Top-tier news sites, entertainment portals, and political commentary sites were among the victims of a massive malvertising campaign related to the Angler Exploit Kit. This campaign is targeting users in the United States and may have affected tens of thousands of users in the last 24 hours alone. Based on our monitoring, the malicious ads were delivered by a compromised ad network in these highly-visited mainstream websites. As of this writing, while the more popular portals appear to be no longer carrying the bad ad, the malvertising campaign is still ongoing and thus continues to put users at risk of downloading malware into their systems.

It is interesting to note that Angler Exploit Kit has been reportedly just updated to exploit additional vulnerabilities. This could imply that its creators are employing a more aggressive strategy to continue to stay ahead of its competitors: we have previously noted that Angler has been the dominant Exploit Kit in 2015. Regardless of which of these players eventually come out on top this year, in the end, it’s still the users and website owners who lose.

Since March 9, there has been an uptick in Angler’s activity in the US, one that seems to slowly wane before ratcheting back up again over the weekend.

Figure 1. Exploit Kits’ activity in the US in the last five days

Based on my analysis, once a user visits a page that loads the malicious ad, the said ad automatically redirects to two malvertising servers, the second of which delivers the Angler Exploit kit.

Figures 2 and 3. Malvertising servers used in this attack, and corresponding activities in the last 24 hours (UTC)

Figures 4 and 5. The code redirecting users to Angler Exploit Kit

As of this writing, the exploit kit proceeds to download a BEDEP variant, which, in turn drops a malware we will detect as TROJ_AVRECON.

Users and organizations are advised to make sure that their applications and systems are up-to-date with the latest security patches; Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silverlight, among others.

Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates. The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention protects against exploits that target browsers or related plugins.

Related hash for TROJ_AVRECON is as follows:

39600e79131fd35aa89f524306c84dffa870cd9d

Read more about how malvertising works here:

Updated on March 14, 2016, 05:30 PM (UTC-7)

TROJ_EVOTOB has been renamed to TROJ_AVRECON.

Updated on March 15, 2016, 10:10 AM (UTC-7)

Updated to include Trend Micro solutions and revise the statement regarding Angler Exploit Kit’s activity described in Figure 2.