Malvertising Attack Pushes Ransomware

Friday, April 29, 2016 @ 04:04 PM gHale


As part of a larger malvertising campaign that surfaced a week and a half ago, malicious ads on The Pirate Bay torrent portal were pushing ransomware and potentially unwanted programs (PUPs) after redirecting users to a page hosting the Magnitude exploit kit.

The malvertising campaign was first discovered April 18, when Malwarebytes detected something suspicious.

After having their activities exposed, attackers changed the advertising network through which they delivered their malicious ads.

As in most malvertising campaigns, users were first redirected to a so-called “gate,” an intermediary server where an automated fingerprinting script sorted them into possible victims and targets that could not be exploited. Users running older Windows and Internet Explorer versions were the main targets.

Only the potential victims were then redirected to the final URL, where the Magnitude exploit kit used automated exploits to compromise vulnerable PC setups and install Cerber ransomware.

The attackers installed the ransomware by leveraging a Flash zero-day that Adobe patched at the start of the month.

When the zero-day was first discovered, Proofpoint researchers found the attackers using it to push the Cerber ransomware via the Magnitude and Nuclear exploit kits. The researchers said it now appears The Pirate Bay was also a part of this campaign.

The vulnerability allows attackers to take control of the user’s computer by executing malicious code without the user’s knowledge or consent.