Emol.com (El Mercurio On-Line) is a very popular information portal, ranked the 5th most visited site in Chile. El Mercurio is a conservative Chilean newspaper with a troubled past, including funding from the CIA in the early 1970s to undermine the Socialist government of Salvador Allende.

In more recent times, Emol was serving a malicious advert that automatically exposed visitors to the site to the Angler exploit kit. The infection came from ad platform adXion, whose client list includes emol.com, Yahoo Chile and others.


Traffic flow:

  • Publisher: emol.com
  • Ad platform: pn1.adxion.com/www/delivery/adifr_sphx.php?num={redacted}www.emol.com&rr=48917368
  • Fraudulent server: experienced.robeotics.com/provider/vicetpresident/ips.js
  • Angler EK landing: collinvitticumuliform.eventledsigns.com/WwwsTF/675902-PqtoHSXm-thBjx-OhwpDiUU-.php

Shadowed domain:

  • Hostname: experienced.robeotics.com
  • IP address: 188.227.18.113
  • Infrastructure: nginx

Main domain (parked):

  • Hostname: robeotics.com
  • IP address: 184.168.221.52 (GoDaddy)
  • Infrastructure: Microsoft-IIS/7.5
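The contrast above (a subdomain on nginx at one IP while its apex domain sits parked on IIS at GoDaddy) is the signature of domain shadowing. As an added example that is not part of the original write-up, the following Python flags subdomains whose resolved IP or server software differs from their apex domain, using the values listed above plus a constructed benign control; the `HostObservation` record and the naive two-label apex extraction are assumptions of this example.

```python
"""Flag possible shadowed subdomains from hostname / IP / Server-header observations."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostObservation:
    hostname: str
    ip: str
    server: str  # value of the HTTP Server response header


def apex_of(hostname: str) -> str:
    # Assumption: apex is the last two labels. Adequate for .com, not for ccTLDs like .co.uk.
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def find_shadowed(observations):
    """Return (subdomain, apex, reasons) for subdomains hosted on infrastructure that
    does not match their apex domain. Heuristic only: CDNs and split hosting also trigger it."""
    by_host = {o.hostname.lower(): o for o in observations}
    findings = []
    for host, obs in by_host.items():
        apex = apex_of(host)
        if host == apex or apex not in by_host:
            continue  # apex itself, or no apex observation to compare against
        apex_obs = by_host[apex]
        reasons = []
        if obs.ip != apex_obs.ip:
            reasons.append(f"ip differs ({obs.ip} vs apex {apex_obs.ip})")
        # Compare server product only (ignore version), e.g. "nginx" vs "Microsoft-IIS"
        if obs.server.split("/")[0].lower() != apex_obs.server.split("/")[0].lower():
            reasons.append(f"server differs ({obs.server} vs apex {apex_obs.server})")
        if reasons:
            findings.append((host, apex, reasons))
    return findings


# Constructed observations: the first two reproduce the write-up, the rest are a benign control.
SAMPLE = [
    HostObservation("robeotics.com", "184.168.221.52", "Microsoft-IIS/7.5"),
    HostObservation("experienced.robeotics.com", "188.227.18.113", "nginx"),
    HostObservation("example.com", "203.0.113.10", "nginx"),      # constructed
    HostObservation("www.example.com", "203.0.113.10", "nginx"),  # constructed
]

if __name__ == "__main__":
    for host, apex, reasons in find_shadowed(SAMPLE):
        print(f"{host} (apex {apex}): " + "; ".join(reasons))
```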

This attack shares some commonalities with others we have observed more recently that leverage the same kind of redirector to Angler. We have notified adXion about this abuse of their platform.

We recommend that people keep their machines up to date and use an exploit mitigation tool such as Malwarebytes Anti-Exploit to block drive-by download attacks via malvertising. Angler EK, like many other exploit kits, has predominantly been delivering ransomware infections, and it goes without saying that prevention is better than reaction.