
Researchers have recently discovered a new malvertising campaign targeting visitors of the popular online news source The Huffington Post, among other sites.

According to security experts at Cyphort Labs, the malware-serving advertisements redirected users multiple times, ultimately taking them to an exploit kit landing page by leveraging AOL’s advertising network – advertising.com.

The security firm, which specializes in detecting malware threats, first learned of the infection on The Huffington Post’s Canadian site. However, on January 3, researchers also detected a similar infection on the US website, as well as several others hosting the AOL ad network, including:

  • laweekly.com
  • mandatory.com
  • houstonpress.com
  • weatherbug.com
  • gamezone.com
  • gooddrama.net
  • fhm.com
  • thewmurchannel.com
  • buzzlie.com
  • mojosavings.com
  • soapcentral.com
  • theindychannel.com

“Interestingly enough, attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack,” Nick Bilogorskiy, Director of Security Research at Cyphort, explained in a blog post. “The HTTPS redirector is hosted on a Google App Engine page. This makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted.”

Researchers suspect the attackers likely used the NeutrinoEK exploit kit or the Sweet Orange exploit kit, which served Adobe Flash and VBScript exploits and then downloaded the malicious executable, a trojan from the Kovter family:

The purpose of this attack is to install a malicious binary – a new variant of a Trojan, from the Kovter family (SHA1: eec439cb201d12d7befe5482e8a36eeb52206d6f). The malware was downloaded from indus.qgettingrinchwithebooks.babia-gora.pl:8080 – it was an unencrypted binary. After execution it connects to a16-kite.pw for CNC. It executes by injecting its payload into a spawned svchost.exe process.
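As an added, defender-side illustration that is not part of this article or of Cyphort's research: a small Python script that reconstructs each client's request sequence from constructed proxy log lines and flags the traits described above (a click-through from the advertising.com network, redirects that mix HTTP and HTTPS, an executable served from a non-standard port, and the Kovter hash and C2 host quoted in the post). The log format, the `.example` hostnames and the client addresses are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators quoted in the Cyphort post; every .example hostname below is constructed.
KNOWN_BAD_SHA1 = {"eec439cb201d12d7befe5482e8a36eeb52206d6f"}
KNOWN_C2_HOSTS = {"a16-kite.pw"}
AD_NETWORK = "advertising.com"
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
# Constructed proxy log, one request per line: client url status content-type sha1-of-body
SAMPLE_LOG = """\
10.0.0.5 http://news-site.example/ 200 text/html -
10.0.0.5 http://ads.advertising.com/slot 302 - -
10.0.0.5 https://redirector.example/r 302 - -
10.0.0.5 http://indus.qgettingrinchwithebooks.babia-gora.pl:8080/land 200 text/html -
10.0.0.5 http://indus.qgettingrinchwithebooks.babia-gora.pl:8080/p.exe 200 application/octet-stream eec439cb201d12d7befe5482e8a36eeb52206d6f
10.0.0.5 http://a16-kite.pw/ 200 - -
10.0.0.9 http://news-site.example/ 200 text/html -
"""
def parse_log(text):
    # One dict per well-formed five-field line; malformed lines are skipped.
    rows = (line.split() for line in text.splitlines())
    return [{"client": c, "url": u, "status": int(s), "ctype": t, "sha1": h}
            for c, u, s, t, h in (r for r in rows if len(r) == 5)]

def assess_client(events):
    """Reasons one client's request sequence matches the chain described in the post."""
    reasons, after_ad, redirect_schemes = [], False, set()
    for e in events:
        u = urlsplit(e["url"])
        host = u.hostname or ""
        if host == AD_NETWORK or host.endswith("." + AD_NETWORK):
            after_ad = True                      # the chain starts at the ad-network hit
        if after_ad and 300 <= e["status"] < 400:
            redirect_schemes.add(u.scheme)       # collect the schemes used by redirects
        elif after_ad and e["ctype"] in BINARY_TYPES:
            port = u.port or (443 if u.scheme == "https" else 80)
            if port not in (80, 443):
                reasons.append(f"binary fetched from {host}:{port}")
            if e["sha1"] in KNOWN_BAD_SHA1:
                reasons.append(f"known Kovter hash {e['sha1']}")
        if host in KNOWN_C2_HOSTS:
            reasons.append(f"contact with known C2 host {host}")
    if redirect_schemes == {"http", "https"}:
        reasons.insert(0, "post-ad redirects mixed http and https")
    return reasons

def scan(text):
    # Map each client that triggers at least one reason to its list of reasons.
    by_client = defaultdict(list)
    for e in parse_log(text):
        by_client[e["client"]].append(e)
    return {c: r for c, r in ((c, assess_client(ev)) for c, ev in by_client.items()) if r}
```

The second client, which only loads the news page, produces no findings; the first is reported with all four reasons.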

Bilogorskiy also noted that the company had seen an uptick in drive-by infections through malvertising during 2014, and warned web property owners about the growing issue.

We believe that this trend presents a significant security challenge in 2015. Website owners should ask questions about their malvertising protection before signing up with ads syndication networks. More importantly, website owners should deploy infection monitoring and detection solutions to protect their site visitors from malware infection.

In response to the findings, AOL.com released a statement confirming the company took the necessary actions to fix the issue.

The security firm continues to closely monitor the malvertising campaign and plans to share additional results as they become available.