While doing some research last week on exploit kit traffic, researchers with ESET identified a compromised website serving up one of those familiar notifications that asks if users want to abort a script causing their browser to run slowly.
The notification is actually an injected HTML form that only appears when the visitor is using Internet Explorer, according to a Friday post. Clicking either ‘Yes’ or ‘Cancel’ ultimately redirects users to the Angler Exploit Kit.
According to the post, the malware being distributed at the time of the ESET research was a trojan identified as Win32/PSW.Papras.CX.
The message may make the threat harder for investigators to track and research. According to the post, it might have been used to prevent automated systems, such as malware analysis sandboxes and search engine bots, from reaching the exploit kit.