Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Malvertising Campaign Hits Top Global Websites

A recent malvertising campaign leveraging the Angler exploit kit (EK) has hit many top websites, including news sites, entertainment portals, and political commentary sites.

A recent malvertising campaign leveraging the Angler exploit kit (EK) has hit many top websites, including news sites, entertainment portals, and political commentary sites.

The campaign targeted users in the United States and is said to have exposed tens of thousands of visitors in a few days as malicious ads were delivered by compromised ad networks within these highly-visited mainstream websites. Some of the sites affected by the campaign include msn.com, nytimes.com, bbc.com, aol.com, nfl.com, and others.

Researchers at Malwarebytes discovered two rogue domains involved in the campaign and say that the compromised ad networks include Google, AppNexus, AOL, and Rubicon. Malwarebytes observed both a huge spike in malicious activity over the weekend and discovered that the Angler EK was the main toolkit used in this campaign.

Angler, currently the most popular EK being used by cybercriminals, has received constant updates to ensure that it can target recently patched vulnerabilities, including one in Microsoft Silverlight that was patched in January 2016. Malwarebytes notes that Angler has received other modifications as well lately, including new URI patterns and landing pages.

Researchers at Trend Micro also observed the increase in Angler EK activity in the US, and managed to link it to this malvertising campaign. They also found that users visiting compromised websites were redirected to two malvertising servers, one of which was delivering Angler.

According to Trend Micro, the EK in this campaign downloads a BEDEP variant that drops a malware detected as TROJ_AVRECON. Apparently, while more popular portals affected by this campaign managed to eliminate the bad ad, smaller websites haven’t been cleaned yet and the campaign is still ongoing.

Trustwave researchers observed the increased malicious activity as well. Among the sites affected, they count answers.com, which is ranked 420 Global and 155 in the US on Alexa, as well as zerohedge.com, ranked 986 in the US, and infolinks.com, ranked 4,649 internationally.

According to Trustwave, Angler’s operators managed to grab “brentsmedia[.]com,” an expired domain of a small but probably legitimate advertising company, which provided them with high quality traffic from popular web sites that publish their ads directly. These high-profile sites were seen fetching a JSON file that referred to a suspicious, heavily-obfuscated JavaScript file.

Advertisement. Scroll to continue reading.

The code in this file was searching for a range of anti-virus products and lead to the Angler EK landing page if none was found. After successfully infiltrating the end-user computer, Angler was observed dropping both the Bedep Trojan and the TeslaCrypt ransomware.

The malicious ads related to this campaign were delivered through two affiliate networks, namely adnxs and taggify. The brentsmedia[.]com domain expired in January but was re-registered again on March 6 with a different registrant.

Researchers suggest that the people behind Angler are either doing this directly, or they are acquiring some high-quality TDS services from a fellow criminal. They also say that this might be a new trend, where domains nearing expiration are “stalked” by cybercriminals, since two more expired domains are exhibiting the same characteristics: “envangmedia[.]com” and “markets.shangjiamedia[.]com.”

“If one was to take a wild guess, one might think that they actually are watching for any domains containing the word “media” that have recently expired. Whether or not this will turn into a new trend, it’s certainly an interesting development in the world of Malvertising, once again reminding us how difficult it is for both end-users and ad networks to deal with this threat,” Trustwave researchers say.  

“Concerned consumers should take note that the prescription for avoiding these malware infections is basic security hygiene,” Tim Erlin, Director of IT Security and Risk Strategy for Tripwire, told SecurityWeek. “This malware campaign actively avoids systems with common security software installed. The malware itself requires vulnerable versions of software to exploit, so installing security updates can protect you.”

Users and organizations should make sure that the applications and system software on their devices is kept up to date and that they have installed the latest security patches available for them, ensuring that Angler cannot exploit recently patched security flaws in software such as Adobe Flash Player or Microsoft Silverlight.

Cybercriminals have used exploit kits in malvertising campaigns to spread their malicious applications in the past. Last June, a massive campaign hit Web users in Europe and the U.S., while the Yahoo! advertising network was targeted by a similar attack in August.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.