
Massive Malvertising Campaign in US Leads to Angler Exploit Kit/BEDEP

  • Posted on: March 14, 2016 at 11:31 am
  • Posted in: Bad Sites, Exploits, Vulnerabilities
  • Author: Joseph C Chen (Fraud Researcher)

Top-tier news sites, entertainment portals, and political commentary sites were among the victims of a massive malvertising campaign related to the Angler Exploit Kit. This campaign is targeting users in the United States and may have affected tens of thousands of users in the last 24 hours alone. Based on our monitoring, the malicious ads were delivered by a compromised ad network in these highly-visited mainstream websites. As of this writing, while the more popular portals appear to be no longer carrying the bad ad, the malvertising campaign is still ongoing and thus continues to put users at risk of downloading malware into their systems.

It is interesting to note that the Angler Exploit Kit has reportedly just been updated to exploit additional vulnerabilities. This could imply that its creators are employing a more aggressive strategy to stay ahead of their competitors: we have previously noted that Angler was the dominant exploit kit in 2015. Regardless of which of these players eventually comes out on top this year, in the end it is still the users and website owners who lose.

Since March 9, there has been an uptick in Angler’s activity in the US, one that seems to slowly wane before ratcheting back up again over the weekend.

Figure 1. Exploit Kits’ activity in the US in the last five days

Based on my analysis, once a user visits a page that loads the malicious ad, the said ad automatically redirects to two malvertising servers, the second of which delivers the Angler Exploit kit.

Figures 2 and 3. Malvertising servers used in this attack, and corresponding activities in the last 24 hours (UTC)

Figures 4 and 5. The code redirecting users to Angler Exploit Kit

As of this writing, the exploit kit proceeds to download a BEDEP variant, which in turn drops malware that we detect as TROJ_AVRECON.
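As an added defender-side illustration (not code from the original post or from Trend Micro), the Python script below reconstructs the redirect chain described above from constructed proxy log records: an ad request that redirects twice and ends in a Flash or Silverlight object fetch is reported, while an ad redirect that ends in a benign image is not. The hostnames, client IPs, and the heuristic that the next request from the same client is the redirect target are assumptions.

```python
from collections import defaultdict

# Constructed proxy log records (not real traffic): seconds, client IP, host, HTTP status, Content-Type.
LOG = [
    (0, "10.0.0.5", "news.example", 200, "text/html"),
    (1, "10.0.0.5", "ads.adnet.example", 302, "text/html"),   # ad slot redirects away
    (2, "10.0.0.5", "malvert1.example", 302, "text/html"),    # first malvertising server
    (3, "10.0.0.5", "malvert2.example", 200, "text/html"),    # second one: exploit kit landing page
    (4, "10.0.0.5", "malvert2.example", 200, "application/x-shockwave-flash"),  # Flash exploit fetched
    (0, "10.0.0.9", "news.example", 200, "text/html"),
    (1, "10.0.0.9", "ads.adnet.example", 302, "text/html"),
    (2, "10.0.0.9", "cdn.adnet.example", 200, "image/gif"),   # benign creative, chain ends
]

REDIRECTS = {301, 302, 303, 307, 308}
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/x-silverlight-app"}

def find_redirect_chains(log, min_hops=2, window=10):
    """Per client, follow runs of redirects in time order (assumption: the next request from
    the same client is the redirect target) and return (client, hosts) for every run with
    at least `min_hops` redirect hops that ends in a Flash or Silverlight object fetch."""
    by_client = defaultdict(list)
    for rec in sorted(log):
        by_client[rec[1]].append(rec)
    hits = []
    for client, recs in by_client.items():
        hosts, hops, start = [], 0, None
        for t, _, host, status, ctype in recs:
            if hosts and t - start > window:        # run went stale, start over
                hosts, hops, start = [], 0, None
            if status in REDIRECTS:
                if not hosts:
                    start = t
                hops += 1
                if not hosts or host != hosts[-1]:
                    hosts.append(host)
                continue
            if not hosts:
                continue                            # not inside a redirect run
            if host != hosts[-1]:
                hosts.append(host)
            if ctype in PLUGIN_TYPES:
                if hops >= min_hops:
                    hits.append((client, hosts))    # ad -> server 1 -> server 2 -> plugin payload
                hosts, hops, start = [], 0, None
            elif not ctype.startswith("text/html"):
                hosts, hops, start = [], 0, None    # landed on a non-page asset: benign end
    return hits
```

Only the client that was bounced through two servers before fetching the Flash object is reported.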

Users and organizations are advised to make sure that their applications and systems are up-to-date with the latest security patches; Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silverlight, among others.

Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates. The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted on. Browser Exploit Prevention protects against exploits that target browsers or related plugins.

Related hash for TROJ_AVRECON is as follows:

  • 39600e79131fd35aa89f524306c84dffa870cd9d

Read more about how malvertising works here:

  • Malvertising: When Online Ads Attack

Updated on March 14, 2016, 05:30 PM (UTC-7)
TROJ_EVOTOB has been renamed to TROJ_AVRECON.

Updated on March 15, 2016, 10:10 AM (UTC-7)
Updated to include Trend Micro solutions and revise the statement regarding Angler Exploit Kit’s activity described in Figure 2.

Tags: AD network, Angler Exploit Kit, BEDEP, CVE-2015-8651, CVE-2016-0034, malvertisement, United States
