Cisco's Talos & GoDaddy Shut Down Malvertising Campaign

(pc-google images)

Cisco System’s threat research group has detected and deactivated a global malvertising campaign which exposed visitors on legitimate sites to the malicious code Neutrino Exploit Kit.

(pc-google images)

Talos Security Intelligence and Research Group and GoDaddy shut down the malicious server in Russia, which hosted the exploit kit.


Malware was propagated through ad networks such as OpenX and Revive and appeared on many websites. A criminal gang known as Shadowgate bought ads on platforms that enabled them to add JavaScript code to ads. These ads drove users to special servers called ‘gates’ and they would check the user's browser and OS, and if conditions were met, they would be redirected to another landing page where the Neutrino exploit kit would be used to infect a system with malware using flaws in unpatched software detected by the gates.


Cisco researcher Nick Biasini said that about 1,000 of one million visitors may have been exposed to Neutrino EK, which then tried to transfer the CrypMIC ransomware to their computers.


“GoDaddy quickly responded and was able to mitigate the threat successfully. As of the publishing of this blog the associated malvertising campaign appears to have been successfully shut down and the malicious activity thwarted. Unfortunately, as this is using domain shadowing it's likely the campaign will only remain dormant for a while, but until then users are protected from this specific threat,” said Biasani.


Biasini emphasized the seriousness of malvertising campaigns noting that as more content continues to move online the primary revenue source for web sites is online ads.