Trustwave identifies whopping big new Angler campaign

Angler can drop all sorts of payloads on your system

Trustwave says it has discovered an advertising campaign that has succeeded in putting ads that redirect to the Angler exploit kit on to “very popular websites” around the world.

Big-name websites that served the malicious ads include answers.com, zerohedge.com and infolinks.com. The sites themselves were not hacked; they loaded the ads from a supplier the attackers had taken over (see below). The first two of these sites rank well inside the top 1,000 sites in the world and the third is in the top 5,000.

Although malvertising and the Angler exploit kit are nothing new, the Trustwave researchers insist this is a campaign with a difference. “Those of us familiar with the Angler exploit kit know that it never ceases to innovate and come up with new ideas for infecting as many victims as possible,” the researchers wrote.

The malvertising campaign was discovered and blogged about by Daniel Chechik, Simon Kenin and Rami Kogan.

They said that by acquiring the expired domain of a small but reputable advertising agency, the attackers were able to provide their exploit kit with “high-quality traffic from popular websites that published their ads directly”.

They explained: “In the past few days while going over the telemetry of our products we noticed that several high profile sites were fetching a JSON file which is hosted on ‘brentsmedia[.]com' as part of their process for pulling advertising content from their ad providers.”

The ad itself, a banner for socket wrenches or spanners, was the bait; behind it sat a heavily obfuscated JavaScript file of more than 12,000 lines. The vast majority of that code did nothing but look for security products and analysis tools, so that security researchers and protected users who would not be vulnerable to exploitation could be filtered out: if any of these tools were found, the script simply exited. If none were found, it appended an iframe to the page's HTML that led to the Angler exploit kit. The fingerprinting is what makes such campaigns hard to reproduce from a researcher's instrumented browser, which is why Trustwave spotted it in product telemetry rather than by visiting the sites.

Victims were infected with the Bedep trojan and TeslaCrypt ransomware.

The domain expired on 1 January 2016 and was re-registered on 6 March to an address in Russia. Nothing in the publishers' ad pipelines noticed that a supplier domain had lapsed and changed hands; the tags kept loading from it as before.
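As an added illustration (this is not Trustwave's code, and the log lines and WHOIS records are constructed for the example), the script below shows the kind of check the two observations above invite: take the third-party domains that several high-traffic publishers fetch ad content from, join them against domain registration data, and flag any that were (re)registered only days ago, particularly where a recorded expiry precedes the current creation date, the signature of a drop-caught domain. The log format, the `WHOIS` dictionary and every date other than brentsmedia.com's expiry and re-registration dates are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

# Constructed proxy-telemetry lines (the format is this example's own):
# <date> <first-party-site> <requested-url>
TELEMETRY = """\
2016-03-07 answers.com http://brentsmedia.com/ads/tag.json
2016-03-07 answers.com https://ib.adnxs.com/ttj?id=11
2016-03-07 zerohedge.com http://brentsmedia.com/ads/tag.json
2016-03-07 infolinks.com http://brentsmedia.com/ads/tag.json
2016-03-07 infolinks.com https://cdn.example-ads.net/tag.js
2016-03-08 zerohedge.com http://brentsmedia.com/ads/tag.json
"""

# Constructed WHOIS-style records. Only brentsmedia.com's dates follow the
# article (expired 1 Jan 2016, re-registered 6 Mar 2016 to a Russian address);
# the other entries are placeholders, not real registration data.
WHOIS = {
    "brentsmedia.com": {"created": date(2016, 3, 6), "expired": date(2016, 1, 1), "country": "RU"},
    "adnxs.com":       {"created": date(2008, 1, 15), "expired": None, "country": "US"},
    "example-ads.net": {"created": date(2012, 6, 1), "expired": None, "country": "US"},
}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+)$")


def parse_telemetry(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, site, url = m.groups()
        events.append({"date": date.fromisoformat(day), "site": site,
                       "host": urlparse(url).hostname})
    return events


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Production code should use the Public
    Suffix List so that 'ads.example.co.uk' is not collapsed to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def third_party_domains(events):
    """Map each third-party registrable domain to the set of publishers that
    fetched something from it (same-site requests are ignored)."""
    sites_by_domain = defaultdict(set)
    for ev in events:
        dom = registrable_domain(ev["host"])
        if dom != registrable_domain(ev["site"]):
            sites_by_domain[dom].add(ev["site"])
    return dict(sites_by_domain)


def flag_reregistered(events, whois, as_of, max_age_days=30, min_sites=2):
    """Return third-party domains that (a) are embedded by at least `min_sites`
    distinct publishers and (b) were (re)registered within `max_age_days` of
    `as_of`: a brand-new domain carrying traffic only an established vendor
    should have. `dropcatch` is set when a recorded expiry precedes the
    current creation date, i.e. the name lapsed and was picked up again."""
    flagged = []
    for dom, sites in third_party_domains(events).items():
        rec = whois.get(dom)
        if rec is None or len(sites) < min_sites:
            continue
        age = (as_of - rec["created"]).days
        if age <= max_age_days:
            flagged.append({
                "domain": dom,
                "age_days": age,
                "sites": sorted(sites),
                "dropcatch": rec["expired"] is not None and rec["expired"] < rec["created"],
                "country": rec["country"],
            })
    return sorted(flagged, key=lambda f: f["age_days"])


def example_flags():
    """Run the check over the constructed data as of 8 March 2016."""
    return flag_reregistered(parse_telemetry(TELEMETRY), WHOIS, date(2016, 3, 8))


if __name__ == "__main__":
    for finding in example_flags():
        print(finding)
```

On the constructed data only brentsmedia.com is flagged: it is fetched by three publishers, is two days old as of 8 March and carries an expiry date earlier than its creation date. The `min_sites` threshold is what separates a newly registered but legitimately niche vendor from a domain that has suddenly inherited an established agency's traffic; in practice the WHOIS lookup would be a real query and the domain list would come from the ad-serving path, not the whole proxy log.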

There was a marked difference in the responses Trustwave received when it notified two of the ad networks about the malvertising: one network, adnxs, acted within an hour, while taggify had yet to respond at the time of writing.

The researchers warn that this might be the start of a new trend in exploiting expired “media” related domains to lend legitimacy to malvertising campaigns.