We have caught a new malvertising campaign on the PopAds network launching the Magnitude exploit kit via pop-under ads.

A pop-under is an ad window that appears behind the main browser window and typically remains open until the user manually closes it. Unsuspecting victims running outdated versions of the Flash Player were immediately infected with the CryptoWall ransomware.

This campaign started around January 1st with ads mostly placed on various adult and video streaming sites and lead to an increase in Magnitude EK activity.

Infection flow overview

  1. serve.popads.net/servePopunder.php?cid={redacted}
  2. {redacted}.name/
  3. Magnitude EK domain

Magnitude EK overview

fiddler

Landing page

Magnitude_Landing

Flash exploit (CVE-2015-7645)

Flash

  • MD5 (Original)bc0939c7cb7d85b6789fbd6a160a4470
  • MD5 (Decompiled)b91d14a85576f9c0d2864f802f8a039b

According to our data, this attack mainly targeted European users:

graphic

CryptoWall 4 infection

Once a system is infected, personal files are encrypted and usable as indicated in the dreaded CryptoWall ransom page:

ransompage

To recover pictures, documents and other import files, users are asked to pay in order to receive a “decryption” key.

ransom

Malware MD5c0f8d8d2bf9a70cc69d641ed0263f77e

Prevention

Ransomware is one particular type of malware where prevention and backups are more important than ever. Since this particular attack relies on web exploits to infect the machine, it is crucial to keep your browser and related plugins up to date.

You may also want to consider disabling or removing the Flash Player altogether since it has suffered a high number of zero-day exploits in recent history (even the latest version was vulnerable).

Malwarebytes Anti-Exploit users were already protected against this exploit kit and never even saw the CryptoWall payload.

MBAE_Magnitude

We have notified the ad network and hope they can shutdown this campaign.