Security researchers have discovered an advertising campaign which has been placing malicious advertisements on very popular websites both in the US and internationally.
“answers.com”, “zerohedge.com” and “infolinks.com” are just three of the big names which were recently found by the malware experts. These websites redirect visitors straight to the Angler exploit kit through a malicious advertising campaign, and by using malicious advertising that has already become part of our daily lives.
As long as these websites are involved in the infection process they are, much like infected clients, victim of Malvertising. At the same time, the only “crime” in this case, is being popular and having high volumes of traffic going through these websites every day. Regarding the technical matter, those who are familiar with the Angler exploit kit, know that it never ceases to innovate and come up with new ideas for infecting as many victims as possible.
Nowadays, people are used to the “standard” Malvertising campaigns where the placement of malicious advertisements on known ad provider networks leads potential victims to an exploit kits’ landing page. However, this time it looks like an experienced hacker has acquired an expired domain of a small but probably legitimate advertising company in order to utilize this for malicious purposes. This provides high quality traffic from popular websites which publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK.
Over the past few days, the researchers noticed that several high profile websites were fetching a JSON file which is hosted on “brentsmedia[.]com” as part of their process for pulling advertising content from their ad providers.
This JSON file refers to a suspicious, heavily-obfuscated JavaScript file with more than 12,000 lines of code. The suspicions grew further when de-obfuscation of the script revealed that it tries to enumerate the following list of security products and tools in order to filter out security researchers and users with protections that would prevent exploitation.
In case the code doesn’t find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK landing page. Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware.
The experts claim that the malicious “ads” were delivered through at least two affiliate networks: adnxs and taggify. Most probably, the people behind this operation are trying to ride on the reputation the domain had and abuse it to trick ad companies into publishing their malicious ads.
Nevertheless, some questions remained unanswered: are the people behind Angler doing this directly, or are they acquiring this from a fellow criminal? Is this a lucky catch for them, or a new trend of “stalking” domains nearing expiration?
While making their analysis, the experts noticed two more expired “media”-related domains exhibiting the same characteristics as brentsmedia[.]com: “envangmedia[.]com” and “markets.shangjiamedia[.]com”, and looking up the IP address of brentsmedia shows that another similarly named domain has already been registered to point to an IP address.
No one can be certain if the above-mentioned will lead to a new trend or not, though it is absolutely certain that Malvertising is reaching new heights every day.
