We are also seeing VirtualDonna spreading Teslacrypt (id52) directly from Angler.įigure 3: VirtualDonna chain to Angler EK dropping Teslacrypt ID52 (1e18d9c07d7c86c102003a2f4310f1eb) on the įigure 4: "VirtualDonna" redirecting to Angler loading Bedep 6006 (not illustrated here: the first stream contains Teslacrypt ID=52 among other things) on March 12, 2016.Ī list of associated redirector patterns (as of March 8) is available here.Ī separate video malvertising campaign on March 13 raised an alarm. ĭespite receiving a large amount of traffic since at least February 23 (when we saw it and flagged the new redirector pattern), the traffic volume driven by this actor did not change on March 13. Instead, we connected the ransomware campaign to the " VirtualDonna" group. The campaign covered by Spiderlabs is not tied to this spike. The confusion resulted from mixing up two campaigns. Even so, the common dropped malware illustrates how in some cases, groups in charge of the traffic are providers to what appear to be load sellers.Īs seen in Figure 1, the large-scale malvertising attack that took place on March 13, was not dropping ransomware as originally reported. This group is not tied to the spike from March 13. Notably, the same malware (sharing the same command-and-control (C&C) infrastructure) was dropped by Bedep 1967 from the Angler instance fed by another malvertising campaign being run by an actor we are tracking as GooNky (the name is a contraction the attacker’s past https redirectors, goo.gl and nky.be).įigure 2: Another group (GooNky - using Domain Shadowing and a Let’sEncrypt certificate ) sending traffic to a different instance of Bedep dropping the same malware tuple. Bedep's secondary payloads were both the Evotob dropper Trojan and an instance of the Reactorbot banking Trojan.įigure 1: Angler EK (from startlenovocom) on Maloading Bedep 1940 in memory and then pushing Evotob and Reactorbot. Some other websites were also involved as referrers via YahooAds, Aol, and .Īfter investigating alerts related to this event on March 13, we determined that all of these redirects lead to an Angler instance that was infecting victims with Bedep (build-id 1940).
The full list of websites that we observed unwittingly participating in this malvertising campaign-displaying the malicious advertisements and driving traffic to the exploit kit- appears below. The final payloads were an Evotob Trojan and a Reactorbot banking Trojan.It marks the first documented instance of video malvertising leading to an exploit kit.A large number of highly ranked sites were involved in malvertising.This campaign is notable for several reasons: We have uncovered new details about the infection chain and can provide key historical context on the attacker behind it. Parts of this activity have already been documented by our colleagues at Trend Micro. The threat of exploit kits in video malvertising creates another layer of potential problems for consumers and advertisers alike. While such campaigns aren't new, this appears to be the first documented instance of such a campaign leading to an exploit kit. We also surmised (and later confirmed) that there was a video malvertising involved in this campaign. On March 13, 2016, Proofpoint researchers observed a large malvertising campaign hitting many highly-ranked websites including MSN.com, and many others. The campaign, which involved both banner and video ads, hit high-profile sites including MSN.com,, and, among many others, as well as large ad networks, potentially putting millions of users at risk of infection.
Proofpoint researchers have been tracking the first known instance of video malvertising leading to an exploit kit. Usually this happens transparently without the user even knowing they’ve been infected. Exploit kits are powerful tools for cybercriminals, downloading malware onto vulnerable PCs whenever users surf to a compromised or malicious site.