Malvertising Attack Threatens 2 Million answers.com Visitors Daily

A malvertising attack has been mounted on the popular website answers.com, which receives 2 million visits daily.

Some visitors who browse the knowledge-based website are exposed to fraudulent and malicious advertisements and could be infected with ransomware on a drive-by basis, without even having to click on an ad.

According to Malwarebytes, the attack is making use of the RIG exploit kit to drop the CrypMIC ransomware, a payload that Neutrino first served back in July. The campaign also follows the same pattern that was used by Angler EK and subsequently Neutrino EK via the ‘domain shadowing’ practice and the use of the HTTPS open redirector from Rocket Fuel (rfihub.com).

“There has been an interesting battle between two exploit kits in the past few months,” said Malwarebytes researcher Jerome Segura, in an analysis. “Following the demise of the Angler exploit kit in June, Neutrino EK assumed the lead position by having the top malware and malvertising campaigns defaulted to it. But since then, there have been several shake ups, and an underdog in the name of RIG EK replaced Neutrino EK on several high volume campaigns from compromised websites.”

In early September, Malwarebytes noticed a change in how RIG drops its malware payload. Instead of Neutrino’s trademark iexplore.exe process, the firm spotted instances where wscript.exe was the parent process of the dropped binary. This may seem like a minor difference, but it is being used as a way to bypass certain proxies.
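The parent-process change described above is something endpoint telemetry can check for. The following is an added example, not code from the article or from Malwarebytes: the `Image` and `ParentImage` field names follow Sysmon process-creation events, while the user-writable path markers and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Parent processes the article names: iexplore.exe (Neutrino's pattern)
# and wscript.exe (the newer RIG pattern).
WATCHED_PARENTS = {"iexplore.exe", "wscript.exe"}

# Assumption: dropped payloads run from user-writable locations. The article
# does not say where the binary lands; adjust to your environment.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def is_suspicious(event):
    """Return True when a watched parent starts an executable from a user-writable path."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = event.get("Image", "").lower()
    if parent not in WATCHED_PARENTS:
        return False
    # A browser relaunching itself (e.g. tab processes) is normal.
    if ntpath.basename(image) == parent:
        return False
    return image.endswith(".exe") and any(m in image for m in USER_WRITABLE_MARKERS)


def flag_events(events):
    """Return (parent, child image) pairs for every suspicious event, in order."""
    return [
        (ntpath.basename(e["ParentImage"]).lower(), e["Image"])
        for e in events
        if is_suspicious(e)
    ]


# Constructed sample events (not taken from the article or any real host).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ParentImage": r"C:\Windows\System32\WScript.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\rad1F3C.tmp.exe"},
    {"ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\a1b2.exe"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for parent, child in flag_events(SAMPLE_EVENTS):
        print(f"ALERT parent={parent} child={child}")
```

A rule that watches only iexplore.exe as the parent would miss the third sample event, which is why both parents are in the watch list.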

“Threat actors are privileging RIG over its rival Neutrino, as it can be seen from various malware campaigns,” Segura said. “In the meantime, domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to bypass traditional defenses at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel.”

Since malvertising doesn’t require any user interaction to infect a system, users should keep their computers fully up-to-date and uninstall unnecessary programs. Running an additional layer of protection, such as exploit mitigation software, ensures that drive-by download attacks leveraging zero-day vulnerabilities are also stopped.

Photo © Sergei Butorin
