Malvertising makes use of the Magnitude exploit kit to deliver ransomware

Online advertisements can be annoying. But what if they spread malware too? The excessive greed of a few has led to the rise of malvertising: advertisements that redirect or lead to malware. A recent Zscaler study revealed that several compromised websites contained ads that led to ransomware.

Compromised websites lead to drive-by-download attacks serving ransomware

In these attacks, the malicious payload is delivered to vulnerable systems using a popular technique known as drive-by-download. Essentially, compromised websites host the Magnitude exploit kit, a community name chosen for an exploit kit previously referred to as “Popads”, which drops malware onto the system using vulnerabilities found in the browser.

The following websites were found to redirect to malicious content:

The malvertising networks lead to redirector domains using “302 cushioning”, i.e. a chain of HTTP 302 redirections, in order to avoid detection.
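The redirection chain described above can be spotted on the defender's side from web proxy logs. The following is an added example, not code from the original post or from Zscaler: it assumes a hypothetical space-separated log format (timestamp, client IP, HTTP status, requested URL, Location header) and uses constructed sample lines to flag clients whose consecutive 302 hops link into one another.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the original post).
# Hypothetical format: timestamp client status url location ("-" when absent)
SAMPLE_LOG = """\
2015-06-01T10:00:01 10.0.0.5 200 http://news.example/article.html -
2015-06-01T10:00:02 10.0.0.5 302 http://ads.example/click?id=1 http://redir1.example/go
2015-06-01T10:00:02 10.0.0.5 302 http://redir1.example/go http://redir2.example/hop
2015-06-01T10:00:03 10.0.0.5 302 http://redir2.example/hop http://landing.example/search.php
2015-06-01T10:00:03 10.0.0.5 200 http://landing.example/search.php -
2015-06-01T10:00:10 10.0.0.7 302 http://shop.example/old http://shop.example/new
2015-06-01T10:00:10 10.0.0.7 200 http://shop.example/new -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")


def parse_lines(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, status, url, location = m.groups()
            records.append({"ts": ts, "client": client, "status": int(status),
                            "url": url, "location": location})
    return records


def find_302_chains(records, min_hops=3):
    """Per client, follow runs of 302 responses where each Location header is the
    URL of the next request. Return chains with at least min_hops hops."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    chains = []

    def flush(client, chain):
        if len(chain) >= min_hops:
            chains.append({"client": client, "hops": [c["url"] for c in chain],
                           "landing": chain[-1]["location"]})

    for client, recs in by_client.items():
        chain = []
        for r in recs:
            if r["status"] == 302 and (not chain or chain[-1]["location"] == r["url"]):
                chain.append(r)           # this hop continues the current chain
            else:
                flush(client, chain)      # chain broken: emit it if long enough
                chain = [r] if r["status"] == 302 else []
        flush(client, chain)
    return chains
```

A single 302 (as in the shop.example lines) is normal web behaviour; raising the threshold to several linked hops is what separates cushioning from ordinary redirects.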

The “magnitude” of damage

Magnitude delivers a Flash payload and a highly obfuscated JavaScript payload, exploiting the MS13-009 integer overflow vulnerability. After compromising the system, shellcode is dropped that carries a list of URLs to fetch, which lead to ransomware. In this case, the first link led to CryptoWall 3.0, an updated version of a notorious ransomware family that has made headlines several times.

As stated by Zscaler:

“This is a highly profitable ransomware payload that leverages Bitcoin transactions executed over the Tor Anonymizer to monetize the attack. Threat Actors utilize this method of collection because it can’t be reliably traced back to them. Victims are especially vulnerable to this type of extortion since very few people seem to backup their critical files such as documents and pictures.”

As with any ransomware attack, backups are a lifesaver here. We strongly recommend making regular backups of your data and running up-to-date malware protection to keep malvertising strikes at bay.

Have a nice (malware-free) day!