Malvertising Campaign via Pop-under Ads Sends CryptoWall 4

Malvertising Campaign via Pop-under Ads Sends CryptoWall 4

We have caught a new malvertising campaign on the PopAds network launching the Magnitude exploit kit via pop-under ads.

A pop-under is an ad window that appears behind the main browser window and typically remains open until the user manually closes it. Unsuspecting victims running outdated versions of the Flash Player were immediately infected with the CryptoWall ransomware.

This campaign started around January 1st with ads mostly placed on various adult and video streaming sites and lead to an increase in Magnitude EK activity.

Infection flow overview

  2. {redacted}.name/
  3. Magnitude EK domain

Magnitude EK overview


Landing page


Flash exploit (CVE-2015-7645)

  • MD5 (Original)bc0939c7cb7d85b6789fbd6a160a4470
  • MD5 (Decompiled)b91d14a85576f9c0d2864f802f8a039b

According to our data, this attack mainly targeted European users:


CryptoWall 4 infection

Once a system is infected, personal files are encrypted and usable as indicated in the dreaded CryptoWall ransom page:


To recover pictures, documents and other import files, users are asked to pay in order to receive a “decryption” key.


Malware MD5c0f8d8d2bf9a70cc69d641ed0263f77e


Ransomware is one particular type of malware where prevention and backups are more important than ever. Since this particular attack relies on web exploits to infect the machine, it is crucial to keep your browser and related plugins up to date.

You may also want to consider disabling or removing the Flash Player altogether since it has suffered a high number of zero-day exploits in recent history (even the latest version was vulnerable).

Malwarebytes Anti-Exploit users were already protected against this exploit kit and never even saw the CryptoWall payload.


We have notified the ad network and hope they can shutdown this campaign.


Jérôme Segura

Principal Threat Researcher