A malvertising campaign is leveraging pop-under ads to infect users who visit adult websites with the Ramnit trojan.
The campaign abuses the ExoClick ad network to target users based in Canada and the United Kingdom. Its attacks rely on pop-under ads, windows that open beneath the main webpage when a user clicks an item on the site.
Malwarebytes' lead malware intelligence analyst Jérôme Segura gives us the rundown of how the campaign works:
“The first stage redirection includes a link to tds.tuberl.com within two different JavaScript snippets. This Traffic Distribution System (TDS) mostly loads benign adult portals/offers via ExoClick. The actual malvertising incident takes place next with a 302 redirect to a malicious TDS this time, which performs some geolocation fingerprinting and checks the upper referer before loading the RIG exploit kit.”
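The chain Segura describes (a TDS link in the page's JavaScript, a 302 to a second TDS that fingerprints the visitor, then the exploit kit) is the kind of pattern a web proxy log can surface. The Python below is an added example, not code from Malwarebytes, ExoClick or the article: it reconstructs 302 redirect chains from constructed proxy log lines and flags chains that pass through a known TDS host and end somewhere other than an allowlisted landing page. The log format, every host other than tds.tuberl.com, the `KNOWN_TDS` set and the allowlist are assumptions made for the example.

```python
"""Reconstruct HTTP 302 redirect chains from proxy logs and flag chains that
route through a traffic distribution system (TDS) to an unexpected host.

Added example; not Malwarebytes', ExoClick's or the article's code.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log, one request per line:
#   "<time> <client> <status> <url> <referer> <location>"   ('-' = header absent)
# Only tds.tuberl.com is a hostname named in the article; all other hosts
# are placeholders invented for this example.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 200 http://adult-portal.example/ - -
10:00:02 10.0.0.5 302 http://tds.tuberl.com/go?c=1 http://adult-portal.example/ http://benign-offer.example/landing
10:00:02 10.0.0.5 200 http://benign-offer.example/landing http://adult-portal.example/ -
10:00:05 10.0.0.5 302 http://tds.tuberl.com/go?c=2 http://adult-portal.example/ http://second-tds.example/in?geo=ca
10:00:05 10.0.0.5 302 http://second-tds.example/in?geo=ca http://adult-portal.example/ http://ek-gate.example/?x=1
10:00:06 10.0.0.5 200 http://ek-gate.example/?x=1 http://adult-portal.example/ -
10:00:09 10.0.0.9 200 http://news.example/ - -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+) (\S+)$")

# Assumed TDS host list (from the article) and an assumed allowlist of landing
# pages a redirect through the TDS is permitted to end at.
KNOWN_TDS = {"tds.tuberl.com"}
ALLOWED_LANDING = {"benign-offer.example"}


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        time, client, status, url, referer, location = m.groups()
        events.append({
            "time": time, "client": client, "status": int(status), "url": url,
            "referer": None if referer == "-" else referer,
            "location": None if location == "-" else location,
        })
    return events


def host(url):
    return urlparse(url).hostname or ""


def build_chains(events):
    """Per client, link each 302 to the later request for its Location URL."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    chains = []
    for client, evs in by_client.items():
        consumed = set()  # indices already absorbed into an earlier chain
        for i, e in enumerate(evs):
            if i in consumed or e["status"] != 302:
                continue
            chain, cur, idx = [e["url"]], e, i
            while cur["status"] == 302 and cur["location"]:
                nxt = next((j for j in range(idx + 1, len(evs))
                            if j not in consumed and evs[j]["url"] == cur["location"]), None)
                if nxt is None:
                    chain.append(cur["location"])  # target never requested (blocked?)
                    break
                consumed.add(nxt)
                chain.append(evs[nxt]["url"])
                cur, idx = evs[nxt], nxt
            chains.append({"client": client, "referer": e["referer"], "hops": chain})
    return chains


def suspicious(chain):
    """Flag: passed through a known TDS, at least two 302 hops, unexpected landing."""
    hosts = [host(u) for u in chain["hops"]]
    through_tds = any(h in KNOWN_TDS for h in hosts)
    redirect_hops = len(chain["hops"]) - 1
    return through_tds and redirect_hops >= 2 and hosts[-1] not in ALLOWED_LANDING


def flag_chains(text):
    return [c for c in build_chains(parse_log(text)) if suspicious(c)]


if __name__ == "__main__":
    for c in flag_chains(SAMPLE_LOG):
        print(c["client"], " -> ".join(host(u) for u in c["hops"]))
```

On the sample data the single-hop TDS chain that lands on the allowlisted offer page is ignored, while the two-hop chain through the second TDS is reported; tuning `ALLOWED_LANDING` and the hop threshold to the local ad traffic is what keeps the false-positive rate usable in a real proxy feed.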
RIG is a well-known actor in the exploit kit world. It has leveraged flaws discovered in Adobe Flash and other software to infect users with malware.
In particular, RIG has a long-standing relationship with Cerber, the “ransomware that speaks” whose developer launched a lucrative affiliate scheme in 2016 to support operations. Researchers spotted RIG and Cerber targeting victims of pseudo-Darkleech as recently as January 2017.
In this particular campaign, RIG doesn’t push out Cerber. Instead it drops Ramnit, a trojan which is known for stealing banking and FTP credentials. The malware preys predominantly on Canadian and UK users despite a takedown in 2015.
Malwarebytes has since reached out to ExoClick about attackers abusing its systems to prey upon users, and the ad network has reportedly taken action to stop the attacks.
Users can protect themselves against campaigns such as this by maintaining an up-to-date security solution on their computer, installing software updates as soon as they become available, and using an ad-blocker during their web-browsing sessions.
They should also take a hard look at the kinds of websites they visit. No judgment, but adult websites are notorious for these types of attacks.