Malversting campaigns are becoming a serious problem for web users, cyber criminals are exploiting this practice to infect wide audience of users that visit most popular websites. In January security experts at Cyphort firm discovered a malvertising campaign hit numerous websites, including the Huffington Post and LA Weekly, the attackers exploited the AOL ad network to run the attack.
This time cyber criminals served the malicious advertisement through the ad provider TrafficHaus, the attack was discovered by Malwarebytes last Friday and promptly taken down in more or less 24 hours.
“We identified a malvertising campaign taking place on adult site xHamster (Alexa rank #68, est. 514 million visitors/month according to SimilarWeb) that abused ad provider TrafficHaus and Google’s URL shortener service” states a blog post published by Malwarebytes.
The attack chain starts a malicious advertisement using a shortened Google URL that redirect victims to the a domain serving the popular Angler Exploit Kit, in the following image is visible the source code behind a legitimate advertising (in blue) and the malicious code (in red).
The threat actors exploited the URL shortener to generate new links and evade blacklists, they used Google URL due to its reputation. The page hosting the malicious Bedep malware.
“The Trojan may arrive through a website hosting the Angler exploit kit. The exploit kit takes advantage of Flash vulnerabilities and loads the Trojan into memory. As a result, the Trojan may not create files or registry entries on the computer. ” as explained by the experts at Symantec.
Bedep acts as a backdoor in the infected machine that is used to download further malicious payload, including the Magnitude Exploit Kit.
“With most [exploit kits] the user browses to a site and gets exploited via a drive by download,” said Jerome Segura, senior security researcher at Malwarebytes. “In this case, Bedep is generating traffic only visible via network traffic tools like Fiddler or Wireshark (no browser is open or visible to the end user). Despite that there is no visible GUI, Bedep loads malicious URLs that trigger the [exploit kit] exploitation.”
There is no official news regarding the number of visitors of the xHamster affected by the malversting campaign.
(Security Affairs – malversting, xHamster)