Ramnit Worm Distributed via Malvertising Campaign Targeting Adult Websites
A new malvertising campaign has been discovered using popular adult websites (each with several million visits per month) to target primarily Canadian and UK visitors. Using pop-under ads, the campaign ultimately directed victims to the RIG exploit kit, which sought to drop Ramnit.

Pop-under ads are triggered when a user clicks on an item on the site they are visiting. In this instance, the click launched a pop-under window behind the main page. Redirection from there loaded mostly benign adult portals and offers, but a 302 redirect also went to a malicious site that performed geolocation fingerprinting before loading the RIG exploit kit.

The danger with malvertising is that it is invisible to the eye and effective from trusted sites. In this campaign the prime target is individual adults, but it would be wrong to assume that malvertising is primarily a consumer threat. Relaxed attitudes to staff using their own devices at work and using the internet to keep up with news make everyone susceptible.