Malvertising Via Skype Delivers Angler

A recent malvertising campaign shows that platforms that display ads are not immune to this attack, even when the platform is not a browser.

An example of a popular non-browser application that shows ads is Skype. These images would be familiar to avid Skype users.

[Images: Skype ad, Skype call ad, Skype ads]

This did not really bother us much until last night, when we saw an unusual spike in our charts caused by a malvertising campaign running through the AppNexus ad platform (adnxs.com).

[Images: Spike, URLs]

One of the platforms for infection that we observed was Skype. It was interesting to note that having the ad displayed in a platform external to the browser did not mean that the browser was out of reach: the redirect still opened in the browser, so the user could still be affected.

http://ams1.ib.adnxs.com/if?e=wqT_3QLNBPBCRA[...]uAQA&s=1d86c6[...]&referrer=skype.com
    led to http://dwuplaszczyznowosc.checkcashingbridgeport.com/boards/index.php
http://ams1.ib.adnxs.com/if?e=wqT_3QLVBPQAAU[...]uAQA&s=a9adea[...]&referrer=skype.com
    led to http://staraly1savage.bendovr.com/forums/viewtopic.php

This is not the first time infections were launched via Skype, though; previous reports in forums and security news have already described the Skype scenario.

This particular campaign ended up redirecting to the Angler exploit kit.

Infections through ordinary browser visits were of course also present, which means that this attack was not targeted specifically at Skype users. For a user who was using a browser, here is an example of the infection chain we observed:

  • User visited ebay.it
  • Ebay.it pulled an ad from ad-emea.doubleclick.net
  • Doubleclick.net pulled an ad from fra1.ib.adnxs.com
  • Adnxs.com redirected to eleison.virtualrealitybros.com, which is the Angler exploit kit landing page
  • The Angler exploit kit downloaded and installed a ransomware called TeslaCrypt
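One way a defender can surface such a chain from a web proxy log is to walk the Referer headers backwards from any request that an ad network handed off to a host outside the ad networks. This is an added example, not code from the original post; the log format and the hostnames in the sample are constructed from the hops listed above, and for the Skype case (no Referer header) it falls back to the `referrer=` query parameter seen in the adnxs URLs.

```python
from urllib.parse import urlparse, parse_qs

# Ad-network domains named in the post; the Angler landing pages were not on these.
AD_NETWORKS = ("doubleclick.net", "adnxs.com")

# Constructed sample proxy log, hypothetical format: "<client> <url> <referer>" ("-" = none).
SAMPLE_LOG = """\
10.0.0.5 http://www.ebay.it/ -
10.0.0.5 http://ad-emea.doubleclick.net/adj/N1 http://www.ebay.it/
10.0.0.5 http://fra1.ib.adnxs.com/if?e=AAA&s=1 http://ad-emea.doubleclick.net/adj/N1
10.0.0.5 http://eleison.virtualrealitybros.com/forums/viewtopic.php http://fra1.ib.adnxs.com/if?e=AAA&s=1
10.0.0.7 http://ams1.ib.adnxs.com/if?e=BBB&s=2&referrer=skype.com -
10.0.0.7 http://dwuplaszczyznowosc.checkcashingbridgeport.com/boards/index.php http://ams1.ib.adnxs.com/if?e=BBB&s=2&referrer=skype.com
10.0.0.9 http://ad-emea.doubleclick.net/adj/N2 http://www.msn.com/
10.0.0.9 http://cdn.doubleclick.net/banner.jpg http://ad-emea.doubleclick.net/adj/N2
"""

def host_of(url):
    return urlparse(url).hostname or ""

def is_ad_host(host):
    return any(host == d or host.endswith("." + d) for d in AD_NETWORKS)

def parse_log(text):
    """(client, url, referer) tuples; referer is None when logged as '-'."""
    return [(c, u, None if r == "-" else r)
            for c, u, r in (line.split() for line in text.splitlines())]

def redirect_chain(rows, client, url):
    """Walk referers backwards from `url` and return the chain of hostnames."""
    referers = {(c, u): r for c, u, r in rows}
    chain, cur = [url], referers.get((client, url))
    while cur is not None and cur not in chain:  # stop on a referer loop
        chain.insert(0, cur)
        cur = referers.get((client, cur))
    hosts = [host_of(u) for u in chain]
    # Ads shown in Skype arrive with no Referer; adnxs carries the origin in `referrer=`.
    origin = parse_qs(urlparse(chain[0]).query).get("referrer")
    if origin:
        hosts.insert(0, origin[0])
    return hosts

def flag_ad_redirects(text):
    """Chains where an ad-network hop hands the client to a non-ad-network host."""
    rows = parse_log(text)
    flagged = []
    for client, url, ref in rows:
        if ref and is_ad_host(host_of(ref)) and not is_ad_host(host_of(url)):
            flagged.append(redirect_chain(rows, client, url))
    return flagged
```

Both the ebay.it chain and the Skype chain are flagged, while the doubleclick-to-doubleclick banner fetch for the msn.com visitor is not; in practice the flagged destination host is what you would then check against threat intelligence.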

A machine infected with TeslaCrypt will display this message:

[Image: TeslaCrypt message]

Other popular websites that redirected to adnxs.com were gaming-related sites (wowhead.com, gsn.com, zam.com, wikia.com), news sites (dailymail.co.uk) as well as internet portals like msn.com.

This campaign seems to have ended quite quickly. The good news is that, while the campaign was active, our users were protected against this threat, as we detect Angler as Exploit:JS/AnglerEK.D.
