Shortener Exploited for Malvertising. HanJuan Exploit Kit Loaded - How to, Technology and PC Security Forum |
THREAT REMOVAL Shortener Exploited for Malvertising. HanJuan Exploit Kit Loaded

Another malvertising campaign has been detected, redirecting users to the HanJuan exploit kit (EK) also known as Timba Trojan and Fobber. An advertising service – has been compromised and exploited to link users to a piece of malicious software designed to harvest login details. The attack itself may be considered a man-in-the-middle one since the user’s browser is disposed to seize various credentials. is a URL shortener that displays an ad before the user reaches the final content via the shortened link.

Download a System Scanner, to See If Your System Has Been Affected By HanJuan Exploit Kit.

URL shortening services are often employed by cyber criminals to masquerade malicious links. However, the present malvertising campaign is designed to exploit not the short link but an embedded advertisement within the service. Hence, the malicious advertising happens and the user is redirected to the exploit kit.Trojan-Horse

The HanJuan EK Malvertising Campaign Description

As just mentioned, the attack begins with the exploitation of the service. Basically, the shortener uses interstitial advertising. Interstitials are web pages that are shown to the user before or after he reaches the desired content. Usually, interstitials are controlled by an ad server.

The malvertising redirection system to the exploit kit is quite sophisticated, as indicated by Malwarebytes research. The first four sessions load the interstitial ad via an encoded JavaScript blurb: Once the HanJuan kit is loaded, Flash Player and Internet Explorer are fired before the final payload is dropped onto the hard disk. According to Segura, a senior security researcher at Malwarebytes, the vulnerability exploited in Flash Player is said to be CVE-2015-0359, and the one in IE – CVE-2014-1776. Each can be employed, depending on the user’s profile. Furthermore, the payload most likely contains various layers of encryption – both in the binary itself and the C&C communications, making the whole malicious campaign a tad more complex.

Login Details Theft

As with most malicious campaigns of the scale, the final goal is the stealing of sensitive information.
The malicious interstitial ad is loaded via an encoded JavaScript. Moreover, the final URL is embarked via CORS – Cross Origin Resource Sharing. CORS is defined as a mechanism that permits restricted resources on a web page such as JavaScript to be demanded by an outside domain, different from the original one.

Another version of the Tinba Trojan

According to the Dutch security company Fox-IT, the threat is yet another variant of the Tinba banking Trojan also known as Tiny Banker and Trojan.Tinba.B. Tinba was detected by Symantec back in September 2014. Its threat level was considered low, its primary purpose being the theft of banking credentials.

Another malicious campaign associated with HanJuan EK was detected in March this year. Any user who had visited the New York Daily website, Metacafe and several other less popular ones, could have been compromised by a malvertising campaign redirecting to the HanJuan EK. An Adobe Flash Player vulnerability was similarly exploited.

HanJuan Exploit Kit Detection and Removal

To stay protected against exploit kits, users can follow some security tips such as:

  • Frequently update Java, Adobe products, and Flash.
  • Turn off Java and Flash when not needed.
  • Implement a routine patching program.
  • Sustain a powerful anti-malware solution.

The following security tip goes to business owners:

  • Eliminate or restrict admin-level rights for non-expert employees.

To make sure the computer hasn’t been affected by the HanJuan EK, performing a full system scan is recommended. Several removal steps that apply to information stealing Trojans are also provided.

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

1. Start Your PC in Safe Mode to Remove HanJuan Exploit Kit

1. Start Your PC in Safe Mode to Remove HanJuan Exploit Kit.

1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu.
2. Select one of the two options provided below:

For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.

For PCs with multiple operating systems: Тhe arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.

3. As the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. As you make your selection, press “Enter“.
4. Log on to your computer using your administrator account

While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.

2. Remove HanJuan Exploit Kit automatically with Spy Hunter Malware - Removal Tool.

2. Remove HanJuan Exploit Kit automatically with Spy Hunter Malware – Removal Tool.

To clean your computer with the award-winning software Spy Hunter – donload_now_140
It is highly recommended to run a system scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share