Common Information
| Type | Value |
|---|---|
| Value |
Malvertising - T1583.008 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.(Citation: Masquerads-Guardio)(Citation: FBI-search) Adversary’s efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.(Citation: sentinelone-malvertising) Malvertising may be used to support [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.(Citation: BBC-malvertising) Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.(Citation: Masquerads-Guardio) Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.(Citation: spamhaus-malvertising) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2017-08-31 | 6 | RIG exploit kit distributes Princess ransomware | Malwarebytes Labs | ||
| Details | Website | 2017-08-21 | 3 | July’s Most Wanted Malware: RoughTed and Fireball Decrease, But Stay Most Prevalent - Check Point Research | ||
| Details | Website | 2017-08-16 | 23 | Fobos Campaign Using RIG EK to Drop Bunitu Trojan | ||
| Details | Website | 2017-08-14 | 95 | Threat actor goes on a Chrome extension hijacking spree | Proofpoint US | ||
| Details | Website | 2017-08-02 | 63 | Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain | Malwarebytes Labs | ||
| Details | Website | 2017-07-24 | 48 | The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc. | ||
| Details | Website | 2017-07-13 | 98 | RIG EK at 188.225.76.222 Drops Dreambot | ||
| Details | Website | 2017-07-10 | 202 | Tech Support Scams Using Numeric Domains | ||
| Details | Website | 2017-07-10 | 0 | A week in security (July 03 – July 09) | Malwarebytes Labs | ||
| Details | Website | 2017-07-06 | 1 | Report: Second quarter dominated by ransomware outbreaks | Malwarebytes Labs | ||
| Details | Website | 2017-06-30 | 14 | How Malicious Websites Infect You in Unexpected Ways | ||
| Details | Website | 2017-06-28 | 0 | Pyramid Schemes Go High Tech with Affiliate Spam and Malware Affiliates | Proofpoint US | ||
| Details | Website | 2017-06-27 | 2 | Hospitality Industry Needs Shelter From Cyber Threats | ||
| Details | Website | 2017-06-25 | 31 | Malvertising Leads to HookAds Campaign Which Redirects to RIG EK at 188.225.74.13. RIG EK Drops Dreambot. | ||
| Details | Website | 2017-06-23 | 27 | Seamless Campaign Leads to RIG EK at 92.222.48.83 and Drops Ramnit | ||
| Details | Website | 2017-06-21 | 12 | Fireball and WannaCry Impact More Than 1 in 4 Organizations Globally, According to Check Point's Latest Threat Index - Check Point Software | ||
| Details | Website | 2017-06-20 | 36 | HookAds Campaign Leads to RIG EK at 188.225.78.240. RIG EK Drops Dreambot. | ||
| Details | Website | 2017-06-20 | 65 | AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware | Proofpoint US | ||
| Details | Website | 2017-06-20 | 28 | AdGholas Campaign Employs Astrum Exploit Kit | ||
| Details | Website | 2017-06-19 | 14 | Ransomware Cerber v6.x - Delivery and Detection | ||
| Details | Website | 2017-06-06 | 33 | HookAds Malvertising Campaign Leads to RIG EK at 194.87.93.114 and Drops Dreambot | ||
| Details | Website | 2017-06-05 | 58 | RoughTed Malvertising Operation Leads to “RELST” Domains and RIG EK. | ||
| Details | Website | 2017-05-31 | 41 | HookAds Campaign Leads to RIG EK at 188.227.74.169 and 5.200.52.203, Drops Dreambot | ||
| Details | Website | 2017-05-25 | 62 | RoughTed: the anti ad-blocker malvertiser | Malwarebytes Labs | ||
| Details | Website | 2017-05-24 | 0 | Ztorg Trojan: Infect yourself for 5 cents |