ARP Spoofing Used to Insert Malicious Adverts

Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view.

The open file server at http://222.186.11[.]182:9999

The Rar Archive

One of the files on the server, 11.rar, contains this batch script:

The file 哈迪斯技术组ARP工具(Hades Technology Group ARP Tools).bat

Zxarps - An ARP Spoofing Tool

This batch script executes a tool known as zxarps. Zxarps is an ARP spoofing tool that has been publicly available for over ten years.

It’s a fairly unusual tool, though familiar to anyone who played with hacking tools like Cain and Abel decades ago. ARP spoofing can be used to redirect traffic to an attacker-controlled server.

A description of ARP spoofing, from Wikipedia

A report from 2014 on an attack involving CVE-2014-6332 describes well how an attacker might use zxarps:

“This malware performs ARP spoofing on the network to cause other systems to route their traffic through the infected system, and inject a malicious IFRAME into webpages.”

The ARP spoofing attack can work in both directions. If a web-host is compromised, zxarps can be used to insert malicious code into other sites on the same web-host. A report from way back in 2009 describes attacks that operated this way:

“A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).”
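The two reports above describe the same mechanism: a host on the subnet answers ARP requests for addresses it does not own, so its neighbours send their traffic through it. The following detector is an added example written for this post (it is not part of the original article or of zxarps): it watches a stream of ARP replies, remembers the first MAC seen for each IP, and alerts when an IP later appears from a different MAC or when one MAC claims more IPs than a normal host would. All the packets are constructed sample data; the `max_ips_per_mac` threshold and the `ArpReply` record are assumptions for the example.

```python
"""Detect ARP-cache poisoning from a stream of ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    """The two fields of an ARP reply that matter for poisoning detection."""
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    # IP address -> MAC address first learned from the wire
    table: dict = field(default_factory=dict)
    # MAC address -> set of IP addresses it has claimed so far
    claims: dict = field(default_factory=lambda: defaultdict(set))
    # Assumed threshold: a MAC answering for more IPs than this looks like a
    # spoofer impersonating the gateway to every host on the subnet.
    max_ips_per_mac: int = 2

    def observe(self, reply: ArpReply) -> list:
        """Record one reply and return any alerts it triggers."""
        alerts = []
        known = self.table.get(reply.sender_ip)
        if known is None:
            self.table[reply.sender_ip] = reply.sender_mac
        elif known != reply.sender_mac:
            alerts.append(
                f"IP {reply.sender_ip} moved from {known} to {reply.sender_mac}"
            )
        self.claims[reply.sender_mac].add(reply.sender_ip)
        # Fire once, at the moment the threshold is crossed, not on every packet.
        if len(self.claims[reply.sender_mac]) == self.max_ips_per_mac + 1:
            ips = sorted(self.claims[reply.sender_mac])
            alerts.append(f"MAC {reply.sender_mac} now claims {ips}")
        return alerts


# Constructed sample traffic: three legitimate hosts answer for themselves,
# then a fourth MAC starts answering for all of them (gateway included).
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway
    ArpReply("10.0.0.5", "aa:bb:cc:00:00:05"),
    ArpReply("10.0.0.6", "aa:bb:cc:00:00:06"),
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:66"),   # spoofer claims the gateway
    ArpReply("10.0.0.5", "aa:bb:cc:00:00:66"),   # ...and each host
    ArpReply("10.0.0.6", "aa:bb:cc:00:00:66"),
]


def run_sample() -> list:
    """Feed the constructed replies through the monitor and collect alerts."""
    monitor = ArpMonitor()
    alerts = []
    for reply in SAMPLE_REPLIES:
        alerts.extend(monitor.observe(reply))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

In practice the same logic is what arpwatch-style tools run against live traffic; the point of the example is that both signals (an IP changing MAC, and one MAC answering for many IPs) are visible on the wire even though nothing on the victim hosts is modified.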

We can see in the batch file that zxarps is attempting to insert JavaScript from the URL http://www.mei988[.]com/yy.js.

Potentially infected sites

A quick Google for the malicious JavaScript indicates a number of websites serving the malicious code. This may mean the attackers are running zxarps on their network.

All this... just to insert adverts for a casino

Reviewing the injected code indicates it isn’t being used to serve malware, but simply to serve adverts for a Chinese casino:

If you’re reviewing malvertising on a website, and aren’t sure how it got there, this is another technique to consider.
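Because the injection happens in transit, the HTML on the web server's disk stays clean while the copy a client receives carries the extra tag. A direct way to confirm this kind of injection is to diff the two copies. The script below is an added example written for this post (not code from the article or from any project it mentions): it parses both copies with the standard-library HTML parser, collects every `script` and `iframe` source, and reports the references present in the served page but absent from the on-disk file. Both HTML samples are constructed; the injected URL is the defanged indicator named above.

```python
"""Isolate script/iframe references injected between disk and client (added example)."""
from collections import Counter
from html.parser import HTMLParser


class RefCollector(HTMLParser):
    """Collect (tag, src) pairs for the tags an injector typically adds."""

    WATCHED = ("script", "iframe")

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCHED:
            self.refs.append((tag, dict(attrs).get("src")))


def collect_refs(html: str) -> list:
    """Return the ordered list of (tag, src) references in a page."""
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs


def injected_refs(on_disk: str, served: str) -> list:
    """References in the served copy that the on-disk copy does not account for.

    A Counter is used so that a duplicated legitimate tag is still flagged.
    """
    baseline = Counter(collect_refs(on_disk))
    found = []
    for ref in collect_refs(served):
        if baseline[ref] > 0:
            baseline[ref] -= 1
        else:
            found.append(ref)
    return found


# Constructed sample: the file as it sits on the web server.
ON_DISK = """<html><head>
<script src="/static/site.js"></script>
</head><body><p>Welcome</p></body></html>"""

# Constructed sample: the same page as received by a client on the poisoned
# subnet, with one tag inserted in transit (URL is the indicator from the post).
SERVED = """<html><head>
<script src="/static/site.js"></script>
<script src="http://www.mei988[.]com/yy.js"></script>
</head><body><p>Welcome</p></body></html>"""


if __name__ == "__main__":
    for tag, src in injected_refs(ON_DISK, SERVED):
        print(f"injected <{tag}> -> {src}")
```

When the on-disk copy and the served copy differ like this and the server's own logs show no change to the file, the modification happened somewhere on the network path, which is exactly the case ARP-level injection produces.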

Indicators of Compromise

Malicious files on the file server


You can view these indicators in AlienVault OTX
