Incident Response, Malware, TDR

Angler Exploit Kit pushed in xHamster malvertising campaign

Researchers with Malwarebytes Labs identified a malvertising campaign impacting popular adult website xHamster.

The malicious advertisement – served up by ad provider TrafficHaus – was spotted on Friday and taken down by the end of Saturday, Adam Kujawa, head of malware intelligence with Malwarebytes, told SCMagazine.com in a Monday email correspondence.

The attack began with the malicious advertisement building a shortened Google URL used to direct potential victims to the Angler Exploit Kit, a Monday post indicates, adding that each IP address was targeted only once.

“A URL shortener allows the flexibility of having constant new links and evading blacklists,” Jerome Segura, senior security researcher at Malwarebytes Labs, told SCMagazine.com in a Monday email correspondence. “While certain URL shorteners have a bad reputation, Google's is the most trusted, making this a good choice.”

The Angler Exploit Kit landing page checked to see if potential victims were running Kaspersky and Norton before Internet Explorer vulnerability CVE-2014-4130 was exploited, the post states. Vulnerable users were infected with Bedep malware, as well as a component used to generate fraudulent advertising revenue.

Bedep is a distribution botnet that has been used alongside Angler Exploit Kit for a while, Segura said, explaining that the controlled machines receive payloads and instructions – similar to most other botnets – and that, in this case, the Magnitude Exploit Kit was also silently loaded.

“With most [exploit kits] the user browses to a site and gets exploited via a drive by download,” Segura said. “In this case, Bedep is generating traffic only visible via network traffic tools like Fiddler or Wireshark (no browser is open or visible to the end user). Despite that there is no visible GUI, Bedep loads malicious URLs that trigger the [exploit kit] exploitation.”

Malwarebytes Labs researchers had previously observed Magnitude Exploit Kit distributing ransomware, Segura said, adding that tens of thousands of visitors to the xHamster website were likely impacted in this malvertising campaign due to the large amount of traffic on the site.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.