The relatively quiet Magnitude exploit kit (EK) has been picking up steam of late, having been spotted on several online ad networks, according to a researcher at Malwarebytes.
Magnitude, also known as PopAds, had fallen into disuse, particularly compared to its heavy-hitter cousins Angler and Nuclear. However, Malwarebytes Senior Security Researcher Jérôme Segura speculated that its resurgence is because the Magnitude EK is one of three kits known to exploit the new Flash Player vulnerability, CVE-2015-7645, for which Adobe issued a patch earlier this month.
“Indeed, the increased activity started right around the same time as the Magnitude EK author rolled out the latest Flash Player vulnerability. The first hit we saw was on November 9. By November 10 it was confirmed by another party that the latest Flash exploit had been integrated. This is not just a coincidence but rather an effort from criminals to use the most effective weapons they can get their hands on,” Segura told SCMagazine.com in an email Friday.
Segura spotted Magnitude being used in malvertising campaigns pushing Cryptowall ransomware on three ad networks: RevenueHits, VisAdd and Propeller Ads Media.
“Magnitude EK is one of those exploit kits we don't hear about as much in comparison to others such as Angler EK or Nuclear EK. Its unique URL pattern makes it easy to spot from the clutter of network traffic captures because it uses chained subdomains typically ending in a shady Top Level Domain like pw (Palau Pacific Island),” he wrote.
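The URL pattern described in the quote above lends itself to a simple triage check over web proxy or DNS logs. The following is an added example, not code from Malwarebytes or from the article; the log format, the `WATCH_TLDS` and `MIN_SUBDOMAIN_LABELS` values and every hostname are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions (not from the article): only "pw" is on the watchlist, and
# "chained" is taken to mean at least two labels left of the registered name.
WATCH_TLDS = {"pw"}
MIN_SUBDOMAIN_LABELS = 2

# Constructed sample proxy log lines ("<time> <client> <url>"); the hostnames
# are made up and are not observed indicators.
SAMPLE_LOG = """\
2015-11-13T10:01:02Z 10.0.0.5 http://www.example.com/index.html
2015-11-13T10:01:03Z 10.0.0.5 http://a1b2c3.d4e5f6.0718.example.pw/?x=1
2015-11-13T10:01:04Z 10.0.0.7 http://shop.example.pw/cart
2015-11-13T10:01:05Z 10.0.0.7 http://cdn.static.assets.example.net/app.js
2015-11-13T10:01:06Z 10.0.0.9 http://AA.BB.CC.EXAMPLE.PW./gate
2015-11-13T10:01:07Z 10.0.0.9 not-a-url
"""

def chained_subdomain_depth(host):
    """Return the subdomain label count if host fits the pattern, else None."""
    # Normalise case and a trailing root dot before splitting into labels.
    labels = [p for p in host.lower().rstrip(".").split(".") if p]
    if len(labels) < 2 or labels[-1] not in WATCH_TLDS:
        return None
    depth = len(labels) - 2  # assumes the registered name is second-level
    return depth if depth >= MIN_SUBDOMAIN_LABELS else None

def flag_requests(log_text):
    """Return (client, host, depth) for each log line worth triaging."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line
        _, client, url = parts
        host = urlsplit(url).hostname  # None when the field is not a URL
        if not host:
            continue
        depth = chained_subdomain_depth(host)
        if depth is not None:
            hits.append((client, host.rstrip("."), depth))
    return hits

if __name__ == "__main__":
    for client, host, depth in flag_requests(SAMPLE_LOG):
        print(f"{client} -> {host} ({depth} chained subdomain labels)")
```

A match is a lead for analyst review rather than a verdict, since legitimate sites can also use deep subdomains under the same TLD.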