Massive Malvertising Campaign in US Leads to Angler Exploit Kit/BEDEP
A malvertising campaign related to the Angler Exploit Kit is currently targeting users in the United States and may have affected tens of thousands of users in the last 24 hours alone. Based on our monitoring, the malicious ads were delivered by a compromised ad network to various highly visited mainstream websites, including news, entertainment, and political commentary sites. As of this writing, while the more popular portals appear to no longer be carrying the bad ad, the malvertising campaign is still ongoing and thus continues to put users at risk of having malware downloaded onto their systems.
It is interesting to note that the Angler Exploit Kit has reportedly just been updated to exploit additional vulnerabilities. This could imply that its creators are employing a more aggressive strategy to stay ahead of their competitors: we have previously noted that Angler was the dominant exploit kit in 2015. Regardless of which of these players eventually comes out on top this year, in the end it is still the users and website owners who lose.
Since March 9, there has been an uptick in Angler’s activity in the US, one that seems to slowly wane before ratcheting back up again over the weekend.
Figure 1. Angler Exploit Kit’s activity in the US in the last five days
Based on my analysis, once a user visits a page that loads the malicious ad, the said ad automatically redirects to two malvertising servers, the second of which delivers the Angler Exploit Kit.
Figures 2 and 3. Malvertising servers used in this attack, and corresponding activities in the last 24 hours (UTC)
Figures 4 and 5. The code redirecting users to Angler Exploit Kit
As of this writing, the exploit kit proceeds to download a BEDEP variant, which in turn drops malware that we detect as TROJ_AVRECON.
Users and organizations are advised to make sure that their applications and systems are kept up to date with the latest security patches; the Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silverlight, among others.
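The two-hop redirect chain described above (page, ad, two malvertising servers, exploit kit landing page) leaves a trail of Referer headers in web proxy logs, and the plugin content the kit targets (Flash, Silverlight) marks the end of that chain. As an added example that is not the post's own code, the Python below reconstructs Referer chains from constructed sample log lines with hypothetical hosts and flags Flash or Silverlight objects that were reached only through two or more intermediate third-party hosts; the log format, hosts and threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines with hypothetical hosts (not from the original post).
# Fields: time client status method url referer
SAMPLE_LOG = """\
2016-03-14T10:00:01Z 10.0.0.5 200 GET http://news.example/article http://news.example/
2016-03-14T10:00:02Z 10.0.0.5 302 GET http://ads.example/serve?id=1 http://news.example/article
2016-03-14T10:00:02Z 10.0.0.5 302 GET http://redir1.example/go http://ads.example/serve?id=1
2016-03-14T10:00:03Z 10.0.0.5 200 GET http://landing.example/x.html http://redir1.example/go
2016-03-14T10:00:03Z 10.0.0.5 200 GET http://landing.example/flash.swf http://landing.example/x.html
2016-03-14T10:06:00Z 10.0.0.9 200 GET http://video.example/player.swf http://video.example/watch
"""

# Flash (.swf) and Silverlight (.xap) objects, the plugin content Angler is known to target.
PLUGIN_CONTENT = re.compile(r"\.(swf|xap)(\?|$)", re.IGNORECASE)

def referer_chains(log_text):
    """For each plugin object fetched, walk Referer headers back to the originating page."""
    by_client = {}                                   # client -> {url: referer}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 6:
            by_client.setdefault(parts[1], {})[parts[4]] = parts[5]
    chains = []
    for client, refs in by_client.items():
        for url in [u for u in refs if PLUGIN_CONTENT.search(u)]:
            hosts, seen, cur = [], set(), url
            while cur in refs and cur not in seen:   # stop on a Referer loop
                seen.add(cur)
                hosts.append(urlparse(cur).netloc)
                cur = refs[cur]
            hosts.append(urlparse(cur).netloc)       # the page the user started on
            hosts.reverse()
            # collapse consecutive requests to the same host into a single hop
            hosts = [h for i, h in enumerate(hosts) if i == 0 or h != hosts[i - 1]]
            chains.append((client, hosts))
    return chains

def suspicious_chains(log_text, min_intermediate_hosts=2):
    """Flag plugin content reached only via >= min_intermediate_hosts third-party hosts."""
    flagged = []
    for client, hosts in referer_chains(log_text):
        intermediates = set(hosts[1:-1]) - {hosts[0], hosts[-1]}
        if len(intermediates) >= min_intermediate_hosts:
            flagged.append((client, hosts))
    return flagged
```

A video site serving its own player directly (the 10.0.0.9 client) produces a single-host chain and is not flagged, while the ad-driven chain ending on a third-party host carrying a Flash object is.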
Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates. The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention protects against exploits that target browsers or related plugins.
The related hash for TROJ_AVRECON is below.
Updated on March 14, 2016, 05:30 PM (UTC-7)
TROJ_EVOTOB has been renamed to TROJ_AVRECON.
Updated on March 15, 2016, 10:10 PM (UTC-7)
Updated to include Trend Micro solutions and revise the statement regarding Angler Exploit Kit’s activity described in Figure 2.