Our systems have detected infections coming from popular adult site Xtube, ranked #780 in the US and with an estimated 25 million visits.

Unlike other attacks we have seen in recent times, this one does not use malicious ads (malvertising) to compromise users.

Instead, it injects a malicious snippet of code directly into Xtube itself (dynamic, on-the-fly injection) with rotating domains:

insertion2

The jsloggery.com domain serves as a redirector to an Exploit Kit landing page:

redir2

Here’s a list of redirectors we have observed so far:

hxxp://adstager.com/index.php
hxxp://adversal2.com/index.php
hxxp://adlivecity.com/index.php
hxxp://jsloggery.com/

The final step is the Neutrino Exploit Kit which promptly fires a Flash exploit:

swf2

exploit

The payload is detected by Malwarebytes Anti-Malware as Trojan.MSIL.ED.

Here is a summary of the attack flow:

Fiddler2

Malwarebytes Anti-Exploit users are protected from this threat.

xtubeMBAE

We have warned the administrators at Xtube about this problem and will update the post as soon as we get more details.