We are observing a particular large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month.
In the past two days we have noted a 1500% increase in infections starting from xHamster.
Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and exploit within an apparent ad network.
The main adult site links to traffichaus.com where the malicious advertising (malvertising) happens thanks to an iframe:
hxxp://musthave-media.org/tracking.php loads the malicious Flash file (1 detection on VT) from: hxxp://musthave-media.org/banner/count.swf which exploits the recent 0 day.
Upon successful exploitation, a malicious payload (Bedep) VT 2/57, is downloaded from:
hxxp://nertafopadertam.com/2/showthread.php
This attack looks similar than the one mentioned by Kafeine. What we see post exploitation is ad fraud as described here.
Malwarebytes Anti-Exploit protects you from this attack:
While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge.
COMMENTS