Labs

The Relationship Between Compromised Ad Servers, Traffic Distribution Systems, and the Angler EK

Today, we are going to look at an intriguing crawl we came across inside of the RiskIQ platform. This example illustrates the relationship between compromised ad servers, traffic distribution systems, and the Angler Exploit Kit (EK).

The initial tip-off was some tell-tale Angler EK activity on photo-supermarket[.]co[.]uk. What's interesting is that we saw two different events fire on this crawl, one for the EK and one for a compromised ad server.

LabsPost_1

As we dig into the alert that fired for the compromised ad server, we can see the malicious iframe injection residing in the grupo-rdr[.]com/owns/superior/min.js file, as illustrated below:

LabsPost_2

As we take a look at the initial ad that was displayed, we can see the injection to the TDS on the OpenX ad server:

LabsPost_3

And lastly, we can see the full sequence of events that occurred to lead us to the exploit kit here:

LabsPost_4

Using this data, analysts can understand how traffic originated to an exploit kit and have the pieces to put together the proverbial puzzle they're tasked with completing.

Learn more about the Angler EK here, and more about shady traffic delivery tactics here, here, and here.

Questions? Feedback? Email research-feedback@riskiq.net to contact our research team.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor