Malvertising Leads to Magnitude Exploit Kit, Ransomware Infection


Criminals are injecting malicious redirect code into advertisements in order to route user traffic toward sites hosting the Magnitude exploit kit, which, in turn, infects those users with strains of file-encrypting ransomware.

Magnitude predominately relies on drive-by-download attacks in which it infects its victims by exploiting vulnerable browser plug-ins. Before infection via Magnitude, ZScaler researchers explained in a recent analysis, attackers are using malicious ads, in a scheme commonly known as malvertising, to direct users through “302 cushioning” to sites hosting the Magnitude exploit kit.

Cushion attacks — also known as 302 cushioning — attempt to evade intrusion prevention and detection systems by displaying a 302 HTTP redirection warning. In this way, when the user lands on the fraudulent 302 page, his browser is automatically redirected to a maliciously crafted web page. In this case, the malicious website plays host to the Magnitude exploit kit.
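A defender can look for this pattern in web proxy logs by stitching consecutive 302 responses into chains. The sketch below is an added example, not code from the article or from ZScaler's analysis; the log records, the `.example` hostnames, the function names and the thresholds are all constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed proxy records (not from the article):
# (client IP, requested URL, HTTP status, Location header or None)
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.example/story", 200, None),
    ("10.0.0.5", "http://ads.example/click?id=1", 302, "http://hop1.example/r"),
    ("10.0.0.9", "http://shop.example/old", 302, "/new"),
    ("10.0.0.5", "http://hop1.example/r", 302, "http://hop2.example/r"),
    ("10.0.0.9", "http://shop.example/new", 200, None),
    ("10.0.0.5", "http://hop2.example/r", 302, "http://landing.example/gate"),
    ("10.0.0.5", "http://landing.example/gate", 200, None),
]

def redirect_chains(records):
    """Stitch 302 responses into per-client chains by matching each
    Location target to the next URL that client requests."""
    open_chains = {}  # (client, expected next URL) -> URLs seen so far
    finished = []
    for client, url, status, location in records:
        chain = open_chains.pop((client, url), [url])
        if status == 302 and location:
            target = urljoin(url, location)  # Location may be relative
            open_chains[(client, target)] = chain + [target]
        elif len(chain) > 1:
            finished.append((client, chain))
    # Keep chains whose last hop was never fetched (e.g. blocked downstream).
    finished.extend((c, ch) for (c, _), ch in open_chains.items())
    return finished

def find_cushioning(records, min_hops=2, min_hosts=3):
    """Flag chains with several consecutive 302s crossing several hosts.
    The thresholds are assumed starting points, not values from the article."""
    flagged = []
    for client, chain in redirect_chains(records):
        hosts = {urlsplit(u).hostname for u in chain}
        if len(chain) - 1 >= min_hops and len(hosts) >= min_hosts:
            flagged.append((client, chain))
    return flagged

if __name__ == "__main__":
    for client, chain in find_cushioning(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

Legitimate ad delivery also chains redirects, so a hit is a triage lead to correlate with plug-in content fetched from the final host, not a verdict on its own.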


Once the user interacts with an infected site, Magnitude delivers a malicious Flash payload as well as a highly obfuscated JavaScript payload exploiting MS13-009, an integer overflow that was fixed by a cumulative Internet Explorer update issued in February 2013.

Generally, this is the point where Magnitude delivers its malware payload. However, in this attack the criminals have added a new step wherein Magnitude dumps a shellcode payload onto its victims. The shellcode fetches a list of URLs using the Windows library urlmon.dll and uses the first URL to infect users with CryptoWall 3.0.

“This is a highly profitable ransomware payload that leverages Bitcoin transactions executed over the Tor Anonymizer to monetize the attack,” wrote ZScaler researchers Edward Miles & Chris Mannon. “Threat Actors utilize this method of collection because it can’t be reliably traced back to them. Victims are especially vulnerable to this type of extortion since very few people seem to back up their critical files such as documents and pictures.”

The threat infrastructure for this attack is hosted primarily in Germany.

Most of the malvertising activity originates from “click2.systemaffiliate.com,” which is operated by the ad network SunlightMedia. SunlightMedia believes it has isolated and blocked the bad ad.

Source: https://threatpost.com
