Security researchers from Malwarebytes have discovered a new malvertising campaign targeting visitors of several adult websites, spreading the Ramnit trojan and focusing on users from Canada and the UK.
According to the security firm, the malicious ads used in this malvertising campaign belonged to the ExoClick advertising network, which was notified and promptly identified and terminated the rogue advertiser’s account and ads.
Malwarebytes researcher Jérôme Segura said the malvertising campaign hit mainly adult portals, but did not specify which ones, other than See.xxx.
Malvertising campaign leveraged pop-under ads
According to Segura, the malvertising campaign did not rely on classic advertising banners, but on pop-under ads. These are adverts that load in a new, unfocused browser window, while the original browser window keeps the focus.
Malicious code contained in those fullscreen pop-under ads redirected users to a TDS (Traffic Distribution System), which then, through multiple other redirections, sent users to the landing page of an instance of the RIG exploit kit.
Geolocation filters were in place: only users from certain regions, mainly Canada and the UK, were selected and sent on to the exploit kit.
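The chain described above (pop-under ad, TDS, several redirections, exploit-kit landing page) leaves a footprint in web-proxy logs that a defender can reconstruct: a client issues a request to an ad server, receives a 3xx response, fetches the Location target, receives another 3xx, and so on until a page on a domain never seen before answers 200. The Python below is an added example written for this article, not code from Malwarebytes, ExoClick or Bleeping Computer; the simplified log format and every hostname and IP address in it are constructed placeholders, not indicators from the campaign.

```python
"""Reconstruct HTTP redirect chains from (constructed) proxy log lines.

Multi-hop redirect chains that start at an ad server and hop across several
unrelated domains before landing are a typical footprint of TDS-driven
malvertising. Every hostname and IP below is a constructed placeholder.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log, one request per line:
#   "<epoch> <client-ip> <status> <url> <Location-header-or-->"
SAMPLE_LOG = """\
1000 10.0.0.5 200 http://video-site.example/watch?id=7 -
1001 10.0.0.5 302 http://ads.adnet-placeholder.example/pop?z=1 http://go.tds-placeholder.example/r/1
1002 10.0.0.5 302 http://go.tds-placeholder.example/r/1 http://cdn.hop-two.example/x.php
1003 10.0.0.5 302 http://cdn.hop-two.example/x.php http://landing.ek-placeholder.example/index.php?q=ab
1004 10.0.0.5 200 http://landing.ek-placeholder.example/index.php?q=ab -
1005 10.0.0.9 302 http://shop.example/old http://shop.example/new
1006 10.0.0.9 200 http://shop.example/new -
"""


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, location = line.split(maxsplit=4)
        entries.append({
            "ts": int(ts),
            "client": client,
            "status": int(status),
            "url": url,
            "location": None if location == "-" else location,
        })
    return entries


def build_chains(entries):
    """Follow each 3xx response to the same client's next request for its Location URL.

    Returns a list of (client, [url0, url1, ...]) where url0 is the first
    redirecting request and the last element is the final fetched (or
    unfetched) target.
    """
    by_client = defaultdict(list)
    for entry in sorted(entries, key=lambda x: x["ts"]):
        by_client[entry["client"]].append(entry)

    chains = []
    for client, events in by_client.items():
        consumed = set()  # indices already absorbed into an earlier chain
        for i, start in enumerate(events):
            is_redirect = 300 <= start["status"] < 400 and start["location"]
            if i in consumed or not is_redirect:
                continue
            chain = [start["url"]]
            idx, cur = i, start
            while cur["location"]:
                # The next request by this client whose URL equals the Location target.
                nxt = next(
                    ((j, ev) for j, ev in enumerate(events)
                     if j > idx and ev["url"] == cur["location"]),
                    None,
                )
                if nxt is None:
                    chain.append(cur["location"])  # target was never fetched
                    break
                idx, cur = nxt
                consumed.add(idx)
                chain.append(cur["url"])
            chains.append((client, chain))
    return chains


def hosts(chain):
    """Hostnames of every URL in a chain, in order."""
    return [urlsplit(u).hostname for u in chain]


def cross_domain_hops(chain):
    """Count consecutive redirects that change the hostname."""
    h = hosts(chain)
    return sum(1 for a, b in zip(h, h[1:]) if a != b)


def suspicious_chains(chains, min_hops=3):
    """Flag chains with at least min_hops cross-domain redirects.

    Same-site redirects (old URL to new URL on one domain) never qualify,
    which keeps ordinary site maintenance out of the alert stream.
    """
    return [(c, chain) for c, chain in chains if cross_domain_hops(chain) >= min_hops]


if __name__ == "__main__":
    for client, chain in suspicious_chains(build_chains(parse_log(SAMPLE_LOG))):
        print(client, " -> ".join(hosts(chain)))
```

The threshold of three cross-domain hops is a starting point, not a rule: tune it against a baseline of the organisation's normal traffic, and treat the first hostname of a flagged chain (the ad server) and the last one (the landing page) as the two places worth enrichment with reputation and first-seen data.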
Malvertising led users to RIG EK spreading Ramnit
These filters are consistent with the final payload, which was the Ramnit banking trojan, known to have targeted users in these two countries in the past.
In Ramnit’s heyday, its operators heavily targeted Canadian users, as the banking trojan was equipped with the tools and features needed to steal credentials and money from Canadian banks.
In the spring and summer of 2016, when the malware returned with what researchers called Ramnit v2, it added support for UK banks.
The Ramnit trojan has an interesting history, which we detailed in a previous article. The trojan’s botnet survived a sinkhole attempt by Europol in early 2015 and has been slowly returning to its previous numbers.
Besides stealing credentials for online banking portals, the Ramnit trojan also behaves like an infostealer and dumps passwords from browsers and other applications.
Bleeping Computer has reached out to Segura for a list of adult portals where the malvertising campaign was spotted.