A global malvertising campaign exposing potentially one million users to the risk of being infected with CrypMIC ransomware delivered via the Neutrino Exploit Kit has been shut down, according to researchers.

Cisco’s Talos Security Intelligence and Research Group, which discovered the criminal activity, said the malvertising campaign stretched across North America, EU, Asia-Pac and the Middle East.

Ads were being delivered by the OpenX ad network and appeared on popular niche websites ranging in themes from finance, to general news, rugby and adult sites. The malicious ads were based on impression alone, meaning if the ad displays on the page the redirection occurred, and no interaction from the user was needed.

“The biggest thing is the truly global reach of this campaign itself and hitting a lot of different regions around the world and using many different languages,” said Cisco researcher Nick Biasini.

The specific campaign tracked and analyzed by Talos started at the beginning of August and lasted two weeks. That’s when Biasini, who discovered the campaign, worked with domain registrar service GoDaddy to shut down domains used to redirect traffic to a single server hosting the Neutrino EK located in Russia.

Criminals behind the malvertising campaign likely used stolen credentials to break into existing legitimate GoDaddy domain accounts, Biasini said. From there, hackers created dozens of subdomains for legitimate sites. Next, adversaries used those “clean” domains as fronts to buy ads on the OpenX advertising platform. Cybercriminals then stole content-specific ads on related niche websites and displayed them as their own via OpenX.

Visitors to a legitimate website hosting a malicious ad were exposed to one of the subdomains. Those subdomains, or as Cisco Talos calls them “gates,” are an initial redirection point for exploit kits.

“(Gates) are simply an intermediary between the initial redirection (i.e. compromised website/malicious ad) and the actual exploit kit server that does the probing, compromise, and payload delivery,” Biasini wrote a blog post outlining his research.

Biasini said this allows the attacker to quickly change the actual malicious server without having to change the redirection, which ultimately allows for “longer exploit kit campaigns without having to constantly modify the site or ad that starts the infection chain,” he said.

The primary exploit kit observed used  in the malvertising campaign was Neutrino, however Darkleech, Pseudo Darkleech and EITest were also being used.

Biasini estimates in the two weeks he tracked this most recent campaign one million people were exposed to one those ads, however only about 0.1 percent (1,000) of those viewing the ads were actually exposed to the Neutrino EK. Neutrino then attempted to distribute the CrypMIC ransomware onto the targeted computer.

The malvertising campaign answers some of researchers’ questions about how the Neutrino EK has gained prominence over the past several months and how it is being distributed. Neutrino has been filling the void for the fading Angler EK which was dealt a crippling blow when in June a Russian cybercrime gang that distributed Angler was arrested.

Malvertising is a growing threat, Biasini said. “As more content is moving online the primary revenue source for these sites is online ads. Cybercriminals know this and are increasingly turning away from other more typical ways of pointing traffic to exploit kits and are now looking to malvertising,” he said.

Categories: Malware, Vulnerabilities, Web Security