Ad.fly Shortener Exploited for Malvertising. HanJuan Exploit Kit Loaded

Another malvertising campaign has been detected, redirecting users to the HanJuan exploit kit (EK), also known as the Tinba Trojan and Fobber. The advertising service Ad.fly has been compromised and abused to lead users to a piece of malicious software designed to harvest login details. The attack itself may be considered a man-in-the-middle one, since the user's browser is hijacked to intercept various credentials. Ad.fly is a URL shortener that displays an ad before the user reaches the final content behind the shortened link.


URL shortening services are often employed by cyber criminals to disguise malicious links. The present malvertising campaign, however, is designed to exploit not the short link itself but an advertisement embedded within the Ad.fly service. The malicious advertising therefore takes place during the ad display, and the user is redirected to the exploit kit.

The HanJuan EK Malvertising Campaign Description

As just mentioned, the attack begins with the exploitation of the Ad.fly service. Basically, the shortener uses interstitial advertising. Interstitials are web pages that are shown to the user before or after he reaches the desired content. Usually, interstitials are controlled by an ad server.

The malvertising redirection system to the exploit kit is quite sophisticated, as indicated by Malwarebytes research. The first four sessions load the interstitial ad via an encoded JavaScript snippet. Once the HanJuan kit is loaded, exploits targeting Flash Player and Internet Explorer are fired before the final payload is dropped onto the hard disk. According to Segura, a senior security researcher at Malwarebytes, the vulnerability exploited in Flash Player is said to be CVE-2015-0359, and the one in IE CVE-2014-1776. Either can be employed, depending on the user's profile. Furthermore, the payload most likely contains several layers of encryption, both in the binary itself and in the C&C communications, making the whole malicious campaign a tad more complex.
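The multi-hop redirection described above is what an analyst looks for when reviewing proxy logs after a suspected malvertising incident: a chain that starts at an ad or shortener page, passes through several unrelated hosts, and ends in a Flash object or executable download. The following is an added example (not code from the article or from Malwarebytes) that rebuilds such chains from referer relationships in a constructed log and flags the long ones that end in a suspicious content type. The log format and every host name are constructed for illustration; "shortener.example" stands in for the Ad.fly service and "ek-landing.example" for the unknown exploit kit host.

```python
"""Reconstruct browser redirect chains from proxy log lines and flag
long chains that terminate in a Flash object or executable download.

Added example, not from the original article. Log format and hosts are
constructed; no real indicators are used.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: "client timestamp url referer content_type"
# ("-" means the request carried no Referer header).
SAMPLE_LOG = """\
10.0.0.5 T+01 http://shortener.example/1ABCDE - text/html
10.0.0.5 T+02 http://ad-server.example/interstitial.js http://shortener.example/1ABCDE application/javascript
10.0.0.5 T+03 http://redirector-1.example/r?id=7 http://ad-server.example/interstitial.js text/html
10.0.0.5 T+04 http://redirector-2.example/go http://redirector-1.example/r?id=7 text/html
10.0.0.5 T+05 http://ek-landing.example/index.php http://redirector-2.example/go text/html
10.0.0.5 T+06 http://ek-landing.example/flash.swf http://ek-landing.example/index.php application/x-shockwave-flash
10.0.0.5 T+07 http://ek-landing.example/payload.exe http://ek-landing.example/index.php application/octet-stream
10.0.0.9 T+10 http://news.example/ - text/html
10.0.0.9 T+11 http://cdn.example/site.js http://news.example/ application/javascript
"""

# Content types that, at the end of a long chain, merit investigation.
SUSPICIOUS_TYPES = {"application/x-shockwave-flash", "application/octet-stream"}
MIN_HOPS = 3  # chains through at least this many distinct hosts are reported


def parse_log(text):
    """Turn whitespace-separated log lines into dictionaries."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, ts, url, referer, ctype = line.split()
        records.append({"client": client, "ts": ts, "url": url,
                        "referer": referer, "ctype": ctype})
    return records


def build_chains(records):
    """Follow Referer links from every root request (no referer) to each leaf."""
    children = defaultdict(list)
    roots = []
    for rec in records:
        if rec["referer"] == "-":
            roots.append(rec)
        else:
            children[rec["referer"]].append(rec)

    chains = []

    def walk(rec, path, seen):
        path = path + [rec]
        kids = [k for k in children.get(rec["url"], []) if k["url"] not in seen]
        if not kids:
            chains.append(path)
            return
        for kid in kids:
            walk(kid, path, seen | {kid["url"]})

    for root in roots:
        walk(root, [], {root["url"]})
    return chains


def flag_chains(chains, min_hops=MIN_HOPS):
    """Report chains that cross many hosts and end in a suspicious download."""
    flagged = []
    for chain in chains:
        hosts = []
        for rec in chain:
            host = urlparse(rec["url"]).netloc
            if host not in hosts:
                hosts.append(host)
        if len(hosts) >= min_hops and chain[-1]["ctype"] in SUSPICIOUS_TYPES:
            flagged.append((chain[0]["client"], hosts, chain[-1]["url"]))
    return flagged


def analyze(text=SAMPLE_LOG):
    """Full pipeline: parse, rebuild chains, flag suspicious ones."""
    return flag_chains(build_chains(parse_log(text)))


if __name__ == "__main__":
    for client, hosts, final_url in analyze():
        print(client, " -> ".join(hosts), final_url)
```

Run against the constructed log, the first client's two chains (ending in the .swf and the .exe) are reported with the full host path shortener, ad server, two redirectors, landing page, while the second client's ordinary page-plus-script visit is not. The hop threshold and the content-type set are the tunable parts; a real deployment would also key on the MIME type the server actually returned rather than on the file extension.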

Login Details Theft

As with most malicious campaigns of this scale, the final goal is the theft of sensitive information.
The malicious interstitial ad is loaded via encoded JavaScript. Moreover, the final URL is fetched via CORS (Cross-Origin Resource Sharing). CORS is a mechanism that permits restricted resources on a web page, such as JavaScript, to be requested from a domain other than the one the page originated from.
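The CORS mechanism named above is a server-side opt-in: the browser sends the page's origin, and a script may only read a cross-origin response if that response names the origin (or "*") in Access-Control-Allow-Origin. The example below is added here and is not code from the article; it models the browser's decision and, alongside it, the server-side policy that produces the header, contrasting the weak "reflect any Origin" configuration with an explicit allowlist. All origins are constructed.

```python
"""Model the browser-side CORS read check and the server-side policy
that produces the Access-Control-Allow-Origin header.

Added example, not from the original article. Origins are constructed.
"""


def cors_allows_read(requesting_origin, response_headers, with_credentials=False):
    """Return True if a script running on requesting_origin may read the
    cross-origin response carrying response_headers.

    This mirrors the browser's rule: the response must name the origin
    or "*"; a wildcard is refused for credentialed requests, and a named
    origin with credentials also needs Access-Control-Allow-Credentials.
    """
    allow = response_headers.get("Access-Control-Allow-Origin")
    if allow is None:
        return False                      # server did not opt in
    if allow == "*":
        return not with_credentials       # wildcard never pairs with credentials
    if allow.lower() != requesting_origin.lower():
        return False                      # named a different origin
    if with_credentials:
        creds = response_headers.get("Access-Control-Allow-Credentials", "")
        return creds.lower() == "true"
    return True


def build_cors_headers(request_origin, allowlist, reflect_any=False):
    """Server side: decide which CORS headers to send for a given Origin.

    reflect_any=True models the weak configuration that echoes whatever
    Origin arrives (with credentials), effectively disabling the
    same-origin policy for that resource. The default consults an explicit
    allowlist and emits Vary: Origin so caches keep the responses apart.
    """
    if reflect_any:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true"}
    if request_origin in allowlist:
        return {"Access-Control-Allow-Origin": request_origin,
                "Vary": "Origin"}
    return {}                             # no CORS headers: browser blocks the read


def demo():
    """Walk one cross-origin fetch through both sides of the exchange."""
    page_origin = "https://ad-server.example"       # constructed
    api_allowlist = {"https://app.example"}         # constructed

    strict = build_cors_headers(page_origin, api_allowlist)
    weak = build_cors_headers(page_origin, api_allowlist, reflect_any=True)
    return {
        "strict_server_lets_foreign_script_read": cors_allows_read(page_origin, strict),
        "weak_server_lets_foreign_script_read": cors_allows_read(page_origin, weak, with_credentials=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical point for defenders is that CORS protects the site that sets the header, not the visitor: a server under the attacker's control can always opt in, so a malvertising chain fetching its next stage cross-origin is not something a victim site's own CORS policy can prevent. What an allowlist does prevent is the reverse case, a foreign script reading a legitimate site's authenticated responses.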

Another version of the Tinba Trojan

According to the Dutch security company Fox-IT, the threat is yet another variant of the Tinba banking Trojan, also known as Tiny Banker and Trojan.Tinba.B. Tinba was detected by Symantec back in September 2014. Its threat level was considered low, its primary purpose being the theft of banking credentials.

Another malicious campaign associated with HanJuan EK was detected in March this year. Any user who had visited the New York Daily website, Metacafe and several other less popular sites could have been compromised by a malvertising campaign redirecting to the HanJuan EK. An Adobe Flash Player vulnerability was similarly exploited.

HanJuan Exploit Kit Detection and Removal

To stay protected against exploit kits, users can follow security tips such as:

  • Frequently update Java, Adobe products, and Flash.
  • Turn off Java and Flash when not needed.
  • Implement a routine patching program.
  • Maintain a capable anti-malware solution.

The following security tip goes to business owners:

  • Eliminate or restrict admin-level rights for non-expert employees.

To make sure the computer hasn't been affected by the HanJuan EK, performing a full system scan is recommended. Several removal steps that apply to information-stealing Trojans are also provided.


1. Start your PC in Safe Mode to remove HanJuan Exploit Kit.
2. Remove HanJuan Exploit Kit automatically with the SpyHunter malware removal tool.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
