Malicious advertising attacks (malvertising) have been plaguing mainstream sites and their visitors a lot these past few years. While some are easy to spot and get rid of, others tend to be much more sophisticated and hard to shine light on. This past Saturday, we discovered a malicious advert that was displayed on huffingtonpost.com and that was used to deliver the Cryptowall ransomware via a Flash exploit.
During our malware investigations, we are often learning about new techniques or ways the bad guys try to bypass us. But sometimes, we also experience cultural differences or discover some new things about people or countries. Today is such as case, with a bit of a geography lesson brought to us by the RIG exploit kit which takes us to Croatia.
This Pirate Bay clone is actively pushing the Nuclear exploit kit with an iframe and will infect vulnerable visitors via drive-by download attacks. We’ve also detected several WordPress sites injected with the same iframe.