Incident Response, Malware, TDR

Adult websites targeted in malvertising campaign packaging Flash exploit with payload

A new malvertising campaign covertly spreads malware onto the devices of visitors to more than 10 adult websites, including drtubr.com, which draws at least 60 million monthly visits.

This particular attack stems from a rogue advertiser on AdXpansion, a legitimate ad-serving company, Malwarebytes reported on its blog. No user interaction is required to launch the Flash exploit, which ultimately drops various malware payloads through an exploit kit similar to Neutrino.

The blog post's author, Jerome Segura, senior security researcher, noted in an interview with SCMagazine.com that this attack follows the recent trend of have the malicious ad both serve the exploit and drop the malware.

“The bad guys, instead of using the ad as a redirection to a site where they perform the exploitation, they do it all in one package,” he said.

The malicious ad in this case advertised a male enhancement drug.

This tactic doesn't come without its own risk for the attackers, however. The more they store on the Flash ad, the higher their chances of being discovered, Segura said, although this group appears to have approached the issue thoroughly. They use encryption and obfuscation on top of the ad, for example, and the file doesn't have any glaring components to indicate its malicious nature.

Also of note: The exploit happens immediately when a user lands on an infected page, but the payload doesn't occur until minutes later, an indication, Segura said, that indicated the attackers thinking ahead to avoid sandboxes.

With all this in mind, Malwarebytes alerted AdXpansion of the issue, and the company halted the malicious advertiser's posting.

Segura still reminded that users should remain on top of their patching schedules, especially for Flash, and if that's not regularly happening, users could consider using click-to-play or exploit detection software.

Impacted sites have nothing in common other than using AdXpansion and having their prime focus on adult content. Infected sites also included nuvid.com, hardsextube.com and justporno.tv, among others.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.