Malàsmoke gang could infect your PC while you watch porn sites

A cybercrime group named Malàsmoke has been targeting porn sites over the past months with malicious ads redirecting users to exploit kits.

A cybercrime group named Malàsmoke has been targeting porn sites over the past months, it is placing malicious ads on adult-themed websites to redirect users to exploit kits and deliver malware.

According to researchers from Malwarebytes, the gang was abusing practically all adult ad networks, but in the last campaign, they hit for the first time a top publisher.

This time the cybercrime group has managed to place malverts on xHamster, one of the most popular adult video portals with billions of visitors each month.

The malicious ads uses JavaScript code to redirect users from the porn site to a malicious site that was hosting an exploit kit designed to exploit to exploit CVE-2019-0752 (Internet Explorer) and CVE-2018-15982 (Flash Player) issues.

Upon visiting the malicious site with a vulnerable browser, the exploit kit delivers malware such as Smoke Loader, Raccoon Stealer, and ZLoader.

“Then we saw possibly the largest campaign to date on top site xhamster[.]com from a malvertiser we have tracked for well over a year. This threat actor has managed to abuse practically all adult ad networks but this may be the first time they hit a top publisher.” reads the analysis published by Malwarebytes.

“the threat actor was able to abuse the Traffic Stars ad network and place their malicious ad on xhamster[.]com, a site with just over 1.06 billion monthly visits according to SimilarWeb.com.”

Attacks exploiting exploit kits have declined in recent years due to the improved security of the browsers, most of which have removed both Flash and IE support.

Experts pointed out that the redirection mechanism is more sophisticated than those used in other malvertising campaigns. Threat actors implements some client-side fingerprinting and connectivity checks to avoid VPNs and proxies, in this way they only target legitimate IP addresses.

“Malsmoke is probably the most persistent malvertising campaigns we have seen this year. Unlike other threat actors, this group has shown that it can rapidly switch ad networks to keep their business uninterrupted.” concludes Malwarebytes.

The researchers also published Indicators of compromise (IoCs) for this campaign.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, porn sites)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.