Malvertizing Continued – Spotify’s Ad Networks Outed

Over the past couple months, some advertising networks have been distributing ads that redirect browsers to sites hosting exploits.

Spotify’s advertising network was most recently outed (note that it is the third-party banner ads rotating through the client’s ad frames, not Spotify’s own content). Most of the redirections we have been monitoring have sent users to a variety of servers in the .cc TLD. We have been working with providers to ensure the ads aren’t on their networks, but the groups have been active in rotating malvertizing banners through multiple networks.

The hits on these ads, for the most part, have redirected browsers to Java, Adobe and Microsoft HCP-related exploits. We are detecting this exploit content with a variety of names: Exploit.Java.CVE-2010-0840.a-f, Trojan-Downloader.Java.Openconnection.dt, Trojan.Win32.FakeWarn.d, Exploit.HTML.CVE-2010-1885.aj, Exploit.Script.Generic, Exploit.JS.Pdfka.cwm, Exploit.JS.Pdfka.dhm and more. All are part of the Blackhole exploit kit. At some point, our broader solutions kick in and simply block connections to the web pages altogether.

Most of the redirects that we saw early on were from unusual adult-interest sites, but the distributors have become more aggressive and managed to rotate their ads through major IM, webtailers’ regional sites and webmail provider sites too. At least that group of ads seems to have been dealt with properly. However, unpatched and unprotected systems are still being successfully exploited and are downloading a variety of malware from these sites, including FakeAv, the more serious TDSS rootkit, and the Papras and Zbot banking credential stealers, among others.

The Blackhole exploit kit may not have the largest install base online, but its hosters are abusing some of the bigger advertising networks to co-ordinate redirection to their exploit pages on these .cc servers, so detections for their Java, PDF and HCP exploits are very high. Every eight hours during periods of higher activity, our KSN network counts the prevention of a very high volume of attacks from .cc domains.
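The pattern described above (a third-party ad banner referring the browser to a landing page in the .cc TLD, followed by fetches of Java or PDF exploit content from that same host) is something a defender can hunt for in ordinary proxy logs. The script below is an added example and is not code from the original post or from Kaspersky; the log format, the ad-network host `ads.example-adnetwork.test`, the landing host `evil-landing.example.cc` and the client addresses are all constructed placeholders, not indicators from the post.

```python
"""Flag ad-referred redirects to .cc hosts in proxy logs and tie later payload
fetches (Java archives/classes, PDFs) back to the landing host.

Added example, not from the original Securelist post. All hosts and log lines
below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# Assumption: populated from your own inventory of ad-network hosts seen in traffic.
AD_NETWORK_HOSTS = {"ads.example-adnetwork.test"}
# The post reports landing servers in the .cc TLD.
SUSPECT_TLDS = {"cc"}
# Payload types named in the post: Java archives/classes and PDF documents.
PAYLOAD_RE = re.compile(r"\.(jar|class|pdf)$", re.IGNORECASE)

# Constructed log format: <timestamp> <client> <referrer> <requested-url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log: one client follows a banner to a .cc page and then
# pulls a .jar and a .pdf from it; another client's webmail traffic is benign.
SAMPLE_LOG = """\
2011-03-25T10:01:02 10.0.0.5 http://ads.example-adnetwork.test/banner.html http://cdn.example-adnetwork.test/img/banner.gif 200
2011-03-25T10:01:03 10.0.0.5 http://ads.example-adnetwork.test/banner.html http://evil-landing.example.cc/index.php 200
2011-03-25T10:01:05 10.0.0.5 http://evil-landing.example.cc/index.php http://evil-landing.example.cc/jar/app.jar 200
2011-03-25T10:01:06 10.0.0.5 http://evil-landing.example.cc/index.php http://evil-landing.example.cc/files/doc.pdf 200
2011-03-25T10:05:00 10.0.0.9 http://mail.example.test/inbox http://mail.example.test/attachment.pdf 200
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, referrer, url, status = m.groups()
    return {"ts": ts, "client": client, "referrer": referrer, "url": url, "status": int(status)}


def host_of(url):
    """Lower-cased hostname of a URL ('' when the URL has none)."""
    return (urlparse(url).hostname or "").lower()


def tld_of(host):
    """Last DNS label of a hostname, e.g. 'cc' for 'evil-landing.example.cc'."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def find_ad_redirect_chains(log_text):
    """Return one finding per (client, .cc landing host) reached from an ad host.

    Each finding lists the payload URLs the same client later fetched from
    that landing host, so an analyst sees the whole chain, not just the hop.
    """
    findings = []
    landings = {}  # (client, landing_host) -> finding
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        ref_host = host_of(entry["referrer"])
        dst_host = host_of(entry["url"])
        # Hop 1: ad-network referrer sends the browser to a .cc host.
        if ref_host in AD_NETWORK_HOSTS and tld_of(dst_host) in SUSPECT_TLDS:
            finding = {"client": entry["client"], "first_seen": entry["ts"],
                       "ad_host": ref_host, "landing_host": dst_host, "payloads": []}
            findings.append(finding)
            landings[(entry["client"], dst_host)] = finding
            continue
        # Hop 2+: same client pulls exploit-style content from that landing host.
        key = (entry["client"], dst_host)
        if key in landings and PAYLOAD_RE.search(urlparse(entry["url"]).path):
            landings[key]["payloads"].append(entry["url"])
    return findings


if __name__ == "__main__":
    for f in find_ad_redirect_chains(SAMPLE_LOG):
        print(f"{f['client']} via {f['ad_host']} -> {f['landing_host']} at {f['first_seen']}")
        for p in f["payloads"]:
            print("   payload:", p)
```

Run it against a real proxy export by replacing `SAMPLE_LOG` with the file contents and `LOG_RE` with your log's field layout; the referrer is the key field, since the .cc hop is only suspicious because of where it came from. Keying the payload matching on the client plus landing host keeps unrelated .pdf or .jar downloads (like the webmail attachment in the sample) out of the finding.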

