We’ve been monitoring a malvertising campaign very closely as it really soared during the past week. The actors involved seem to be the same as the ones behind the self-sufficient Flash malverts/exploits we’ve documented before and reported by security researcher Kafeine (Spartan EK).
One single domain (easy-trading.biz) is relaying all traffic to other ‘ad networks’ and ultimately to the Nuclear exploit kit. That domain still hosts the malicious Flash file (CVE-2015-7645) that it previously used in standalone attacks.
Now instead, it points its traffic directly to Nuclear EK, which also attempts to exploit CVE-2015-7645 as seen in the picture below:
This malvertising campaign receives traffic from multiple sources, including the AdCash ad network which we promptly informed. According to our telemetry, this attack is accounting for about half of all malvertising activity we are seeing now.
Interestingly, most victims from this campaign are outside of the US and UK and mainly in certain parts of Europe and South America. The payload distributed by the exploit kit is a downloader which retrieves several over pieces of malware including ransomware.
The Fiddler traffic capture below shows the “currency trading” website used as a redirector to Nuclear EK.
The redirection to the exploit kit is slightly obfuscated within the second URL sequence (fake advertiser):
The payload from this attack is a downloader which happens to drop two different pieces of ransomware and more malware afterwards (see IOCs below for a more complete list).
We are mostly used to seeing Angler EK in malvertising attacks lately, so this particular instance was interesting due to its high volume and of course the abundance of payloads dropped.
Malwarebytes Anti-Exploit users were protected against this attack.
- IP: 220.127.116.11
- be9705378cb95e2f1834f21eefe1de31 (CryptoWall?)
- e67161f38d42b1119a1794e00ec9dc9c (TeslaCrypt?)
Traffic (links to binary payloads retrieved by the downloader):