A recent malvertising campaign leveraging the Angler exploit kit (EK) has hit many top websites, including news sites, entertainment portals, and political commentary sites.
The campaign targeted users in the United States and is said to have exposed tens of thousands of visitors in a few days as malicious ads were delivered by compromised ad networks within these highly-visited mainstream websites. Some of the sites affected by the campaign include msn.com, nytimes.com, bbc.com, aol.com, nfl.com, and others.
Researchers at Malwarebytes discovered two rogue domains involved in the campaign and say that the compromised ad networks include Google, AppNexus, AOL, and Rubicon. Malwarebytes observed a huge spike in malicious activity over the weekend and determined that the Angler EK was the main toolkit used in this campaign.
Angler, currently the most popular EK being used by cybercriminals, has received constant updates to ensure that it can target recently patched vulnerabilities, including one in Microsoft Silverlight that was patched in January 2016. Malwarebytes notes that Angler has received other modifications as well lately, including new URI patterns and landing pages.
Researchers at Trend Micro also observed the increase in Angler EK activity in the US, and managed to link it to this malvertising campaign. They also found that users visiting compromised websites were redirected to two malvertising servers, one of which was delivering Angler.
According to Trend Micro, the EK in this campaign downloads a BEDEP variant that drops malware detected as TROJ_AVRECON. Apparently, while the more popular portals affected by this campaign managed to eliminate the bad ad, smaller websites haven’t been cleaned yet and the campaign is still ongoing.
Trustwave researchers observed the increased malicious activity as well. Among the sites affected, they count answers.com, which is ranked 420 globally and 155 in the US on Alexa, as well as zerohedge.com, ranked 986 in the US, and infolinks.com, ranked 4,649 internationally.
According to Trustwave, Angler’s operators managed to grab “brentsmedia[.]com,” an expired domain of a small but probably legitimate advertising company, which provided them with high-quality traffic from popular websites that publish their ads directly. These high-profile sites were seen fetching a JSON file that referred to a suspicious, heavily obfuscated JavaScript file.
The code in this file searched for a range of anti-virus products and led to the Angler EK landing page if none was found. After successfully infiltrating the end-user computer, Angler was observed dropping both the Bedep Trojan and the TeslaCrypt ransomware.
The malicious ads related to this campaign were delivered through two affiliate networks, namely adnxs and taggify. The brentsmedia[.]com domain expired in January but was re-registered on March 6 with a different registrant.
Researchers suggest that the people behind Angler are either doing this directly, or they are acquiring some high-quality TDS services from a fellow criminal. They also say that this might be a new trend, where domains nearing expiration are “stalked” by cybercriminals, since two more expired domains are exhibiting the same characteristics: “envangmedia[.]com” and “markets.shangjiamedia[.]com.”
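As an added illustration (not code from the article or from any of the researchers it quotes), the following Python sketch shows how a site operator could review the ad-serving domains in their supply chain and flag any that, like the lapsed domain described above, expired and were soon re-registered under a different registrant. The records, field names and 90-day window are constructed assumptions, not real WHOIS data.

```python
from datetime import date

# Constructed sample records (NOT real WHOIS data). Each describes one
# ad-serving domain observed in a site's ad supply chain. Field names are
# hypothetical; a real feed would come from WHOIS/RDAP history.
SAMPLE_RECORDS = [
    {   # lapsed, quickly re-registered, new owner: the pattern in the article
        "domain": "example-ads-one.test",
        "expired_on": date(2016, 1, 15),
        "reregistered_on": date(2016, 3, 6),
        "registrant_before": "Acme Media LLC",
        "registrant_after": "Privacy Proxy Ltd",
    },
    {   # never lapsed, same owner throughout
        "domain": "example-ads-two.test",
        "expired_on": None,
        "reregistered_on": None,
        "registrant_before": "Stable Ads Inc",
        "registrant_after": "Stable Ads Inc",
    },
    {   # lapsed long ago, renewed by the original owner
        "domain": "example-ads-three.test",
        "expired_on": date(2015, 6, 1),
        "reregistered_on": date(2015, 6, 20),
        "registrant_before": "Old Co",
        "registrant_after": "Old Co",
    },
]


def assess_domain(record, today, window_days=90):
    """Return (severity, reasons) for one domain record.

    severity is "high" when the domain lapsed, was re-registered within
    window_days of today, and the registrant changed; "review" when only
    one of those signals is present; "ok" otherwise.
    """
    reasons = []
    expired = record["expired_on"]
    rereg = record["reregistered_on"]

    lapsed_recently = (
        expired is not None
        and rereg is not None
        and rereg > expired
        and 0 <= (today - rereg).days <= window_days
    )
    if lapsed_recently:
        reasons.append("re-registered within %d days after expiry" % window_days)

    if record["registrant_before"] != record["registrant_after"]:
        reasons.append("registrant changed")

    if len(reasons) == 2:
        return "high", reasons
    if len(reasons) == 1:
        return "review", reasons
    return "ok", reasons


def find_suspicious(records, today, window_days=90):
    """Map each domain that is not "ok" to its (severity, reasons)."""
    flagged = {}
    for record in records:
        severity, reasons = assess_domain(record, today, window_days)
        if severity != "ok":
            flagged[record["domain"]] = (severity, reasons)
    return flagged


if __name__ == "__main__":
    for domain, (severity, reasons) in find_suspicious(
        SAMPLE_RECORDS, date(2016, 3, 15)
    ).items():
        print(domain, severity, "; ".join(reasons))
```

The check deliberately treats a registrant change and a recent lapse as separate signals, so a domain renewed late by its legitimate owner is not escalated to the same level as one that changed hands; a practitioner would tune the window to how often the ad-tag inventory is reviewed.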
“If one was to take a wild guess, one might think that they actually are watching for any domains containing the word ‘media’ that have recently expired. Whether or not this will turn into a new trend, it’s certainly an interesting development in the world of Malvertising, once again reminding us how difficult it is for both end-users and ad networks to deal with this threat,” Trustwave researchers say.
“Concerned consumers should take note that the prescription for avoiding these malware infections is basic security hygiene,” Tim Erlin, Director of IT Security and Risk Strategy for Tripwire, told SecurityWeek. “This malware campaign actively avoids systems with common security software installed. The malware itself requires vulnerable versions of software to exploit, so installing security updates can protect you.”
Users and organizations should make sure that the applications and system software on their devices are kept up to date and that the latest available security patches are installed, so that Angler cannot exploit recently patched security flaws in software such as Adobe Flash Player or Microsoft Silverlight.
Cybercriminals have used exploit kits in malvertising campaigns to spread their malicious applications in the past. Last June, a massive campaign hit Web users in Europe and the U.S., while the Yahoo! advertising network was targeted by a similar attack in August.