Experts at Fox-IT revealed in a blog post that the Internet firm AppNexus is the origin of a new “malvertising” campaign, which relies on the Angler Exploit Kit to redirect visitors to malicious websites serving the Asprox malware.
“Asprox has gone through many changes and modifications which include spam modules, website scanning modules and even credential stealing modules,” Fox-IT said. “This history and current events show Asprox is still actively being developed and used.”
“Over the last week, from Tuesday August 19th until Friday August 22nd, the Security Operations Center of Fox-IT’s ProtACT service observed multiple high-profile websites redirecting their visitors to malware. These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware,” states the blog post.
“Please note, a visitor does not need to click on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser.”
“All the exploit kit hosts were observed using port 37702. Running exploit kits on high ports at best prevents certain network tools from logging the HTTP connections, as these are typically configured to monitor only HTTP ports,” Fox-IT said. “It does mean this exploit kit is blocked on a lot of corporate networks as they do not allow for browsing outside the normal HTTP ports, port 80 (or proxy ports) and 443 for SSL,” explained the researchers.
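The logging gap the researchers describe can be checked for directly. The following Python example is an addition to this article, not code from Fox-IT: it compares what a monitor bound to port 80 would record with a check that flags any HTTP session to a port outside an expected set. It assumes a sensor that identifies HTTP by protocol rather than by port; the tab-separated log format, field names, expected port list and all sample records are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Ports where outbound web traffic is expected (assumption: adapt to the local proxy setup).
EXPECTED_WEB_PORTS = {80, 443, 3128, 8080}

# Constructed sample records: ts, client, server, server_port, host, referrer.
# Server addresses use documentation ranges; hostnames are placeholders.
SAMPLE_LOG = """\
1408438801\t10.0.0.15\t192.0.2.10\t80\tnews.example\t-
1408438802\t10.0.0.15\t192.0.2.20\t80\tads.example\thttp://news.example/
1408438803\t10.0.0.15\t198.51.100.7\t37702\tlanding.example\thttp://ads.example/slot
1408438900\t10.0.0.22\t192.0.2.10\t443\tnews.example\t-
1408438950\t10.0.0.22\t203.0.113.9\t8080\tproxy.example\t-
"""

def parse(log_text):
    """Yield one dict per tab-separated HTTP record."""
    fields = ["ts", "client", "server", "port", "host", "referrer"]
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields, delimiter="\t"):
        row["port"] = int(row["port"])
        yield row

def seen_by_port_based_monitor(records, monitored=frozenset({80})):
    """Records a tool watching only fixed HTTP ports would log (the gap in the quote)."""
    return [r for r in records if r["port"] in monitored]

def http_on_unexpected_ports(records, expected=EXPECTED_WEB_PORTS):
    """Records whose HTTP session went to a port outside the expected set."""
    return [r for r in records if r["port"] not in expected]

def summarize(hits):
    """Group hits by client, keeping the referrer so the ad redirect can be traced."""
    by_client = defaultdict(list)
    for r in hits:
        by_client[r["client"]].append((r["server"], r["port"], r["referrer"]))
    return dict(by_client)

if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    print("port-80 monitor logged:", len(seen_by_port_based_monitor(records)), "of", len(records))
    for client, conns in summarize(http_on_unexpected_ports(records)).items():
        for server, port, ref in conns:
            print(f"{client} -> {server}:{port} (referrer: {ref})")
```

The referrer column is kept in the summary because, in a malvertising chain, it points back to the ad request that triggered the redirect rather than to the site the user chose to visit.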
“The way it works is that a user with an interesting set of tracking cookies and other metadata for a certain ad provider is retargeted from the original advertisement content on the website to the modified or personalized data,” Fox-IT researchers said. “We have seen examples where the website that helped with the ad redirect to infect a user had no idea it was helping the delivery of certain content for a certain ad provider.”
Malvertising campaigns have become more sophisticated and insidious in recent years; current malvertising schemes are quite deceptive and noticeable only on the client side.
(Security Affairs – malvertising, cybercrime)