During the past few days we have noticed a higher than usual number of malvertising attacks pushing the Magnitude exploit kit – which had been relatively quiet – to drop ransomware.
Magnitude EK is one of those exploit kits we don’t hear about as much in comparison to others such as Angler EK or Nuclear EK. Its unique URL pattern makes it easy to spot from the clutter of network traffic captures because it uses chained subdomains typically ending in a shady Top Level Domain like pw (Palau Pacific island).
Some of the ad networks involved in this malvertising campaign include:
- RevenueHits
rvfrm2006.com/adServe/sa?cid=11021-110100501933000000&pid=11021&q=ANUBiH%20-%20Prijava&ap=cmp%3DPOPUNDER clkdeals.com/adServe/getTag?pid=11021&type=inject&cid=110100501933000000&appName=GoHD&q=id195.ea7u.c0.d6177f.53f.j2cb5n.8c974r.xe02c5.j19s72w2gq9.whatplea.pw
- VisAdd
a.visadd.com/internal/reporter?v=2&subid=110100501933000000&format=0&ai=990&ctxu=http%3A//id195.ea7u.c0.d6177f.53f.j2cb5n.8c974r.xe02c5.j19s72w2gq9.whatplea.pw/&fb=false{redacted}
- Propeller Ads Media
onclickads.net/?auction_id=d1586e4cbe6a34cf&zoneid=26518&pbk2=97419d16d0b3957f090d85f852f50a5c6216021660945859924&r=%2Foc%2Fhan
Perhaps this increased activity is due to the fact that Magnitude EK is the third exploit kit to leverage the latest Flash Player vulnerability (CVE-2015-7645) recently patched by Adobe.
CryptoWall was dropped via two separate malware binaries. Malwarebytes Anti-Exploit users were protected against Magnitude EK and never got to see the malware payload.
COMMENTS
Pingback: Magnitude EK usage gains momentum with latest Flash vulnerability | Cyber Security News()
Pingback: Researchers witness surge in malvertising attacks pushing Magnitude exploit kit - Firstpost()
Pingback: Researchers witness surge in malvertising attacks pushing Magnitude exploit kit - Democratsnewz()
Pingback: Researchers witness surge in malvertising attacks()
Pingback: Are You Afraid Of Malware Ads? | Oversite Sentry()
Pingback: London (and Dublin) calling – on a mission in the UK and Ireland | Malwarebytes Unpacked()
Pingback: London (and Dublin) calling – on a mission in the UK and Ireland | Secured Universe News()
Pingback: Malware Crypters – the Deceptive First Layer | Malwarebytes Unpacked()
Pingback: Magnitude EK Malvertising Déjà Vu | Malwarebytes Labs()