
‘Stop running this script?’ notification redirects to Angler Exploit Kit

While doing some research last week on exploit kit traffic, researchers with ESET identified a compromised website serving up one of those familiar notifications that asks if users want to abort a script causing their browser to run slowly. 

The notification is actually an injected HTML form that only pops up when using Internet Explorer, according to a Friday post. Clicking either ‘Yes’ or ‘Cancel’ ultimately redirects users to the Angler Exploit Kit.

According to the post, the malware being distributed at the time of the ESET research was a trojan identified as Win32/PSW.Papras.CX.

The message may make the threat harder for investigators to track and research: according to the post, it might have been used to prevent automated systems, such as malware analysis sandboxes and search engine bots, from reaching the exploit kit.
