The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK


Most online ads are displayed as a result of a chain of trust, from the publishers to the malicious advertiser via ad agencies and/or ad networks.

For “traffers” (that is, actors bringing traffic to a malicious destination; for example, exploit kits) that rely on malvertising, one of the goals is to gain access to a high-profile ad network such as DoubleClick, Bing Ads, AdTech or AppNexus. A reputable, high-profile ad network provides traffers with access to higher-quality traffic, and the more reputable an ad network appears, the easier it is for traffers to reach this target traffic.


Uncovering domain shadowing

In early November, one of those high-profile ad agencies appeared in Proofpoint sensors as the "referrer" to Angler exploit kit. Further investigation by Proofpoint researchers determined that the creative in question (ad banners) was pointing to content from https://ads.mikeholt[.]com and landing at www.mikeholt[.]com.


Figure 1: Creative served by the abused ad agency


Figure 2: A fake online ad for an authentic Website, displayed using a shadowed domain of that Website

A disparity in the SSL certificate used by both servers is the first hint that something is suspicious about this ad.


Figure 3: Shadowed domain SSL certificate vs legitimate site owner's domain SSL certificate

A comparison of the SSL certificates presented by the two hosts is a clue that this could be a case of "domain shadowing" [3].

Domain shadowing is a technique for generating malicious subdomains from a legitimate domain, typically using stolen registration credentials for the domain owner. With the stolen credentials, the threat actor can create a large number of fraudulent subdomains (for example, ads.mikeholt[.]com) below the legitimate domain mikeholt[.]com. (The domain owners for these examples were contacted as part of this investigation and alerted to the fact that their registration credentials have probably been compromised.) The attacker can then configure servers on the fraudulent subdomain to perform filtering and redirection actions that pull in their preferred exploit kit.
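The certificate disparity in Figure 3 can be turned into a repeatable check. The following is an added example, not Proofpoint's tooling: it compares the certificate presented by a subdomain with the one presented by the registered (apex) domain and reports the mismatches that hint at shadowing. Certificate fields and hostnames are constructed for the example, and the apex is assumed to be the last two labels of the host (a real tool would consult the public suffix list).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class CertInfo:
    """The few certificate fields the comparison needs (parsed elsewhere)."""
    subject_cn: str
    issuer: str
    sans: list[str] = field(default_factory=list)
    not_before: datetime = datetime(2015, 1, 1)


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a wildcard is only valid as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: CertInfo, host: str) -> bool:
    return any(name_matches(n, host) for n in [cert.subject_cn, *cert.sans])


def registered_domain(host: str) -> str:
    # Assumption: two-label registered domain; no public suffix list handling here.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def shadowing_indicators(sub_host: str, sub_cert: CertInfo, apex_cert: CertInfo,
                         max_gap: timedelta = timedelta(days=30)) -> list[str]:
    """Reasons the subdomain looks shadowed; an empty list means TLS gives no hint."""
    reasons = []
    apex = registered_domain(sub_host)
    if not cert_covers(apex_cert, sub_host):          # apex cert does not name the subdomain
        reasons.append(f"certificate for {apex} does not cover {sub_host}")
    if sub_cert.issuer != apex_cert.issuer:           # different CA chose for each host
        reasons.append(f"issuer mismatch: {sub_cert.issuer!r} vs {apex_cert.issuer!r}")
    if sub_cert.not_before - apex_cert.not_before > max_gap:   # freshly minted cert
        reasons.append("subdomain certificate issued long after the apex certificate")
    return reasons


# Constructed sample certificates (not the ones from the investigation).
APEX = CertInfo("www.example.com", "CN=Established CA",
                ["www.example.com", "example.com"], datetime(2015, 3, 1))
SHADOW = CertInfo("ads.example.com", "CN=Other CA", ["ads.example.com"], datetime(2015, 11, 10))
WILDCARD = CertInfo("*.example.com", "CN=Established CA",
                    ["*.example.com", "example.com"], datetime(2015, 3, 1))
```

Feeding `shadowing_indicators("ads.example.com", SHADOW, APEX)` yields three reasons, while a legitimate subdomain served from the same wildcard certificate (`WILDCARD` for both hosts) yields none.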


Multiple parallel campaigns

Further investigation identified other campaigns employing other compromised domains and abused ad agencies. For example:


Figure 4: Example of ad with stolen creative linking to malicious domain


Figure 5: SSL certificate details for compromised domain


An exploit kit out of nowhere

Researchers who have the opportunity to replay this attack in a controlled environment will not be able to see much without SSL man-in-the-middle capabilities (Fig. 6); instead the attack will appear to be Angler EK materializing "out of thin air".


Figure 6: Traffic captured on 2015-11-21 without MITM capabilities


A look in the SSL tunnel

One of the reasons that malvertising is appealing to threat actors is that the ad agency or network itself performs a significant portion of the targeting, including geo, browser and other options. However, the malicious ad server also applies its own filtering settings, and as a result non-targeted clients (for example, a known IP address or a client in the wrong country) receive harmless ad code.

Figure 7: Harmless code served by the server if the client does not match the filtering options or if the campaign is on hold

When a targeted client visits a site served by the infected content delivery network (CDN), the attack follows these steps:

  1. Send a POST request to filter the proxied traffic.
  2. A global JavaScript reads the results of the filtering.
  3. If the reply is as expected, decode a bogus GIF (Fig. 8).
  4. Check the system using two information disclosure bugs in Microsoft Internet Explorer to avoid researchers, sandboxes and some security products.
  5. Abuse an HTTPS open redirect on DoubleClick [2].
  6. Land the browser on Angler EK without a referrer.

Figure 8: Malicious code sent by the fake ad server, including fake GIF image file

Decoding the fake GIF produces a JavaScript function (Fig. 9). 


Figure 9: Encoded JavaScript function inside a "GIF"
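A response that claims to be a GIF but carries JavaScript (Figures 8 and 9) is something a proxy or IDS can flag on content alone. The following is an added example, not code from the campaign or from Proofpoint: it checks the declared `image/gif` type against the GIF magic bytes and, when the body is base64 text, decodes it before looking for script. The sample responses are constructed for the example, not captured traffic.

```python
from __future__ import annotations
import base64
import binascii
import re

GIF_MAGIC = (b"GIF87a", b"GIF89a")
# Crude hint that a blob is JavaScript rather than image data.
JS_HINT = re.compile(rb"\bfunction\s*\(|\beval\s*\(|\bdocument\.|\bwindow\.")


def _try_base64(body: bytes) -> bytes | None:
    """Return decoded bytes if the body is plausibly base64 text, else None."""
    text = body.strip()
    if len(text) < 16 or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", text):
        return None
    try:
        return base64.b64decode(text)
    except (binascii.Error, ValueError):
        return None


def classify_image_response(content_type: str, body: bytes) -> str:
    """Label a response that claims to be a GIF:
    'gif'                 magic bytes match, nothing to do
    'fake-gif-javascript' body is JavaScript in the clear
    'fake-gif-encoded-js' body is base64 text that decodes to JavaScript
    'fake-gif'            declared GIF but no GIF header (worth a look)
    'not-gif'             content type is not image/gif
    """
    ct = content_type.split(";")[0].strip().lower()
    if ct != "image/gif":
        return "not-gif"
    if body.startswith(GIF_MAGIC):
        return "gif"
    if JS_HINT.search(body):
        return "fake-gif-javascript"
    decoded = _try_base64(body)
    if decoded is not None and JS_HINT.search(decoded):
        return "fake-gif-encoded-js"
    return "fake-gif"


# Constructed sample responses (content type, body); not captured traffic.
SAMPLES = {
    "real": ("image/gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
    "clear_js": ("image/gif; charset=utf-8", b"function(){document.write('x')}"),
    "b64_js": ("image/gif", base64.b64encode(b"(function(){window.location='x'})()")),
    "garbage": ("image/gif", b"\x00\x01\x02 not an image"),
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
}


def scan_samples() -> dict[str, str]:
    return {name: classify_image_response(ct, body) for name, (ct, body) in SAMPLES.items()}
```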


Client filtering

The decoded JavaScript function leverages two information disclosure bugs in Internet Explorer in order to filter potential victims (Fig. 10).


Figure 10: Decoded fake GIF showing redirect and additional filtering

In order, these checks are:

  • A variation of a technique used by the Magnitude and Angler EKs, which filters out clients running certain security products.
  • A MimeType check that filters on certain shellex (shell extension) associations, including .py, .pcap and .saz (Fig. 10).

Both of these bugs were reported to Microsoft in May.

All replay attempts of this threat revealed fileless Angler EK [4] [5] threads loading Bedep in memory. The Bedep in action is "buildId" 1926. Over the course of November, Proofpoint researchers observed this Bedep version loading a variety of malware payloads, including Fileless Ursnif [4], Ramnit, Blowcrypt, Vawtrak campaigns 13 and 60 [7], and most recently Reactor Bot.


Malvertising is by now a well-known attack vector, and organizations, web sites, and ad network operators have adapted their defenses to detect and defend against it. As this example shows, however, threat actors are also evolving their techniques, using more sophisticated attack chains that make it more difficult for even diligent ad agencies and ad network operators to detect malvertising in their ad streams. These adaptations will enable malvertising to remain an effective malware distribution method for months to come.

Indicators of Compromise (IOCs)

IOC table (category labels only; the values did not survive in this copy):

  • Shadowed domain (6 entries)
  • POS Reco "Fileless" Ursnif
  • Vawtrak 13
  • Vawtrak 60
  • Reactor Bot
  • Vawtrak C&C (2 entries)
  • Bedep Domain
  • Ursnif C&C
  • Angler EK
  • Reactor Bot C&C


ET signatures:

(NOTE: older rules would fire on older traffic)

2018558 || ET TROJAN Win32/Ramnit Checkin

2019678 || ET TROJAN Ursnif Checkin

2019400 || ET TROJAN Possible Bedep Connectivity Check

2021418 || ET TROJAN Bedep HTTP POST CnC Beacon

2022141 || ET CURRENT_EVENTS Angler encrypted payload Nov 23

2811284 || ETPRO CURRENT_EVENTS Angler or Nuclear EK Flash Exploit M2

2814948 || ETPRO CURRENT_EVENTS Possible EK Redir SSL Cert

2815003 || ETPRO CURRENT_EVENTS Angler EK Landing Nov 18 2015

2815071 || ETPRO CURRENT_EVENTS Possible Angler EK Payload Nov 23 2015

2814630 || ETPRO CURRENT_EVENTS Possible Angler EK IE DHE Post M2

2807957 || ETPRO TROJAN Win32/TrojanDownloader.Blocrypt Checkin

2814112 || ETPRO TROJAN Vawtrak HTTP CnC Beacon

2813060 || ETPRO TROJAN Vawtrak Retrieving Module



