Ad network compromised to redirect users to Nuclear EK, install Carberp

Attackers compromised an ad network's server in an apparent attempt to redirect visitors of websites using the platform to the Nuclear exploit kit (EK), new research reveals.

On Thursday, Joseph Chen, a fraud researcher at Trend Micro, detailed the incident – which was first detected in April and, at its peak this month, put more than 12,000 users at risk. According to Chen, Mad Ads Media, a New Jersey-based advertising network, was targeted to further a redirect scheme which featured financial malware Carberp as the final payload of the infection chain.

“We found in our investigation that the URL [used to redirect users] didn't always serve JavaScript code, and instead would sometimes redirect to the Nuclear Exploit Kit server,” Chen's blog post explained. “This led us to the conclusion that the server used by the ad network to save the JavaScript library was compromised to redirect website visitors to the exploit kit. Mad Ads Media serves a variety of websites globally, and several of the affected sites appear to be related to anime and manga.”

While Mad Ads Media quickly investigated and remediated the issue after Trend Micro notified the company about the compromise, the security firm found that as many as 12,500 users per day were affected by the threat at its peak this past Saturday. Chen noted that the research team “initially thought that this was another case of malvertising, but later found evidence that said otherwise.”

“Normal malvertising attacks involve the redirect being triggered from the advertisement payload registered by the attacker,” he continued. “This was not evident in the Mad Ads Media case. What we saw was an anomaly in the URL of their JavaScript library – originally intended to assign what advertisement will be displayed in the client site [image],” the blog post explained.

Users were in danger of being redirected to Nuclear EK, which delivered Adobe Flash exploits targeting CVE-2015-0359, a vulnerability patched in April, Chen said. Nuclear has been used by cybercriminals to spread crypto-ransomware, he added.

In a Friday interview, Tom Kellermann, chief cybersecurity officer at Trend Micro, said that the majority of the affected web traffic in this incident was from users in the U.S. (the blog also pointed out that significant traffic came from users in Japan and Australia).

“Chief marketing officers are being forced to acknowledge that they need to be cognizant of cyber security,” Kellermann said, referencing schemes that target internet marketers to scale larger attack campaigns. “CMOs need to be challenged to invest part of their budget in protecting the brand, and to do that they need to ensure their sites are insulated from the OWASP Top 10 [web application risks].”

In his blog post, Trend Micro's Chen noted that, as of Friday, the affected URL was no longer connecting to the Nuclear exploit kit.
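
The anomaly Chen describes, a script URL that usually returns JavaScript but sometimes answers with a redirect to another server, is something defenders can look for in web proxy logs. The following is an added example, not code from Trend Micro or from the original article; the log record layout and every hostname in it are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log records: (requested URL, HTTP status, Content-Type, Location header).
# All hosts are placeholders under the reserved .example TLD.
SAMPLE_LOG = [
    ("http://cdn.adnet.example/lib/ads.js", 200, "application/javascript", ""),
    ("http://cdn.adnet.example/lib/ads.js", 302, "text/html", "http://landing.bad.example/x"),
    ("http://cdn.adnet.example/lib/ads.js", 200, "application/javascript", ""),
    ("http://static.site.example/app.js", 200, "application/javascript", ""),
    ("http://static.site.example/app.js", 301, "", "https://static.site.example/app.js"),
    ("http://widgets.example/w.js", 200, "text/javascript", ""),
]

JS_TYPES = ("application/javascript", "text/javascript", "application/x-javascript")


def find_inconsistent_scripts(records):
    """Return {script_url: sorted off-host redirect targets} for URLs that
    sometimes serve JavaScript and sometimes redirect to a different host."""
    served_js = set()
    off_host = defaultdict(set)
    for url, status, ctype, location in records:
        if status == 200 and ctype.split(";")[0].strip().lower() in JS_TYPES:
            served_js.add(url)
        elif 300 <= status < 400 and location:
            target = urlsplit(location).hostname
            # Same-host redirects (e.g. an HTTP-to-HTTPS upgrade) are not flagged.
            if target and target != urlsplit(url).hostname:
                off_host[url].add(target)
    # Only URLs seen doing both are reported: the mixed behaviour is the signal.
    return {u: sorted(t) for u, t in off_host.items() if u in served_js}


if __name__ == "__main__":
    for url, targets in find_inconsistent_scripts(SAMPLE_LOG).items():
        print(f"{url} intermittently redirects to {targets}")
```

A hit is a lead for investigation rather than proof of compromise, since some legitimate services redirect script requests between their own hosts.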
