During the past few days we have witnessed an increase in the number of malvertising incidents involving the Magnitude exploit kit. The last time we blogged about this was in mid-November 2015, and we attributed the event to the fact that Magnitude EK had just integrated a newer Flash exploit (CVE-2015-7645).

We fast-forward a few months and see that things haven’t changed one bit:

  • Same ad network (Propeller Ads Media)
  • Newer Flash exploit (CVE-2015-8651)
  • CryptoWall

We see the use of “redirectors” which obfuscate the URL to Magnitude:

[Screenshot: redirector script]

Traffic flow:

[Screenshot: Fiddler traffic capture]

Flash exploit: (blocked by Malwarebytes Anti-Exploit)

[Screenshot: Malwarebytes Anti-Exploit blocking the Magnitude EK Flash exploit]

CryptoWall: (blocked by Malwarebytes Anti-Ransomware Beta)

[Screenshot: Malwarebytes Anti-Ransomware Beta blocking CryptoWall]

While reviewing this attack, we also spotted a similar malvertising attack via another ad network (AdsTerra):

[Screenshot: Fiddler traffic capture of the AdsTerra campaign]

We reported both campaigns to the respective ad networks.

IOCs:

Ad networks:

  • terraclicks[.]com
  • onclickads[.]net

Redirectors:

  • discount-shop[.]org
  • freewellgames[.]biz
  • onlinewellgame[.]com
  • mov-3s[.]com

Payload (CryptoWall): e5c3fa1f1b22af46bf213ed449f74d40
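As an added example that is not part of the original post, the domain IOCs above refanged and matched against constructed proxy log lines, with a second pass that flags clients seen at an ad-network domain and then at a redirector, the order the traffic flow above shows. The log layout, sample lines and function names are assumptions.

```python
import re
from urllib.parse import urlsplit

DEFANGED_DOMAINS = {  # IOCs from the post, kept in its defanged form
    "ad_network": ["terraclicks[.]com", "onclickads[.]net"],
    "redirector": ["discount-shop[.]org", "freewellgames[.]biz", "onlinewellgame[.]com", "mov-3s[.]com"],
}
def refang(domain):
    """Turn the post's 'example[.]com' notation back into a real hostname."""
    return domain.replace("[.]", ".").lower()
def host_matches(host, ioc_domain):
    """Exact match or subdomain of the IOC; a lookalike like ioc.com.evil.org does not match."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)
def classify_host(host):
    """Return (role, defanged IOC) for a known host, or None."""
    for role, domains in DEFANGED_DOMAINS.items():
        for d in domains:
            if host_matches(host, refang(d)):
                return role, d
    return None
# Assumed log layout (constructed): "<timestamp> <client_ip> <method> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)")

def scan_proxy_log(lines):
    """Return (client, role, ioc) for every line whose host matches an IOC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        host = urlsplit(m.group("url")).hostname if m else None
        found = classify_host(host) if host else None
        if found:
            hits.append((m.group("client"), found[0], found[1]))
    return hits
def suspicious_chains(hits):
    """Clients seen at an ad-network IOC and then at a redirector, the order the post describes."""
    seen_ad, flagged = set(), []
    for client, role, _ in hits:
        if role == "ad_network":
            seen_ad.add(client)
        elif role == "redirector" and client in seen_ad and client not in flagged:
            flagged.append(client)
    return flagged

SAMPLE_LOG = [  # constructed sample lines, not taken from the post
    "2016-01-14T10:00:01Z 10.0.0.5 GET http://news.example.com/",
    "2016-01-14T10:00:02Z 10.0.0.5 GET http://ads.onclickads.net/",
    "2016-01-14T10:00:03Z 10.0.0.5 GET http://freewellgames.biz/",
    "2016-01-14T10:00:04Z 10.0.0.7 GET http://mov-3s.com.example.org/",
]
```

Running `suspicious_chains(scan_proxy_log(SAMPLE_LOG))` on the sample returns only `10.0.0.5`; the lookalike host on the last line matches nothing.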