The Angler Connection: Massive Malvertising Campaign Linked to Angler Exploit Kit and BEDEP

In a report posted on Monday, Trend Micro researcher Joseph Chen shared details of a spike in malicious ads that, in the 24 hours after its discovery, may have affected tens of thousands of users, most of them in the United States. The malvertising campaign is linked to the Angler Exploit Kit, and its reach appears to be broad: the malicious ads ran on top news sites, entertainment portals, and even political commentary sites. While a number of the more popular pages no longer carry the ad, the campaign is said to be ongoing, infecting users who never knowingly download anything.

According to Chen, “Since March 9, there has been an uptick in Angler’s activity in the US, one that seems to slowly wane before ratcheting back up again over the weekend.” Angler recently received an update that added exploits for more vulnerabilities, a sign that the kit's developers are continually working to stay ahead of competing kits.

Chen adds that once a user visits a page carrying the malicious ad, the browser is automatically redirected through two malvertising servers, the second of which delivers the Angler Exploit Kit. The kit then downloads a BEDEP variant, which in turn drops malware that Trend Micro detects as TROJ_AVRECON.

Angler is not tied to a single payload, however. In a separate report, security researchers observed Angler leading victims' systems to download both BEDEP and the TeslaCrypt ransomware.

Malvertisements have moved well beyond serving unwanted ads. Cybercriminals increasingly abuse the online advertising ecosystem to reach users, who are likely to encounter malicious ads on online shopping sites, digital news hubs, social media platforms, and gaming portals. Malvertising does its damage either by tricking the user into clicking a malicious link or through drive-by downloads, which means a visitor to a site carrying a malware-laced ad can be infected simply by loading the affected page, with no click required.
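The chain Chen describes (page with the ad, two malvertising servers, then the kit's landing page and its plugin exploit) shows up in web proxy logs as a run of Referer-linked requests across hosts the user never chose to visit, completed within seconds and without a click. The following is an added example, not code from the original article or from Trend Micro, that reconstructs such chains from constructed proxy log lines and flags the drive-by pattern. The hostnames (news.example, ads.adnet.example, mal1.example, mal2.example, landing.ek.example and the benign ones), the log format, the payload content types and the 30-second window are all assumptions made for the example.

```python
# Added example: reconstruct per-client Referer chains from a proxy log and flag
# malvertising-style drive-by chains (page -> ad -> N third-party hosts -> plugin payload).
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
from urllib.parse import urlparse

# Constructed proxy log: time client method url status content-type referer ("-" = none).
# Client 10.0.0.5 mirrors the chain in the article: page -> ad slot -> malvertising
# server 1 -> malvertising server 2 -> exploit-kit landing page -> Flash exploit.
SAMPLE_LOG = """\
2016-03-14T10:00:01 10.0.0.5 GET http://news.example/politics/story.html 200 text/html -
2016-03-14T10:00:02 10.0.0.5 GET http://ads.adnet.example/frame?slot=top 200 text/html http://news.example/politics/story.html
2016-03-14T10:00:03 10.0.0.5 GET http://mal1.example/r?id=77 200 text/html http://ads.adnet.example/frame?slot=top
2016-03-14T10:00:04 10.0.0.5 GET http://mal2.example/go?c=9 200 text/html http://mal1.example/r?id=77
2016-03-14T10:00:05 10.0.0.5 GET http://landing.ek.example/index.php?q=abc 200 text/html http://mal2.example/go?c=9
2016-03-14T10:00:06 10.0.0.5 GET http://landing.ek.example/x.swf 200 application/x-shockwave-flash http://landing.ek.example/index.php?q=abc
2016-03-14T10:05:00 10.0.0.9 GET http://shop.example/cart 200 text/html -
2016-03-14T10:05:01 10.0.0.9 GET http://ads.adnet.example/frame?slot=side 200 text/html http://shop.example/cart
2016-03-14T10:05:02 10.0.0.9 GET http://cdn.adnet.example/banner.png 200 image/png http://ads.adnet.example/frame?slot=side
2016-03-14T10:07:00 10.0.0.9 GET http://video.example/watch?v=1 200 text/html -
2016-03-14T10:07:01 10.0.0.9 GET http://static.videocdn.example/player.swf 200 application/x-shockwave-flash http://video.example/watch?v=1
"""

# Content types that mean a browser-plugin object or a binary reached the client (assumed list).
PAYLOAD_TYPES = {
    "application/x-shockwave-flash",  # Adobe Flash
    "application/x-silverlight-app",  # Microsoft Silverlight
    "application/octet-stream",       # generic binary download
}
MAX_CHAIN_SECONDS = 30  # automatic redirects finish in seconds; a human click chain is slower


@dataclass
class Hit:
    ts: datetime
    client: str
    url: str
    status: int
    ctype: str
    referer: Optional[str]


def parse_log(text: str) -> list:
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, ctype, ref = line.split()
        hits.append(Hit(datetime.fromisoformat(ts), client, url, int(status),
                        ctype.split(";")[0].lower(), None if ref == "-" else ref))
    return hits


def host(url: str) -> str:
    return urlparse(url).hostname or ""


def build_chain(hit: Hit, by_url: dict) -> list:
    """Walk Referer headers back to a request with no referer (the page the user opened).
    302 hops and script-created iframes do not appear as separate referers, so the
    reconstructed chain is a lower bound on the real number of hops."""
    chain, seen, cur = [hit], {hit.url}, hit
    while cur.referer and cur.referer in by_url and cur.referer not in seen:
        cur = by_url[cur.referer]
        seen.add(cur.url)
        chain.append(cur)
    chain.reverse()
    return chain


def find_drive_by_chains(hits: list, min_third_party_hosts: int = 2) -> list:
    """One finding per payload request whose chain starts at a page load, crosses at
    least min_third_party_hosts hosts other than the page's own and completes fast."""
    by_client = defaultdict(dict)
    for h in sorted(hits, key=lambda h: h.ts):
        by_client[h.client][h.url] = h
    findings = []
    for client, by_url in by_client.items():
        for h in by_url.values():
            if h.ctype not in PAYLOAD_TYPES:
                continue
            chain = build_chain(h, by_url)
            origin = chain[0]
            if origin.referer is not None:  # chain never reaches a page load; skip
                continue
            hosts = []
            for hop in chain[1:]:
                hh = host(hop.url)
                if hh != host(origin.url) and hh not in hosts:
                    hosts.append(hh)
            elapsed = (h.ts - origin.ts).total_seconds()
            if len(hosts) >= min_third_party_hosts and elapsed <= MAX_CHAIN_SECONDS:
                findings.append({"client": client, "origin": origin.url,
                                 "hosts": hosts, "payload": h.url, "seconds": elapsed})
    return findings


if __name__ == "__main__":
    for f in find_drive_by_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']}: {f['origin']} -> {' -> '.join(f['hosts'])} "
              f"({f['seconds']:.0f}s, payload {f['payload']})")
```

With the default threshold of two third-party hosts, only the news-site chain is reported; the shop page that loads a banner from its ad network and the video page that loads a player from a single CDN are not. Lowering the threshold to one would also flag the video player, which is the usual false-positive trade-off with this kind of rule. Referer-based linking is approximate: browsers send the referer of the initiating document, not of an intermediate 302, and referrer policies can strip it entirely, so a negative result is never proof that no chain existed.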


In Trend Micro’s 2016 Security Predictions, threat experts and researchers predicted that growing awareness of the harm done by malvertisements will push vendors to provide ad-blocking options in their products and services. “In the U.S. alone, the number has increased to 48%, with monthly active users during the second quarter expanding to 45 million. This figure seeks to shake the very foundation by which advertising business models operate, which will, in turn, propel advertisers to seek new ways to advertise online. Likewise, cybercriminals will find other ways to get closer to victims, effectively delivering a blow to malvertisements.”

Users and organizations are urged to keep applications and operating systems up to date with the latest security patches: Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silverlight, among other software. Removing or disabling browser plugins that are not actually needed takes those exploits off the table altogether.

Trend Micro protects users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can detect this threat by its behavior without any engine or pattern updates. The Browser Exploit Prevention feature in endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security blocks the exploit as soon as the user accesses the URL hosting it. Browser Exploit Prevention protects against exploits that target browsers or related plugins.
