Big-name websites were hit with a cunning malvertising campaign over the weekend that attempted to sneak TeslaCrypt ransomware onto computers vulnerable to the potent Angler Exploit Kit.
Top sites running the malicious ads included NYTimes.com (owned by The New York Times), Answers.com and AOL.com, according to three separate security firms that spotted a spike in malvertising over the weekend.
According to researchers at Trustwave, thousands of sites were impacted by the malicious advertisements, which linked to a webpage that contained Angler EK. The exploit kit probes browsers for vulnerabilities and attempts to install malware.
For anyone with a vulnerable browser, attackers installed either TeslaCrypt ransomware or the Bedep Trojan, which opens a backdoor on PCs so attackers can install a variety of malicious programs.
Malvertising campaigns were also confirmed by TrendMicro and Malwarebytes, but it’s unclear if the three malicious ad campaigns are linked.
Karl Sigler, threat intelligence manager at Trustwave, told Threatpost that the attackers behind the malware used a sophisticated scheme to trick ad networks into running their malicious ads. The scheme included acquiring recently expired domains previously owned by marketing and advertising firms.
“Ad networks vet the companies that run ads on their networks,” Sigler said. “Those behind this malvertising campaign went to great lengths to appear legitimate.” The two ad networks that distributed the ads were identified as Adnxs and Taggify. Adnxs immediately removed the ads from its network, while Taggify didn’t reply to Trustwave when alerted, Sigler said.
One of the expired domains used by the attackers was brentsmedia[.]com, which, according to Trustwave, was previously owned by BrentsMedia, a now-shuttered online marketing company. Other domains used were envangmedia[.]com and markets.shangjiamedia[.]com, both of which were previously owned by media companies.
According to Trustwave’s report on the malicious ads, the company identified one of the rogue advertisements when it noticed several high-profile sites fetching a suspicious JSON file hosted on brentsmedia[.]com.
The JSON (JavaScript Object Notation) file in turn requested a JavaScript file containing 12,000 lines of code. That’s about 11,000 more lines than a typical JavaScript file would contain, Sigler said. “Our suspicions grew further when de-obfuscation of the script revealed that it tries to enumerate the following list of security products and tools in order to filter out security researchers and users with protections that would prevent exploitation,” wrote the authors of the Trustwave research report, Daniel Chechik, Simon Kenin and Rami Kogan.
TrendMicro estimates this wave of malware may have “affected tens of thousands of users in the last 24 hours alone.”
“Whether or not this will turn into a new trend, it’s certainly an interesting development in the world of malvertising, once again reminding us how difficult it is for both end-users and ad networks to deal with this threat,” wrote Trustwave researchers.