During the past few days we have noticed a higher than usual number of malvertising attacks pushing the Magnitude exploit kit – which had been relatively quiet – to drop ransomware.
Magnitude EK is one of those exploit kits we don’t hear about as much in comparison to others such as Angler EK or Nuclear EK. Its unique URL pattern makes it easy to spot in the clutter of network traffic captures: it uses long chains of subdomains that typically end in a shady top-level domain such as .pw (the country-code TLD of Palau, a Pacific island).
Some of the ad networks involved in this malvertising campaign include:
- RevenueHits
rvfrm2006.com/adServe/sa?cid=11021-110100501933000000&pid=11021&q=ANUBiH%20-%20Prijava&ap=cmp%3DPOPUNDER
clkdeals.com/adServe/getTag?pid=11021&type=inject&cid=110100501933000000&appName=GoHD&q=id195.ea7u.c0.d6177f.53f.j2cb5n.8c974r.xe02c5.j19s72w2gq9.whatplea.pw
- VisAdd
a.visadd.com/internal/reporter?v=2&subid=110100501933000000&format=0&ai=990&ctxu=http%3A//id195.ea7u.c0.d6177f.53f.j2cb5n.8c974r.xe02c5.j19s72w2gq9.whatplea.pw/&fb=false{redacted}
- Propeller Ads Media
onclickads.net/?auction_id=d1586e4cbe6a34cf&zoneid=26518&pbk2=97419d16d0b3957f090d85f852f50a5c6216021660945859924&r=%2Foc%2Fhan
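The URL pattern described above (a long chain of short mixed alphanumeric subdomains under .pw) is simple to turn into a detection rule. The following is an added example, not code from the original post: it runs a heuristic over a few constructed proxy log lines that reuse the whatplea.pw hostname seen in the ad network URLs. The thresholds (minimum label count, TLD set) are assumptions chosen for illustration and would need tuning on real traffic.

```python
import re
from urllib.parse import urlsplit

# Heuristic parameters; these are assumptions for the example, not values from the post.
SUSPECT_TLDS = {"pw"}   # shady TLD the campaign was observed using
MIN_LABELS = 8          # Magnitude hosts chain many short subdomains
# A label containing both letters and digits, e.g. "ea7u" or "j2cb5n"
MIXED_LABEL_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]+$")
URL_RE = re.compile(r"https?://\S+")

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2015-10-29T10:01:02Z 10.0.0.5 GET http://id195.ea7u.c0.d6177f.53f.j2cb5n.8c974r.xe02c5.j19s72w2gq9.whatplea.pw/
2015-10-29T10:01:03Z 10.0.0.5 GET http://a.visadd.com/internal/reporter?v=2
2015-10-29T10:01:04Z 10.0.0.7 GET http://www.example.pw/index.html
2015-10-29T10:01:05Z 10.0.0.7 GET http://cdn.static.assets.images.photos.example.com/a.png
""".splitlines()


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def looks_like_magnitude(host: str) -> bool:
    """Flag hosts built from a long chain of short mixed alnum labels under a suspect TLD."""
    labels = host.split(".")
    if len(labels) < MIN_LABELS or labels[-1] not in SUSPECT_TLDS:
        return False
    # Ignore the registered domain and TLD; count how many of the leading labels mix letters and digits.
    mixed = sum(1 for label in labels[:-2] if MIXED_LABEL_RE.match(label))
    return mixed >= MIN_LABELS // 2


def scan_log(lines):
    """Return the hostnames from the log lines that match the Magnitude-style heuristic."""
    hits = []
    for line in lines:
        match = URL_RE.search(line)
        if match is None:
            continue
        host = host_of(match.group(0))
        if looks_like_magnitude(host):
            hits.append(host)
    return hits


if __name__ == "__main__":
    for host in scan_log(SAMPLE_LOG):
        print("suspect Magnitude EK host:", host)
```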
Perhaps this increased activity is due to the fact that Magnitude EK is now the third exploit kit to leverage the latest Flash Player vulnerability (CVE-2015-7645), recently patched by Adobe.
CryptoWall was dropped via two separate malware binaries. Malwarebytes Anti-Exploit users were protected against Magnitude EK and never got to see the malware payload.
The first two sites above have been rated accordingly in WOT. New ratings for Propeller Ads Media have been disabled due to “unusual activity” (suspected scorecard manipulation). People try that over at WOT all the time; it does not work.