
Found on the Malwarebytes blog:

“The same ad network – AdSpirit.de – which was recently abused in malicious advertising attacks against a slew of top media sites was caught serving malvertising on MSN.com.

This is the work of the same threat actors that were behind the Yahoo! malvertising”.

“The incident occurred when people who were simply browsing MSN’s news, lifestyle or other portals were served with a malicious advertisement that silently loaded the Angler exploit kit and attempted to infect their computers”.

“The ad request came from AppNexus, which loaded the booby-trapped advert from AdSpirit and the subsequent malvertising chain”.

Infection chain:

msn.com/en-us/news/politics/dozens-of-clinton-emails-were-classified-from-the-start-us-rules-suggest/ar-BBlXPkl?ocid=iehp (publisher)
lax1.ib.adnxs.com/{redacted} (AppNexus Ad network)
pub.adspirit.de/adframe.php?pid=7&ord=[timestamp]prdclick_0 (AdSpirit Ad network)
trkp-a1009.rhcloud.com/?tr28-0a22 (Red Hat OpenShift redirection)
fox23tv.com/?cn67CuYcDcbvV (Same ad but with redirection to malicious URL)
abbezcqerrd.irica.wieshrealclimate.com (iframe to exploit kit)
hapme.viwahcvonline.com (Angler EK landing page)

This time, rogue actors are leveraging Red Hat’s cloud platform, rhcloud.com, to perform multiple redirections to the Angler exploit kit (in the previous attack they were using Microsoft’s Azure).

The malware payload associated with this campaign is believed to be either ad fraud or ransomware, the latter being Angler’s trademark.
