The amount of malvertising found in the wild has dramatically dropped since the Angler Exploit Kit seemingly disappeared at the end of April, but that does not mean this annoying type of malware is gone for good, according to Malwarebytes.
Malwarebytes Senior Security Researcher Jerome Segura noted in a blog that the only large-scale malvertising campaign launched since Angler vanished from the threat landscape utilized the Neutrino Exploit Kit. This attack struck Yahoo on June 7. However, Segura does not believe the current low level of activity is a sign that malvertising has fallen out of favor, just that the criminals are gearing up for another wave of attacks.
“We can theorize threat actors are busy reorganizing, planning for their next objectives, and malvertising is most likely going to remain their weapon of choice to drive traffic to their malicious payloads,” Segura said.
One reason Segura believes this is just a lull is that some small campaigns are running, including one pushing a malicious banner ad through the RTB platform smartadserver. This attack is particularly hard for researchers to spot because it uses the fingerprinting technology built into Neutrino, which allows the malware to vet potential victims and ensure that only those without security protection are infected, Segura said.
The demise of Angler and increased use of Neutrino have had another impact. The recent cases spotted involve drive-by downloads via compromised websites instead of through malicious ads. Segura said this trend is a plus, as sites hacked in this fashion cannot reach as many people as a well-placed malicious ad, which can victimize hundreds of thousands of people.