Ad Serving Platform Used By PUA Also Delivers Magnitude Exploit Kit

Last month, we wrote about a malvertising campaign showing that ad platforms, even on non-browser applications, are susceptible to malware attacks that push users towards the Angler exploit kit (EK).

Last week, we noticed yet another malvertising campaign, this time pushing users towards the Magnitude exploit kit.

[Figure: Magnitude EK hits, 2016.03.04]

[Figure: Magnitude URLs]

We noticed the following ad platforms being used in redirection to Magnitude EK.

www.terraclicks.com 
bestadbid.com
onclickads.net
popped.biz
click2.danarimedia.com
ads.adamoads.com

An interesting observation about one of the ad platforms, click2.danarimedia.com, is that it is also used by some distributions of Conduit Toolbars, which are considered “potentially unwanted” because they usually come bundled with free software and force changes to browser settings.

[Figure: Conduit properties]

[Figure: Conduit strings text]

The redirection to Magnitude EK from the same ad platform, as seen in our upstream, is shown below.

[Figure: Magnitude EK redirection, 2016.03.04]
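
A hunting sketch for the redirection described above, added here as an example and not F-Secure's own code: it scans proxy logs for requests whose Referer is one of the listed ad platforms and reports the landing hosts for triage. The four-field log format, the function names and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

# Ad platforms the post lists as seen in redirection to Magnitude EK.
AD_PLATFORMS = {
    "www.terraclicks.com", "bestadbid.com", "onclickads.net", "popped.biz",
    "click2.danarimedia.com", "ads.adamoads.com",
}

# Constructed sample proxy log: "<time> <client> <url> <referer>" (assumed format).
SAMPLE_LOG = """\
2016-03-04T10:00:01 10.0.0.5 http://click2.danarimedia.com/c?id=1 http://search.toolbar.example/
2016-03-04T10:00:02 10.0.0.5 http://landing.example.net/ http://click2.danarimedia.com/c?id=1
2016-03-04T10:00:09 10.0.0.7 http://cdn.onclickads.net/a.js http://news.example.org/
2016-03-04T10:00:10 10.0.0.7 http://gate.example.com/x http://cdn.onclickads.net/a.js
2016-03-04T10:00:11 10.0.0.8 http://shop.example.org/ http://notpopped.biz/
2016-03-04T10:00:12 10.0.0.9 http://bestadbid.com/r http://onclickads.net/
"""

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def ad_platform_for(host):
    """Return the listed platform that host equals or is a subdomain of, else None."""
    for d in AD_PLATFORMS:
        # Require a dot boundary so "notpopped.biz" does not match "popped.biz".
        if host == d or host.endswith("." + d):
            return d
    return None

def find_redirects(log_text):
    """Return (client, platform, landing_host) for requests referred by a listed
    ad platform to a host that is not itself a listed platform."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, url, referer = parts
        platform = ad_platform_for(host_of(referer))
        dest = host_of(url)
        if platform and dest and not ad_platform_for(dest):
            hits.append((client, platform, dest))
    return hits

if __name__ == "__main__":
    for client, platform, dest in find_redirects(SAMPLE_LOG):
        print(f"{client}: {platform} -> {dest}")
```

The listed hosts are ad platforms that also carry ordinary traffic, so each hit is a lead for reviewing the landing host, not a verdict on it.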

This proves that we should not underestimate the power of Potentially Unwanted Applications (PUA). Even if a program started as potentially unwanted, that does not mean attackers cannot take advantage of it to deliver other threats to the user’s machine. It is very possible that users could get redirected to exploit kits and eventually end up with a malware infection, which, for this particular exploit kit, is CryptoWall ransomware.

[Figure: CryptoWall]

SHA1: b9bf3131acae056144b070c21ed45623ce979eb3

Our users are protected from these threats through the following detections:

  • Exploit:JS/MagnitudeEK.A
  • Exploit:SWF/Salama.H
  • Trojan:W32/Crowti.A!DeepGuard
  • Application:W32/Conduit.B

