Common Information
| Type | Value |
|---|---|
| Value |
Malvertising - T1583.008 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.(Citation: Masquerads-Guardio)(Citation: FBI-search) Adversary’s efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.(Citation: sentinelone-malvertising) Malvertising may be used to support [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.(Citation: BBC-malvertising) Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.(Citation: Masquerads-Guardio) Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.(Citation: spamhaus-malvertising) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2017-05-23 | 2 | Stealing Windows credentials using Google Chrome | Malwarebytes Labs | ||
| Details | Website | 2017-05-18 | 23 | HookAds Malvertising Campaign Leads to RIG EK at 185.154.53.33, Drops LatentBot | ||
| Details | Website | 2017-05-15 | 40 | RIG Exploit Kit at 185.154.53.7 Drops Pony, Downloads Philadelphia Ransomware. | ||
| Details | Website | 2017-05-15 | 137 | WannaCry Ransomware Campaign: Threat Details and Risk Management | Mandiant | ||
| Details | Website | 2017-05-09 | 30 | RIG EK at 92.53.119.66 Drops Dreambot | ||
| Details | Website | 2017-05-02 | 3 | Cerber Version 6 Shows How Far the Ransomware Has Come | ||
| Details | Website | 2017-04-24 | 0 | The Necurs Botnet: A Pandora's Box of Malicious Spam | ||
| Details | Website | 2017-04-21 | 40 | Elusive Moker Trojan is back | Malwarebytes Labs | ||
| Details | Website | 2017-04-18 | 69 | Hacked Sites Redirecting Users to Various Malvertising Campaigns | ||
| Details | Website | 2017-04-13 | 1 | The Unbearable Lightness of Operating Web-Based Attacks: How easy it is to steal money from IE 8.0-11.0 users - Check Point Software | ||
| Details | Website | 2017-04-06 | 15 | Malvertising on iOS pushes eyebrow-raising VPN app | Malwarebytes Labs | ||
| Details | Website | 2017-04-03 | 0 | 2017-4-3 Global Cyber Attack Report - Check Point Research | ||
| Details | Website | 2017-03-27 | 29 | RIG EK at 5.200.52.238 Drops Ransom Locker | ||
| Details | Website | 2017-03-21 | 62 | HookAds Campaign Leads to RIG EK at 92.53.104.78 | ||
| Details | Website | 2017-03-15 | 40 | Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits | Mandiant | ||
| Details | Website | 2017-03-13 | 12 | Hancitor Makes First Appearance in Top Five ‘Most Wanted’ Malware in Check Point’s February Global Threat Impact Index - Check Point Software | ||
| Details | Website | 2017-03-09 | 16 | Exploit kits: Winter 2017 review | Malwarebytes Labs | ||
| Details | Website | 2017-03-02 | 167 | RIG EK at 92.53.105.43 Drops ASN1 Ransomware | ||
| Details | Website | 2017-03-02 | 149 | Bye Empire, Hello Nebula Exploit Kit. | ||
| Details | Website | 2017-02-27 | 15 | New Neutrino Bot comes in a protective loader | Malwarebytes Labs | ||
| Details | Website | 2017-02-25 | 15 | New RaaS Portal Preparing to Spread Unlock26 Ransomware | ||
| Details | Website | 2017-02-21 | 2 | How Every Cyber Attack Works - A Full List | ||
| Details | Website | 2017-02-20 | 0 | Support scams now reign in Spain | WeLiveSecurity | ||
| Details | Website | 2017-02-19 | 129 | HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot. | ||
| Details | Website | 2017-02-08 | 0 | Hummingbad Overtaken as Leading Mobile Malware in January’s Global Threat Impact Index - Check Point Software |