Connect with us

Hi, what are you looking for?


Malware & Threats

Massive Malvertising Campaign Hits Users with Angler Exploit Kit

Researchers with Raytheon|Websense have identified a massive malvertising campaign that has hit Web users in Europe and the U.S.

Researchers with Raytheon|Websense have identified a massive malvertising campaign that has hit Web users in Europe and the U.S.

The attack is focused on users browsing several well-trafficked sites, including CNN Indonesia, the official website of Prague Airport, Detik, AASTOCKS, RTL Television Croatia and the Bejewled Blitz game on Facebook. According to the researchers, the attack leads users to the Angler Exploit kit, which leverages a vulnerability in Adobe Flash Player (CVE-2015-3090) to infect users with the Bunitu Trojan.

“Revive Adserver is an open source advertizing technology formerly known as OpenX Source,” the researchers noted in a blog post. “It allows businesses to host and manage their own advertizing services rather than relying on third party services, and it is common for multiple websites to use the same Revive Adserver script. We have seen compromised Revive Adserver scripts used in malvertising in the past, and seemingly this continues to be a target of interest for cybercriminals. The code injected into the compromised Revive Adserver scripts in this campaign have been seen to lead to the very prevalent Angler Exploit Kit.”

The injected code is not always sent when the script is requested, and the Angler kit will only serve the malicious exploit code once per IP address in a 24-hour period. Since April, researchers have compromised Revive Adserver scripts being used by several sites, some of which only seem to contain the injected code for 24 hours, while others have remained compromised for weeks, the researchers found.

Once the Bunitu Trojan is dropped on the victim’s machine, it turns the system into a zombie computer. The malware drops and loads a DLL within its own process that opens two random ports on the infected machine for a SOCKS5 proxy and a HTTP proxy. It also has back-up infrastructure in case the hard-coded call home server is not available. 

“Ad networks are pervasive and ads are the economic backbone of the internet – hence very juicy targets,” explained Rajiv Motwani, Raytheon|Websense director of security research. “Like any other piece of code, ad networks can also be exploited and we have seen a large uptick in malvertising over the last couple of years. Once an ad network is compromised, an attacker could serve malware to any subset of visitors to the sites using that ad network and even use very precise targeting of the victims depending on the functionality made available by the ad network, which is typically good.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...