Canada and the U.K. hit by Ramnit Trojan in new malvertising campaign
Over the last few days we have observed an increase in malvertising activity coming from adult websites that have significant traffic (several million monthly visits each). Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously redirect users to the RIG exploit kit.
This particular campaign abuses the ExoClick ad network (ExoClick was informed and took action to stop the fraudulent advertiser based on our reports) and, according to our telemetry, primarily targets Canada and the U.K. The ultimate payloads we collected during this time period were all the Ramnit information stealer (banking, FTP credentials, etc.), which, despite a takedown in 2015, has rebounded and is quite active again.
Pop-under ads and TDS
Pop-under ads are usually triggered when a user clicks on an item on the site they are browsing. In this particular example, clicking on one of the category thumbnails launches the pop-under window behind the main page.
Figure 1: Pop-under advert fires up RIG EK (blocked by Malwarebytes)
Figure 2: Web traffic showing redirection chain to RIG EK from see.xxx
Figure 3: TDS redirection based on the user’s geolocation
We noted the same attack pattern with several other adult portals using the malicious TDS mentioned above to load RIG EK:
Figure 4: Web traffic showing redirection chain to RIG EK from justporno.tv
Ramnit going after Canada and the U.K.
The payloads we collected via our honeypot were all the Ramnit Trojan, which is interesting considering the traffic flow from the TDS (Canada and the U.K. account for the most hits recorded in our telemetry). A report from IBM security researcher Limor Kessem in December 2015 indicated that Canada was the top target with 55% of all Ramnit activity. A follow-up report from the same researcher in August 2016 showed a new wave of attacks directed this time at the U.K.
We informed ExoClick and they have been able to locate and terminate the rogue advertiser. Malwarebytes users were already protected against this distribution campaign and the Ramnit Trojan.
RIG EK domains:
RIG EK IPs: