Malvertising Campaign in US Leads to Angler Exploit Kit/BEDEP

A malvertising campaign related to the Angler Exploit Kit is currently targeting users in the United States and may have affected tens of thousands of users in the last 24 hours alone. Based on our monitoring, the malicious ads were delivered by a compromised ad network on various highly visited mainstream websites, including news, entertainment, and political commentary sites. As of this writing, the more popular portals appear to be no longer carrying the bad ad, but the malvertising campaign is still ongoing and continues to put users at risk of downloading malware onto their systems.

It is interesting to note that the Angler Exploit Kit has reportedly just been updated to exploit additional vulnerabilities. This could imply that its creators are employing a more aggressive strategy to stay ahead of their competitors: we have previously noted that Angler has been the dominant exploit kit in 2015. Regardless of which of these players eventually comes out on top this year, in the end it's still the users and website owners who lose.

Since March 7, there has been an uptick in Angler’s activity in the US, one that seems to peak a few days after it starts, then slowly wanes before ratcheting back up again over the weekend.

Figure 1. Angler Exploit Kit activity in the US in the last seven days

Based on my analysis, once a user visits a page that loads the malicious ad, the ad automatically redirects to two malvertising servers, the second of which delivers the Angler Exploit Kit.

Figures 2 and 3. Malvertising servers used in this attack, and corresponding activities in the last 24 hours (UTC)

Figures 4 and 5. The code redirecting users to Angler Exploit Kit

As of this writing, the exploit kit proceeds to download a BEDEP variant, which in turn drops malware that we will detect as TROJ_EVOTOB.

Users and organizations are advised to make sure that they keep their applications and systems up to date with the latest security patches; Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silverlight, among others.

We will continue to update this article with more information as it becomes available.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 14 March 2016.