Researchers with Malwarebytes have identified a malvertising attack carried out through Merchenta, an advertising network that works with Google's DoubleClick and claims to reach more than 28 billion consumers per month in the U.S. and 14 billion in the UK.
The malvertisement was active from April 11 to April 15 and appeared as an ad for French fashion label Hermès. Without any user interaction, the malvertisement served up the Flash EK and would infect vulnerable users with malware.
Malwarebytes could not determine which vulnerability was being exploited, but Jerome Segura, senior security researcher at Malwarebytes Labs, told SCMagazine.com in a Friday email correspondence that Flash EK is particularly unique because it does not have the typical structure of an exploit kit.
“Most exploit kits are made of three components: a landing page, exploits, and a payload,” Segura said. “Flash EK builds advertising and exploit into one unique package (no landing page necessary) and is very stealth or ‘well filtered' because it can leverage ad networks' ability to filter out non genuine traffic. Well filtered meaning to weed out security researcher's honeypots.”
Although Malwarebytes did not analyze the payload, the security company believes it is ransomware known as CryptoWall. That malware was being distributed in a nearly identical attack identified earlier this month, leading researchers believe that the same group is at work in this latest attack.
Segura was unable to say which sites may have served up the malicious advertisements, but he did say the attack appears to have impacted top news and technology websites.
“Given the fact the ad was propelled via DoubleClick and the unconfirmed reports we have about mainstream sites showing it, we can assume [the number of people affected] was in the tens of thousands to be very conservative,” Segura said.
Segura indicated that the attack highlights weaknesses that can be exploited in the chain of trust between ad networks and third parties.
“What I learned after doing digging and contacting Merchenta, is that yet another third-party called Bidable was using Merchenta's API (something that I could not see from the traffic capture) to perform real-time bidding,” Segura said. “Bidable in turn was giving its own customer's access to that API, and one of them was essentially rogue.”