Ad Network Compromised, Users Victimized by Nuclear Exploit Kit
MadAdsMedia, a US-based web advertising network, was compromised by cybercriminals to lead the visitors of sites that use their advertising platform to Adobe Flash exploits delivered by the Nuclear Exploit Kit. Up to 12,500 users per day may have been affected by this threat; three countries account for more than half of the hits: Japan, the United States, and Australia.

Figure 1. This attack was first seen in April, although at relatively low traffic levels. The number of users at risk grew significantly as May started, with the peak of 12,500 daily affected users reached on May 2.
We initially thought that this was another case of malvertising, but later found evidence that said otherwise. Normal malvertising attacks involve the redirect being triggered from the advertisement payload registered by the attacker. This was not evident in the MadAdsMedia case. What we saw was an anomaly in the URL of their JavaScript library, a library originally intended to decide which advertisement will be displayed on the client site:

Figure 2. The JavaScript library URL serving the JavaScript, as intended
We found in our investigation that the URL didn’t always serve JavaScript code, and instead would sometimes redirect to the Nuclear Exploit Kit server:

Figure 3. The JavaScript library URL leading to the Nuclear Exploit Kit server
This led us to the conclusion that the server used by the ad network to save the JavaScript library was compromised to redirect website visitors to the exploit kit. MadAdsMedia serves a variety of websites globally, and several of the affected sites appear to be related to anime and manga.
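A defender-side check for the behaviour described above, written as an added example (not code from this post or from Trend Micro): it audits a series of captured HTTP responses for a third-party script URL and flags the pattern seen here, a script URL that sometimes serves JavaScript and sometimes redirects to an unrelated host. The script URL, host names and sample responses are constructed placeholders.

```python
from urllib.parse import urlparse

# Placeholder URL standing in for an ad network's library script (not the real path).
SCRIPT_URL = "https://ads.example-adnetwork.test/js/show_ads.js"
JS_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}

def classify(script_url, response):
    """Classify one captured response for script_url.
    response: {'status': int, 'headers': {...}, 'body': str} (constructed record).
    Returns 'ok' or a short reason describing the anomaly."""
    expected_host = urlparse(script_url).netloc
    headers = {k.lower(): v for k, v in response.get("headers", {}).items()}
    status = response["status"]
    if 300 <= status < 400:
        # A script URL should hand back code, not bounce the browser to another site.
        target = urlparse(headers.get("location", ""))
        if target.netloc and target.netloc != expected_host:
            return f"redirect to foreign host {target.netloc}"
        return "ok"  # same-host redirect (e.g. a path change) is tolerated
    if status != 200:
        return f"unexpected status {status}"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in JS_TYPES:
        return f"non-JavaScript content-type {ctype or 'missing'}"
    if "<html" in response.get("body", "").lower():  # crude body sanity check
        return "HTML served where script expected"
    return "ok"

def audit(script_url, observations):
    """Classify every observation; report anomalies and whether the behaviour
    was intermittent (some clean responses, some anomalous), as in this case."""
    results = [classify(script_url, o) for o in observations]
    anomalies = [(i, r) for i, r in enumerate(results) if r != "ok"]
    intermittent = 0 < len(anomalies) < len(observations)
    return {"anomalies": anomalies, "intermittent": intermittent}

# Constructed observations modelled on the two behaviours the post reports.
OBSERVATIONS = [
    {"status": 200, "headers": {"Content-Type": "application/javascript"},
     "body": "var slot = document.getElementById('ad');"},
    {"status": 302, "headers": {"Location": "https://ek-landing.example.test/x"},
     "body": ""},
    {"status": 200, "headers": {"Content-Type": "application/javascript"},
     "body": "var slot = document.getElementById('ad');"},
    {"status": 200, "headers": {"Content-Type": "text/html"},
     "body": "<html><body><iframe src='...'></iframe></body></html>"},
]
```

Polling a third-party script URL this way from several vantage points catches the intermittent case that a single fetch would miss.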
The Flash exploits in use are targeting CVE-2015-0359, a vulnerability that was patched only in April of this year. Some users may still be running older versions of Flash and thus be at risk. The Flash exploits are being delivered by the Nuclear Exploit Kit, a kit that has been constantly updated to add new Flash exploits and has been tied to crypto-ransomware.
Solutions and best practices
Attacks like these highlight the importance of ad networks keeping their infrastructure secure from attacks. Making sure that web servers and applications are secure will help ensure the protection of the business and its customers.
End users, on the other hand, are advised to keep popular web plugins up to date. Users with the latest versions of Adobe Flash would not have been at risk. Monthly Adobe updates are released at approximately the same time as Patch Tuesday (the second Tuesday of each month); this would be a good time for users to perform what is, in effect, preventive maintenance on their machines.
Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage this vulnerability. Trend Micro endpoint solutions additionally protect systems against malware and related attacks.
Additional analysis by Brooks Li
Post from: Trendlabs Security Intelligence Blog – by Trend Micro