Video marketing. Approaches, methods and measures to promote products and services based on video. For web construction, mobile applications, banners, corporate brochures, book covers, layouts etc

Magnitude EK Malvertising Déjà Vu

During the past few days we have witnessed an increase in the number of malvertising incidents involving the Magnitude exploit kit. The last time we blogged about this was in mid November 2015 and we attributed the event to the fact that Magnitude EK had just integrated a newer Flash exploit (CVE-2015-7645).

We fast-forward a few months and see that things haven’t changed one bit:

  • Same ad network (Propeller Ads Media)
  • Newer Flash exploit (CVE-2015-8651)
  • CryptoWall

We see the use of “redirectors” which obfuscate the URL to Magnitude:

script

Traffic flow:

Fiddler

Flash exploit: (blocked by Malwarebytes Anti-Exploit)

Magnitude_EK_

CryptoWall: (blocked by Malwarebytes Anti-Ransomware Beta)

MBAR_

While reviewing this attack, we also spotted a similar malvertising attack via another ad network (AdsTerra):

Fiddler2

We reported both campaigns to the respective ad networks.

IOCs:

Ad networks

:

  • terraclicks[.]com
  • onclickads[.]net
Redirectors

:

  • discount-shop[.]org
  • freewellgames[.]biz
  • onlinewellgame[.]com
  • mov-3s[.]com
Payload

(CryptoWall): e5c3fa1f1b22af46bf213ed449f74d40

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher