The last days of the past and the first days of the current year have been unlucky for visitors of several popular sites including the Huffington Post and Gamezone.com, which were unknowingly serving malicious ads that ultimately led to a ransomware infection.
Cyphort Lab researchers first spotted the malvertising campaign on New Year’s Eve on the HuffPo’s Canadian website. A few days later, the ads were served on HuffingtonPost.com.
The ensuing investigation revealed that the source of the ads is advertising.com, an AOL ad-network.
Visitors to the sites who were served the ads were automatically redirected to a landing page hosting either the Neutrino or the Sweet Orange exploit kit. The kits served several exploits, and if one of them was successful, a new variant of the Kovter ransowmare was downloaded and executed.
Kovter blocks the targeted computer’s keyboard and mouse, usually demands a ransom of around $300, and searches the web browser’s history for URLs of adult content sites to include in the ransom note.
AOL has been notified of the problem, and has removed the malicious ads from rotation both in their advertising.com ad-network as well as in their adtech.de one.
Nick Bilogorskiy, director of security research with Cyphort, explained that while advertising networks do their best to spot these malicious ads when they are submitted, sometimes they fail to do so because the attackers are adept at hiding their real nature, or they enable the infection chain many days after the ads start “playing.”
“Another way is to only serve the exploits to every 10th user, or every 20th user who views the ad. Verifying user agents and IP addresses also is a common strategy to hide from analysts and automated malware detection,” he told Adam Greenberg.
That’s why site administrators should regularly check their websites for malicious advertisements (and malware).
This is not the first time that Kovter was delivered in this way. Another malvertising campaign targeting YouTube users was spotted in October 2014.