Posted: November 5, 2015 by

Last updated:

Trusting Flash-based ads has never been harder when they bundle nasty code.

We have recently been observing a series of malvertising attacks that use an unusual delivery method we have seen before. Instead of relying on an exploit kit to compromise victims' machines, the attack uses a disguised Flash advert that downloads its own exploit and payload.

We previously encountered this attack pattern on two occasions: once in a Sparta Ad and once via the RTB platform DirectRev. This latest attack features various ad platforms leading to a booby-trapped DirectRev ad.

The Flash exploit is hosted on sensentive.com:

Domain Name: SENSENTIVE.COM
Creation Date: 2015-10-26T21:19:12Z
Registrar: TLD Registrar Solutions Ltd.
Registrant Organization: Whois Privacy Corp.

The malware payload, CryptoWall, is retrieved from gearsmog.com:

Domain Name: GEARSMOG.COM
Creation Date: 2015-10-26T21:19:14Z
Registrar: TLD Registrar Solutions Ltd.
Registrant Organization: Whois Privacy Corp.

Both domains were created only a few seconds apart but reside on different IP addresses: 80.240.135.208 and 178.62.150.20.
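The two-second gap between the creation timestamps is the kind of detail a defender can turn into a triage heuristic: domains registered together, at the same registrar, are often stood up for the same campaign even when they sit on different IP addresses. The script below is an added example, not code from the original post or from Malwarebytes. It parses WHOIS records in the flattened "Key: Value Key: Value" form quoted above and flags domain pairs created within a chosen window at the same registrar. The two records from the post are used as input; the third record, the five-minute window and the `related_domains` function name are assumptions made for the example.

```python
"""Correlate newly registered domains by WHOIS creation time.

Added example (not from the original post): parse flattened WHOIS records
and flag domains registered at the same registrar within a short window,
a cheap heuristic for spotting infrastructure set up for one campaign.
"""
from datetime import datetime, timedelta
import re

# The two WHOIS records quoted in the post, each flattened onto one line,
# plus one constructed control record (not from the post) that should not match.
RECORDS = [
    "Domain Name: SENSENTIVE.COM Creation Date: 2015-10-26T21:19:12Z "
    "Registrar: TLD Registrar Solutions Ltd. Registrant Organization: Whois Privacy Corp.",
    "Domain Name: GEARSMOG.COM Creation Date: 2015-10-26T21:19:14Z "
    "Registrar: TLD Registrar Solutions Ltd. Registrant Organization: Whois Privacy Corp.",
    # Constructed: same registrar, but registered months earlier.
    "Domain Name: EXAMPLE-UNRELATED.COM Creation Date: 2015-03-02T10:00:00Z "
    "Registrar: TLD Registrar Solutions Ltd. Registrant Organization: Example Corp.",
]

# Field names we know how to extract; values run until the next field name.
FIELDS = ("Domain Name", "Creation Date", "Registrar", "Registrant Organization")


def parse_whois(text):
    """Split a flattened WHOIS line into a dict keyed by the known field names."""
    names = "|".join(re.escape(f) for f in FIELDS)
    # Lazy value match terminated by a lookahead for the next "Field:" or end of string.
    pattern = re.compile(r"(%s):\s*(.*?)\s*(?=(?:%s):|$)" % (names, names))
    rec = {key: value for key, value in pattern.findall(text)}
    rec["created"] = datetime.strptime(rec["Creation Date"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def related_domains(records, window=timedelta(minutes=5)):
    """Return (domain_a, domain_b, seconds_apart) for domains registered at the
    same registrar within `window` of each other, ordered by creation time."""
    parsed = sorted((parse_whois(r) for r in records), key=lambda r: r["created"])
    pairs = []
    for i, a in enumerate(parsed):
        for b in parsed[i + 1:]:
            gap = b["created"] - a["created"]
            if gap > window:
                break  # records are sorted, so every later one is further apart
            if a["Registrar"] == b["Registrar"]:
                pairs.append((a["Domain Name"], b["Domain Name"], int(gap.total_seconds())))
    return pairs


if __name__ == "__main__":
    for d1, d2, secs in related_domains(RECORDS):
        print(f"{d1} and {d2} were registered {secs}s apart at the same registrar")
```

Run against the records above, the script reports SENSENTIVE.COM and GEARSMOG.COM as a pair two seconds apart and leaves the control domain alone. In practice you would feed it the WHOIS output for any domain seen in an ad chain and treat a hit as a reason to look at the second domain's hosting and traffic as well.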

File hashes: