Today, we are going to look at an intriguing crawl we came across inside of the RiskIQ platform. This example illustrates the relationship between compromised ad servers, traffic distribution systems, and the Angler Exploit Kit (EK).

The initial tip-off was some tell-tale Angler EK activity on photo-supermarket[.]co[.]uk. What's interesting is that we saw two different events fire on this crawl, one for the EK and one for a compromised ad server.

As we dig into the alert that fired for the compromised ad server, we can see the malicious iframe injection residing in the grupo-rdr[.]com/owns/superior/min.js file, as illustrated below:

As we take a look at the initial ad that was displayed, we can see the injection to the TDS on the OpenX ad server:

And lastly, we can see the full sequence of events that occurred to lead us to the exploit kit here:

Using this data, analysts can understand how traffic originated to an exploit kit and have the pieces to put together the proverbial puzzle they're tasked with completing.

Learn more about the Angler EK here, and more about shady traffic delivery tactics here, here, and here.

Questions? Feedback? Email research-feedback@riskiq.net to contact our research team.