Malvertising Leads to Magnitude Exploit Kit, Ransomware Infection

Magnitude exploit kit malvertising ransomware cryptowall

Researchers from ZScaler have uncovered a new scheme where criminals are using malversting to redirect to pages hosting the Magnitude exploit kit and the CryptoWall ransomware.

Criminals are injecting malicious redirect code into advertisements in order to route user traffic toward sites hosting the Magnitude exploit kit, which, in turn, infects those users with strains of file-encrypting ransomware.

Magnitude predominately relies on drive-by-download attacks in which it infects its victims by exploiting vulnerable browser plug-ins. Before infection via Magnitude, ZScaler researchers explained in a recent analysis, attackers are using malicious ads, in a scheme commonly known as malvertising, to direct users through “302 cushioning” to sites hosting the Magnitude exploit kit.

Cushion attacks — also known as 302 cushioning — attempt to evade intrusion prevention and detection systems by displaying a 302 HTTP redirection warning. In this way, when the user lands on the fraudulent 302 page, his browser is automatically redirected to a maliciously crafted web page. In this case, the malicious website plays host to the Magnitude exploit kit.

Once the user interacts with an infected site, Magnitude delivers a malicious Flash payload as well as a highly obfuscated JavaScript payload exploiting MS13-009, an integer overflow that was fixed by a cumulative Internet Explorer update issued in February 2013.

Generally, this is the point where Magnitude delivers its malware payload. However, in this attack the criminals have added a new step wherein Magnitude dumps a shellcode payload onto its victims. The shellcode fetches a list of URLs using the the Windows library urlmon.dll and uses the first URL to infect users with CryptoWall 3.0.

“This is a highly profitable ransomware payload that leverages Bitcoin transactions executed over the Tor Anonymizer to monetize the attack,” wrote ZScaler researchers Edward Miles & Chris Mannon. “Threat Actors utilize this method of collection because it can’t be reliably traced back to the them. Victims are especially vulnerable to this type of extortion since very few people seem to backup their critical files such as documents and pictures.”

The threat infrastructure for this attack is hosted primarily in Germany.

Most of the malvertising activity originates from “click2.systemaffiliate.com,” which is operated by the ad network SunlightMedia. SunlightMedia believes it has isolated and blocked the bad ad.

Suggested articles