We have not seen very many large scale malvertising attacks following the mysterious disappearance of the powerful Angler EK. The ones we do see tend to be related to low quality traffic and usually push the less sophisticated RIG or Magnitude exploit kits.

The last high profile malvertising activity we had caught was on June 7th with a drive-by download incident on Yahoo that leveraged Neutrino EK instead of Angler EK to exploit and compromise unwitting visitors. This was rather unusual and was later confirmed as not just an anomaly, but a transition to Neutrino, precisely around that same time frame.

Attacks have been scarce since then, but we just spotted a malvertising group known for its use of SSL redirectors pushing a malicious ad banner via RTB platform smartadserver. The advert will be benign to non intended targets, making it harder to flag and report.

Flow2Figure 1: a bogus advert displayed on cochesaldia.com (click to enlarge)

We note the same modus operandi we are used to from these actors:

  • domain shadowing
  • free SSL (Comodo)
  • fingerprinting
  • open HTTPS redirect (rfihub)

This fingerprinting code is exactly the same as it was last year, with the exception of a few new vendor names and sandboxes added to the watch list. While the rogue advert performs this fingerprinting, so does Neutrino EK, from within the actual Flash exploit.

The logic is that machines running these tools are either unlikely to get infected or belong to security researchers and therefore should be avoided. For this reason, having Malwarebytes software installed will protect you against this attack by default.

Malvertising has always come in waves with attackers calculating their next move and big target, but the apparent demise of Angler EK has had an immediate impact. While Neutrino EK has picked up the top place among exploit kits, most of the infections we are seeing via drive-by downloads are happening via compromised websites, rather than malicious ads.

It is far easier to hack into regular websites and inject malicious code but the reach in terms of traffic is much smaller compared to having a malicious advert displayed on top tier publishers. A single bad ad can expose hundreds of thousands of people at once, whereas it would take a lot of compromised websites to reach the same exposure level.

We can theorize threat actors are busy reorganizing planning for their next objectives and malvertising is most likely going to remain their weapon of choice to drive traffic to their malicious payloads.


  • Shadowed domain: pixels.prestonchevroletcadillac.net
  • Neutrino EK landing: http://coarsehandedteletrak.sqlonlineeditor.co.uk/permission/1508994/mouth-closer-citizen-filch-tumble-bold-visitor