Top websites were involved In large-scale Malvertising-campaign

At the end of last week there were some warnings of a new large-scale campaign that uses malicious advertising. According to experts, this malvertising-campaign aimed at spreading TeslaCrypt ransomware, on many popular websites, which are used by cybercriminals to redirect users to exploit pack Angler.

Experts from three IS companies found embedded redirects in many frequently visited websites, including, and According to Trustwave, in this cyber campaign involved thousands of legitimate websites. When activated, malicious banners loading page, determining the suitability of a visitor to exploit, if the result is positive, user gets an exploit, after using the exploit the ransomware will be loaded. In some cases, the Trojan Bedep was used to open the backdoor to download other malicious files.


The new mass discreditation aimed to embed malicious advertising were also recorded by TrendMicro and Malwarebytes, although it is unclear the relationship between these three cyber companies. The head of anti-virus analysts Karl Ziegler told that the attackers using various tricks to make malicious ad networks work and show malicious banners. For example, criminals acquire domains of marketing companies and advertising agencies, which term of service was recently expired.

“Ad networks are checking companies using their services. Initiators of malvertising-campaign have to put a lot of effort to create the appearance of legitimacy” – says Ziegler. At the moment, Trustwave has identified two ad networks involved in the current cyber campaign – Adnxs and Taggify. The first one immediately removed malicious banners from the network, the second didn’t react on the warnings.

One of the domains used by hackers,, until January belonged to BrentsMedia – an American company specialized in online marketing and is already defunct. Owners of other domains, and, until recently, were considered as a media companies.

In the report, Trustwave experts pointed out that one of the malicious banners was discovered, when they noticed that several well-known sites invoke JSON-suspicious file, hosted on As it turned out, this refers to the JSON JavaScript file that contains 12 thousand lines of code – much more than usual.

“Our doubts are increased when, after obfuscation of the script, revealed that it is trying to go through the list of protective products and tools to filter information security researchers and users who have tools to prevent an exploit” – said the author of the report.

Trend Micro has estimated the damage from the current malicious campaign in “tens of thousands of users just in the last 24 hours”.

“Will it become a new trend or not, but it’s definitely an interesting stage in the development of malvertising industry, again reminded us how difficult it is to deal with such threats, and end users, and ad networks” – wrote the experts in conclusion of the report.

Information added: 03/23/2016 07:51 PM;