Online ad network AppNexus has once again been identified at the core of a malvertising campaign, this one using the Angler Exploit Kit to redirect visitors to sites hosting the Asprox malware.
Busy, popular websites including TMZ, Photobucket and Java.com in recent days have been serving malicious advertisements to visitors as part of this campaign, security company Fox-IT said.
“These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware,” Fox-IT said, adding that the redirects peaked between Aug. 19 and 22.
Angler is one of a menu of exploit kits sold on underground forums and used in campaigns to compromise websites and redirect victims to sites hosting banking malware and other malicious code. In May, AppNexus was serving malicious ads targeting Microsoft’s Silverlight platform. Streaming film and television service Netflix runs on Silverlight, and because of its popularity, attackers have been loading kits such as Angler with Silverlight exploits.
In the current campaign, the kit checks whether the victim’s browser supports a vulnerable version of Java or Flash, in addition to Silverlight, and then embeds an exploit that initiates a download of Asprox, Fox-IT said, adding that it has contacted AppNexus about the issue.
Asprox is a spam botnet that has recently been modified for click fraud; with this modification, the criminals behind it have been spreading the malware on several fronts, including email attachments as well as exploit kits.
“Asprox has gone through many changes and modifications which include spam modules, website scanning modules and even credential stealing modules,” Fox-IT said. “This history and current events show Asprox is still actively being developed and used.”
Once a visitor lands on a site hosting the malicious ad, their browser is redirected in the background to ads[.]femmotion[.]com, which then redirects to the exploit kit on a couple of different domains, the gloriousdead[.]com and taggingapp[.]com.
“All the exploit kit hosts were observed using port 37702. Running exploit kits on high ports at best prevents certain network tools from logging the HTTP connections, as these are typically configured to monitor only HTTP ports,” Fox-IT said. “It does mean this exploit kit is blocked on a lot of corporate networks as they do not allow for browsing outside the normal HTTP ports, port 80 (or proxy ports) and 443 for SSL.”
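One way a defender can look for the pattern Fox-IT describes, HTTP traffic on a port that port-keyed monitors never inspect, is to key on the sensor's payload-based protocol detection rather than on the destination port. The following is an added example, not Fox-IT's or the article's code; it assumes Zeek-style conn.log fields and treats 8080 and 3128 as the organization's proxy ports.

```python
import csv
import io

# Ports where HTTP(S) is expected on this network. The proxy ports (8080, 3128)
# are an assumption for this example; adjust them to your own environment.
EXPECTED_HTTP_PORTS = {80, 443, 8080, 3128}

# Constructed Zeek-style conn.log excerpt (tab-separated):
# ts  src_ip  src_port  dst_ip  dst_port  proto  service
# The service column comes from protocol detection on payload, not from the port.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1408492800.1\t10.0.0.5\t51234\t203.0.113.10\t80\ttcp\thttp
1408492801.2\t10.0.0.5\t51235\t203.0.113.20\t443\ttcp\tssl
1408492802.3\t10.0.0.5\t51236\t198.51.100.7\t37702\ttcp\thttp
1408492803.4\t10.0.0.8\t51237\t198.51.100.7\t37702\ttcp\thttp
1408492804.5\t10.0.0.9\t51238\t203.0.113.30\t8080\ttcp\thttp
1408492805.6\t10.0.0.9\t51239\t203.0.113.40\t37702\ttcp\t-
"""

def parse_conn_log(text):
    """Yield (ts, src_ip, dst_ip, dst_port, service) for each data row."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if not row or row[0].startswith("#"):
            continue
        ts, src, _sport, dst, dport, _proto, service = row
        yield ts, src, dst, int(dport), service

def http_on_unexpected_ports(text, expected=EXPECTED_HTTP_PORTS):
    """Return rows identified as HTTP by payload inspection whose destination
    port is one a port-keyed HTTP monitor would never have looked at."""
    return [(ts, src, dst, dport)
            for ts, src, dst, dport, service in parse_conn_log(text)
            if service == "http" and dport not in expected]

def hosts_by_port(findings):
    """Group findings as {dst_port: {dst_ip, ...}} so one unusual port shared by
    several destinations stands out, as port 37702 did across the kit hosts."""
    out = {}
    for _ts, _src, dst, dport in findings:
        out.setdefault(dport, set()).add(dst)
    return out
```

The check only fires when the sensor recognised the payload as HTTP; the last sample row, on the same high port but with no identified service, is deliberately left unflagged to show that blind spot.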
Fox-IT points out that the websites hosting the ads likely had no idea they were serving malicious content. Ad networks rely on a process known as retargeting, in which ad and content providers leave tracking data behind so that subsequent advertisers don’t serve the same ad content.
“The way it works is that a user with an interesting set of tracking cookies and other metadata for a certain ad provider is retargeted from the original advertisement content on the website to the modified or personalized data,” Fox-IT said. “We have seen examples where the website that helped with the ad redirect to infect a user had no idea it was helping the delivery of certain content for a certain ad provider.”