19D83FF359A1B77CB06939C2E5F0CB
C1111792CF99B51CF0E0D6F845D8BA89
AEA42EC19FABBAC5D028EA09B8F339DF
045842D836FEEA2020240141A39014DA
724866003B3ECDD018A4C95935AA6BC9
40B8FFA9148646487B5F220E8399A894
2B8F5A693275102AE1D48FC138685C80
A11A2F0CFE6D0B4C50945989DB6360CD
D48CD20233843163132354CECEEF72AA
4B94FA468513CF0946BBC02B8F61D95B
222.186.11[.]182

You can view these indicators in AlienVault OTX


About the Author: Chris Doman, AlienVault
I've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal (ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.