New AdsTerra malvertising campaign found delivering banking trojans, ransomware and more

  • The campaign involves cybercriminals buying ad space from a middle-man to generate traffic for their campaigns.
  • The malvertising campaign was found redirecting to the Rig and Magnitude exploit kits.

A new malvertising campaign has been discovered distributing banking trojans, ransomware, bots and more. The campaign involves cybercriminals buying ad space from a middle-man to generate traffic for their campaigns. The campaign was also found redirecting to the Rig and Magnitude exploit kits (EKs).

According to researchers at Check Point, who discovered the new malvertising campaign, the entire campaign is powered by the infamous AdsTerra Network. The researchers discovered the campaign when they stumbled upon a new Rig Exploit Kit campaign, whose server belonged to a cybercriminal referred to as Master134.

Master134 is considered to be a major player amongst scammers. He is believed to be the main actor behind a tech support scam, as well as the source of the HookAds and Seamless campaigns.

Modus operandi

Check Point researchers discovered that the campaign leveraged over 10,000 hacked websites. The websites were found to contain a WordPress vulnerability that left all of them open to remote code execution (RCE) attacks. This in turn allowed Master134 to use the websites to redirect visitors to EKs such as Rig, Magnitude and GrandSoft.

“It seems threat actors seeking traffic for their campaigns simply buy ad space from Master134 via several Ad-Networks and, in turn, Master134 indirectly sells traffic/victims, to these campaigns via malvertising,” Check Point researchers wrote in a blog.

“As often happens in the ad industry, AdsTerra resells the traffic to several other Reseller companies – in this case, ExoClick, AdKernel, EvoLeads, AdventureFeeds, who curiously sell this traffic to their clients,” Check Point researchers added. “However, all the clients who bid on the traffic directed via AdsTerra, from Master134, happen to be threat actors, and among them some of the Exploit Kit land’s biggest players.”

Ads for cybercriminals

Check Point researchers suspect that cybercriminals paid Master134 directly for ad space. Master134, in turn, pays the ad-network companies to re-route the traffic, masking its origins.

“In such a scenario, Master134 plays a unique role in the cybercrime underworld; he is generating profit from ad revenue by working directly with AdsTerra and is successfully making sure this traffic reaches the right, or in our case – the wrong hands,” Check Point researchers said.

The new campaign highlights how cybercriminals use new techniques to help grow their campaigns and attacks. However, in this case, security experts found legitimate online advertising companies at the center of this campaign. This essentially connects legitimate entities with cybercriminals.

“Due to the often complex nature of malware campaigns, and the lack of advanced technology to vet and prevent malicious adverts from being uploaded onto Ad-Network bidding platforms, it is likely we will see more Malvertising continue to be a popular way for cyber criminals to gain illegal profits for many years to come,” Check Point researchers said.