Huge Malvertising Operation Discovered that Brings Traffic to Rig Exploit Kit

August 5, 2018


For several years cybercriminals have been sneaking malicious advertisements onto legitimate websites via advertising networks.

Publishers, website owners who sell space on their sites for ads, typically use advertising networks to connect them with advertisers, who bid for that space. Resellers are also part of the advertising chain: they buy traffic generated through the ad networks and resell it to other advertisers.

If a malicious advertisement makes it past the ad network's checks, it can be shown to huge numbers of visitors and may be placed on thousands of websites at the same time. Malicious advertisements direct users to phishing websites, chat sites, and sites hosting exploit kits, where drive-by malware downloads take place.

Malicious advertising, or malvertising, is common, although ad networks now perform more checks on advertisers, making it harder for malicious advertisements to be introduced. Nevertheless, some malicious advertisements still get past these controls despite the ad networks' best efforts.

Huge Malvertising Campaign Exposed

Researchers at Check Point have recently uncovered a huge malvertising campaign in which a threat actor is posing as a legitimate publisher and offering advertising space on over 20,000 websites. Those websites are not owned by the publisher; they are sites that have been compromised. Most of them run WordPress and have not been updated, allowing WordPress vulnerabilities to be exploited and access to the sites to be gained without the owners' knowledge.

The traffic to those sites is sold by the ad network to resellers, who sell that traffic on to cybercriminals, who in turn use malicious advertisements to direct users to scam sites and exploit kits.

Check Point researchers were investigating a campaign that was redirecting users to a website hosting the Rig exploit kit. Further research into the source of the traffic revealed that users were being redirected via JavaScript hosted on a remote server, with the traffic apparently coming from compromised websites. The JavaScript redirected users to an advertising page owned by the AdsTerra ad network, and that page in turn redirected them to the Rig exploit kit, where malware was downloaded.
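The redirect chain described above (compromised site, remote JavaScript, ad-network page, exploit kit landing page) can be hunted for in web proxy logs by following Referer headers back from each request. The following is an added example, not Check Point's code or tooling; the log format, hostnames and watchlists are constructed placeholders, and it assumes the browser preserved the Referer across the hops:

```python
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed proxy log lines (hypothetical hosts): time, client, URL, Referer ("-" = none).
SAMPLE_LOG = """\
10:00:01 10.1.1.5 http://blog.example/post/1 -
10:00:02 10.1.1.5 http://js-host.example/r.js http://blog.example/post/1
10:00:03 10.1.1.5 http://ads.example/click?id=7 http://blog.example/post/1
10:00:04 10.1.1.5 http://landing.example/index.php?x=1 http://ads.example/click?id=7
10:00:05 10.1.1.5 http://landing.example/payload.bin http://landing.example/index.php?x=1
10:05:00 10.1.1.9 http://news.example/a -
10:05:01 10.1.1.9 http://cdn.example/lib.js http://news.example/a
"""
AD_NETWORK_HOSTS = {"ads.example"}  # placeholder watchlists: feed from your own
KNOWN_GOOD_HOSTS = {"blog.example", "news.example", "cdn.example"}  # baseline/intel

def parse(log):
    rows = []  # (time, client, url, referer_or_None)
    for line in log.splitlines():
        ts, client, url, ref = line.split()
        rows.append((ts, client, url, None if ref == "-" else ref))
    return rows

def chains(rows):
    """Per client, follow Referer links from each leaf request back to its root page."""
    by_client = defaultdict(dict)  # client -> {url: referer}
    for _ts, client, url, ref in rows:
        by_client[client][url] = ref
    out = []
    for client, refs in by_client.items():
        leaves = set(refs) - {r for r in refs.values() if r}  # URLs nothing referred from
        for leaf in sorted(leaves):
            chain, cur = [], leaf
            while cur and cur not in chain:  # guard against Referer loops
                chain.append(cur)
                cur = refs.get(cur)
            out.append((client, chain[::-1]))  # root first
    return out

def suspicious(rows):
    """Flag chains: known root site -> ad-network hop -> host outside the baseline."""
    alerts = []
    for client, chain in chains(rows):
        hs = [urlsplit(u).hostname for u in chain]
        hosts = [h for i, h in enumerate(hs) if i == 0 or h != hs[i - 1]]  # collapse same-host hops
        if (len(hosts) >= 3 and hosts[0] in KNOWN_GOOD_HOSTS
                and any(h in AD_NETWORK_HOSTS for h in hosts[1:-1])
                and hosts[-1] not in KNOWN_GOOD_HOSTS):
            alerts.append((client, hosts))
    return alerts
```

Chains that end on a previously unseen host after an ad-network hop are a starting point for triage, not proof of an exploit kit; the JavaScript hop is not linked by Referer here and shows up as a separate two-hop chain.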

Check Point researchers found that over 10,000 websites had been compromised by this single threat actor. The bulk of the compromised sites were running the outdated WordPress version 4.7.1, which is vulnerable to remote code execution and is the likely way the sites were compromised. Potentially unwanted programs (PUPs) were also being used to generate traffic.

The threat actor, known as Master134, sells advertising space on the sites, which is bought by a wide variety of advertisers. In principle the space could be used by threat actors and genuine companies alike, yet it appeared to be purchased almost exclusively by cybercriminal groups that operate exploit kits.

Master134 also uses other advertising networks and indirectly sells traffic to threat actors through resellers. One way or another, the whole advertising ecosystem is being subverted. The scale of the operation suggests that the ad network may be aware of the scheme yet is turning a blind eye to it.

“Threat actors never stop to look for new methods to spread their attack campaigns and don’t vacillate to use authentic ways to do so. Nevertheless, when genuine online advertising businesses are found at the heart of a scheme, connecting threat actors and enabling the distribution of malevolent content worldwide, we cannot help but wonder – is the online promoting industry accountable for the public’s safety?” wrote the Check Point researchers. “Actually, how can we be sure that the ad we encounter while visiting legitimate websites is not intended to harm us?”