After a long while, malvertising campaigns are back with their exploit kits. A Fallout exploit kit campaign was discovered distributing the Raccoon Stealer via high-traffic adult sites. After being reported, the same threat actor came back again, this time using the RIG exploit kit instead. Then the largest campaign was launched recently on the top adult site xhamster[.]com by a malvertiser who managed to abuse practically all adult ad networks. The campaigns target users running Internet Explorer without any particular geolocation restriction, although the majority of victims were in the US. In this campaign, the crooks abused the popular ad network ExoClick via several different redirection pages. Simple server-side cloaking (the gate returns the redirect only to visitors whose request looks like a genuine target, and a harmless decoy page to everyone else) performs the redirect to a Fallout exploit kit landing page, which attempts to exploit CVE-2019-0752 (Internet Explorer) and CVE-2018-15982 (Flash Player) before dropping the Raccoon Stealer. Another domain, websolvent[.]me, also became active but used a different redirection technique: an HTTP 302 redirect, also known as 302 cushioning. This time we see the RIG exploit kit, which also delivers Raccoon Stealer.
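The 302 cushioning described above leaves a recognizable trail in web proxy logs: a short run of redirects, each one's Location becoming the next request, that starts on an ad server and ends on a landing page on an unrelated host, from an Internet Explorer user agent. The script below is an added example for this summary, not code from the original post or from any vendor: it reconstructs those chains from a constructed, tab-separated proxy log (timestamp, client, status, URL, Location, User-Agent) and flags chains that cushion through three or more URLs across more than one host from an IE browser. All hostnames in the sample log (`ads.adnet.test`, `gate.cushion.test`, `cdn.landing.test`) are placeholders in the reserved `.test` TLD and are not indicators from the campaign.

```python
"""Reconstruct HTTP redirect chains ("302 cushioning") from proxy logs.

Added example, not code from the original post. The log format, hostnames
and user agents below are constructed for the demonstration only.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Internet Explorer identifies itself with "MSIE " (IE <= 10) or "Trident/" (IE 11).
IE_UA_RE = re.compile(r"MSIE |Trident/")

# Constructed sample log: one IE client follows ad -> gate -> landing page,
# one Chrome client only ever sees the ad network's own decoy page.
IE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/84.0 Safari/537.36"
SAMPLE_LOG = "\n".join([
    "\t".join(["1596200001", "10.0.0.5", "200", "http://ads.adnet.test/serve?z=1", "-", IE_UA]),
    "\t".join(["1596200002", "10.0.0.5", "302", "http://ads.adnet.test/click?id=7", "http://gate.cushion.test/go", IE_UA]),
    "\t".join(["1596200003", "10.0.0.5", "302", "http://gate.cushion.test/go", "http://cdn.landing.test/index.php?k=1", IE_UA]),
    "\t".join(["1596200004", "10.0.0.5", "200", "http://cdn.landing.test/index.php?k=1", "-", IE_UA]),
    "\t".join(["1596200005", "10.0.0.9", "200", "http://ads.adnet.test/serve?z=1", "-", CHROME_UA]),
    "\t".join(["1596200006", "10.0.0.9", "302", "http://ads.adnet.test/click?id=8", "http://ads.adnet.test/decoy", CHROME_UA]),
    "\t".join(["1596200007", "10.0.0.9", "200", "http://ads.adnet.test/decoy", "-", CHROME_UA]),
])


def parse_log(text):
    """Parse tab-separated lines: ts, client, status, url, location, ua. Skip malformed ones."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        ts, client, status, url, location, ua = fields
        records.append({"ts": int(ts), "client": client, "status": int(status),
                        "url": url, "location": None if location == "-" else location,
                        "ua": ua})
    return records


def host(url):
    return urlsplit(url).hostname or ""


def build_chains(records):
    """Per client, a hop continues when the next request's URL equals the
    previous response's Location; the chain ends at the first non-redirect fetch."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_client[r["client"]].append(r)

    chains = []
    for client, recs in by_client.items():
        current = None  # in-progress chain: hops so far and the URL we expect next
        for r in recs:
            is_redirect = r["status"] in REDIRECT_STATUSES and r["location"] is not None
            if current and r["url"] == current["expect"]:
                current["hops"].append(r["url"])
                if is_redirect:
                    current["expect"] = r["location"]
                    continue
                chains.append(current)  # landed on a real page
                current = None
                continue
            if current:  # client never fetched the expected URL; keep the partial chain
                chains.append(current)
                current = None
            if is_redirect:
                current = {"client": client, "ua": r["ua"],
                           "hops": [r["url"]], "expect": r["location"]}
        if current:
            chains.append(current)
    for c in chains:
        c.pop("expect", None)
        c["hosts"] = [host(u) for u in c["hops"]]
    return chains


def suspicious_chains(chains, min_hops=3):
    """Flag chains with at least min_hops URLs that cross hosts and come from
    Internet Explorer, the only browser these exploit kits targeted."""
    return [c for c in chains
            if len(c["hops"]) >= min_hops
            and len(set(c["hosts"])) > 1
            and IE_UA_RE.search(c["ua"])]


if __name__ == "__main__":
    for c in suspicious_chains(build_chains(parse_log(SAMPLE_LOG))):
        print(c["client"], " -> ".join(c["hops"]))
```

The host-crossing check is what separates a cushion from an ad network's own click tracking: the Chrome client in the sample also receives a 302, but it stays on the ad server, so it is not flagged. On real logs, feed the flagged chains' last host into your threat intelligence lookups rather than treating the heuristic as a verdict on its own.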
The second malvertiser (‘malsmoke’) is a group whose end payload is often the Smoke Loader malware. The gates used by this group also use a decoy site, and over time they have registered domains mimicking ad networks and cloud providers. The redirection mechanism is more sophisticated than those used in other malvertising campaigns: there is some client-side fingerprinting, plus connectivity checks to weed out VPNs and proxies, so that only visitors from what the group considers legitimate IP addresses are targeted. Interestingly, this Smoke Loader instance also downloads Raccoon Stealer and ZLoader.