Recent malvertising campaigns have been redirecting users from around the world to the landing page of the Neutrino exploit kit, according to Cisco Talos researchers. The campaigns consist of malicious ads, an initial redirection point (the gate), and an exploit kit that infects users with the final malware payload.
Cisco found that in all of the campaigns, the redirection was handled by ShadowGate, so called because it relies on domain shadowing (compromised registrar accounts used to create subdomains under legitimate domains) to host its malicious activity.
The gate has been monitored since it was first identified in 2015, and it has some striking features. It is notable for infecting only a small fraction of the users it sees, despite the high volumes of traffic it registers.
Another of the gate's peculiarities is that it goes dark for periods of time before resuming and redirecting users to exploit kits. The gate's traffic is not tied to Neutrino: it initially redirected to Angler, according to Cisco. ShadowGate has made use of several domains over the past year, but it has been used sparingly over the last month.
The researchers also said that the gate is not as sophisticated as it might appear. They noted that an iframe was set to be rendered several feet to the left and to the right of the screen, where the user never sees it. Once a victim lands on the EK page, it checks whether Flash is installed and, if so, delivers a malicious Flash file. If there is no Adobe Flash Player on the device, there is no infection.
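Off-screen and near-invisible iframes of the kind described above are easy to spot in page source, and scanning for them is a practical detection for a compromised site. The following Python scanner is an added example, not code from the Cisco Talos report or from this article; the sample page, the domain names (all under reserved example domains) and the pixel thresholds are constructed assumptions for illustration.

```python
"""Flag <iframe> elements that are rendered off-screen or made effectively invisible."""
from html.parser import HTMLParser
import re

OFFSCREEN_PX = 1000   # assumed threshold: offsets beyond this lie outside any real viewport
TINY_PX = 2           # assumed threshold: frames this small are not meant to be seen

# Constructed sample page: one ordinary video embed plus one injected, hidden iframe.
# The hostnames are placeholders, not real indicators.
CONSTRUCTED_PAGE = """
<html><body>
<h1>Market news</h1>
<iframe src="https://video.example.org/embed/123" width="640" height="360"></iframe>
<p>Article text goes here.</p>
<iframe src="http://ads.shadowed-sub.example.net/gate.php"
        style="position:absolute; left:-5000px; top:-5000px; width:1px; height:1px"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({name: (value or "") for name, value in attrs})


def parse_style(style):
    """Turn an inline style string into a {property: value} dict (lower-cased)."""
    props = {}
    for declaration in style.split(";"):
        if ":" in declaration:
            name, value = declaration.split(":", 1)
            props[name.strip().lower()] = value.strip().lower()
    return props


_PX = re.compile(r"^(-?\d+(?:\.\d+)?)(px)?$")


def as_px(value):
    """Parse '640', '-5000px' or '1px' into a float; anything else (auto, %, em) returns None."""
    match = _PX.match((value or "").strip())
    return float(match.group(1)) if match else None


def iframe_findings(attrs):
    """Return a list of reasons an iframe looks deliberately hidden (empty if it looks normal)."""
    style = parse_style(attrs.get("style", ""))
    findings = []
    # Large negative or positive offsets push the frame far outside the viewport.
    for prop in ("left", "top", "margin-left", "margin-top"):
        offset = as_px(style.get(prop))
        if offset is not None and abs(offset) >= OFFSCREEN_PX:
            findings.append(f"{prop}={style[prop]} renders the frame off-screen")
    # A 1x1 (or 0x0) frame still loads its src but is invisible to the user.
    for dim in ("width", "height"):
        size = as_px(style.get(dim, attrs.get(dim)))
        if size is not None and size <= TINY_PX:
            findings.append(f"{dim} of {size:g}px makes the frame effectively invisible")
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        findings.append("frame is hidden via CSS")
    return findings


def find_hidden_iframes(html):
    """Scan an HTML document and return [(src, [findings...])] for suspicious iframes only."""
    collector = IframeCollector()
    collector.feed(html)
    results = []
    for frame in collector.iframes:
        findings = iframe_findings(frame)
        if findings:
            results.append((frame.get("src", ""), findings))
    return results


if __name__ == "__main__":
    for src, findings in find_hidden_iframes(CONSTRUCTED_PAGE):
        print(f"suspicious iframe -> {src}")
        for reason in findings:
            print(f"  - {reason}")
```

Run over a site's rendered HTML, the scanner reports only frames that are pushed off-screen, shrunk to a pixel or two, or hidden outright; the legitimate 640x360 embed in the sample produces no finding, while the injected frame is flagged on all four of its offset and size properties. The thresholds are deliberately coarse so that the check can be dropped into a periodic integrity scan of a site's own pages.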
One of the malware strains discovered was reported on a website related to precious metals, goldseek.com, which contained the iframe that is typical of the campaign. Further analysis highlighted that some Chinese sites related to information technology were also targeted.
Cisco said that it is rare to find Chinese sites hosting malicious ads and serving exploit kit gates that compromise users. Other Chinese and New Zealand sites were also reported to have been affected, and the research noted that sites from Saudi Arabia and other Middle Eastern countries were impacted as well.
The gate was also seen on US websites, a Polish forum used by bicycle enthusiasts, and the website of a large Canadian city. Other affected pages covered guns, smoking and adult material. The researchers managed to mitigate the threat in partnership with GoDaddy, the registrar hosting the ShadowGate domains.