Several security researchers have reported a large-scale malvertising campaign, tracked as Master134, that is being directed against users worldwide. Nothing is known about the perpetrators; the operation may be the work of an experienced hacking group or of a single individual.
Malware Master134 Ad Campaign Focuses on Worldwide Delivery
Security researchers closely monitor the activity of known hacking groups, and in particular the tactics they use to deliver malware. Renewed activity around the Master134 ad campaign has prompted several research groups to investigate the malvertising attacks further. Earlier, the campaign relied on only a few key redirect domains to funnel users to malicious sites. Its main goal is to deliver a range of malware families, including ransomware.
One of the distinctive characteristics of the Master134 ad campaign is that the operators appear to have used compromised or stolen domains that previously belonged to legitimate, revenue-generating advertising networks. Those domains came with an existing flow of visitors, so the operators did not have to build traffic themselves. Many of the malicious domains also appear to be registered with information that points to legitimate sites. That apparent legitimacy allowed the operators to slip past most common blacklists and firewall rules, which judge a domain by its reputation and registration data rather than by what it actually does; such reputation-based blocking is reactive by nature, and the pages were blocked only once they had been identified as malicious. The ongoing campaign is described as widespread, targeting users across all continents.
The discovered sites exhibit two behavior patterns:
- Traffic Redirect — When a victim clicks an ad served through one of the hijacked network sites, they are redirected to another site chosen by the operators. This can be used to drive paid traffic to particular domains (black-hat SEO and traffic monetization), to run in-browser scripts such as cryptocurrency miners, or to push downloads of ransomware and Trojans. It is a particularly dangerous infection vector because the malicious code can run in the background without any further action by the user.
- Exploit Kit Downloads — The landing site can trick or force the victim into downloading infected content, including payloads built by exploit kits that carry ransomware or Trojans. These payloads are distributed as files as well as by email and take various forms; common ones are weaponized documents of the popular types (spreadsheets, presentations, databases and text files) and trojanized installers of well-known software.
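To make the Traffic Redirect pattern concrete, here is an added example (not code from the original article or from any of the researchers who reported the campaign) that reconstructs redirect chains from proxy log lines and flags the ones that look like a malvertising traffic-distribution hop: too many consecutive redirects after an ad click, or a landing host outside an allowlist of known partners. The log format, the placeholder domains, the allowlist and the hop threshold are all constructed assumptions for illustration and are not indicators from the real campaign.

```python
"""Reconstruct HTTP redirect chains from proxy logs and flag malvertising-style hops.

Added example, not the article's or any vendor's code. The log format, domain
names, allowlist and threshold below are assumptions chosen for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (tab-separated): time, client, status, url, referrer, location.
# Every host name here is a placeholder, not a real indicator of compromise.
SAMPLE_LOG = """\
10:00:01\t10.0.0.5\t200\thttp://news.example/article\t-\t-
10:00:02\t10.0.0.5\t302\thttp://ads.adnet.example/click?id=1\thttp://news.example/article\thttp://tds.redir.example/go
10:00:02\t10.0.0.5\t302\thttp://tds.redir.example/go\thttp://ads.adnet.example/click?id=1\thttp://landing.bad.example/ek
10:00:03\t10.0.0.5\t200\thttp://landing.bad.example/ek\thttp://tds.redir.example/go\t-
10:00:10\t10.0.0.7\t302\thttp://ads.adnet.example/click?id=2\thttp://news.example/article\thttp://shop.partner.example/offer
10:00:10\t10.0.0.7\t200\thttp://shop.partner.example/offer\thttp://ads.adnet.example/click?id=2\t-
"""

# Assumed allowlist of landing hosts the organisation knows as legitimate ad partners.
ALLOWED_LANDING = {"shop.partner.example"}
# Assumed threshold: a single redirect after an ad click is normal; more is suspicious.
MAX_HOPS = 1


def parse_log(text):
    """Turn the tab-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referrer, location = line.split("\t")
        events.append({"ts": ts, "client": client, "status": int(status),
                       "url": url, "referrer": referrer, "location": location})
    return events


def host(url):
    """Host name of a URL, or '' if it has none."""
    return urlsplit(url).hostname or ""


def build_chains(events):
    """Follow 30x Location headers per client to reconstruct redirect chains."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    chains = []
    for client, evs in by_client.items():
        by_url = {e["url"]: e for e in evs}   # join a Location to the request that followed
        consumed = set()                       # URLs already placed inside some chain
        for e in evs:
            # A chain starts at a redirect that was not itself the target of an earlier hop.
            if not (300 <= e["status"] < 400) or e["url"] in consumed:
                continue
            chain = [e["url"]]
            cur = e
            while 300 <= cur["status"] < 400 and cur["location"] != "-":
                nxt = cur["location"]
                chain.append(nxt)
                consumed.add(nxt)
                cur = by_url.get(nxt)
                if cur is None:                # redirect target never requested (blocked/aborted)
                    break
            chains.append({"client": client, "hops": chain})
    return chains


def flag_chains(chains, allowed=ALLOWED_LANDING, max_hops=MAX_HOPS):
    """Return chains that look like malvertising: too many hops or an off-allowlist landing."""
    findings = []
    for c in chains:
        redirects = len(c["hops"]) - 1
        landing = host(c["hops"][-1])
        reasons = []
        if redirects > max_hops:
            reasons.append(f"{redirects} redirect hops after ad click")
        if landing not in allowed:
            reasons.append(f"landing host {landing} not in allowlist")
        if reasons:
            findings.append({"client": c["client"], "landing": landing,
                             "hops": c["hops"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_chains(build_chains(parse_log(SAMPLE_LOG))):
        print(f["client"], " -> ".join(host(h) for h in f["hops"]), "|", "; ".join(f["reasons"]))
```

The detector deliberately judges a chain by its behaviour (how many hops, and where it ends) rather than by the reputation of the intermediate domains. That matters for a campaign like this one, where the redirect domains carried legitimate-looking registration data and slipped past blacklists: an allowlist of landing hosts plus a hop-count threshold keeps working even when the intermediaries are not yet on any blocklist.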
At present no information is available about who is behind the malvertising campaign. Future waves of the campaign may well change tactics and adopt other delivery methods.