Angler Malvertising Campaign Hits Top Publishers

During the past few weeks, malvertising activity had been somewhat on the decline, at least within our own telemetry. We were mainly seeing the usual suspects pushing a lot of Magnitude EK-related infections and the occasional tech support scam.

However, out of the blue over the weekend, we witnessed a huge spike in malicious activity emanating from two suspicious domains. Not only were there a lot of events, but they also involved some very high-profile publishers, which is something we haven’t seen in a while:

Publisher Traffic (monthly)* 1.3B 313.1M 290.6M 218.6M 102.8M 60.7M 51.1M 43M 31.4M 9.9M

* Numbers pulled from

Rogue domains:

Creation Date: 2016-02-27
Sponsoring Registrar: PDR Ltd. d/b/a
Registrant Organization:
IP address: (CloudFlare)

Domain Name: TALK915.PW
Creation Date: 2016-02-25
Sponsoring Registrar: PDR Ltd. d/b/a
Registrant Name: Rocko Mantas
Registrant Organization: Best Media ltd
IP address: (CloudFlare)

Ad networks/platforms:

    -> Referer:


    -> Referer:{redacted}&{redacted}


    -> Referer:
    -> Referer:{redacted}


In the couple of days before this campaign went big, we observed a few hits on smaller publishers that were pushing the RIG exploit kit:
 -> Referer:

On Sunday, when the attack really expanded, the Angler exploit kit was then used:
 -> Referer:{redacted}&

Angler EK has gone through several changes lately, both in its URI patterns and in the landing page itself. It is also the only exploit kit to use a recently patched Silverlight vulnerability.

Malwarebytes Anti-Exploit blocks the malvertising attack when it launches the exploit kit:

March 15, 2016 | BY

Full Article:

Source: Large Angler Malvertising Campaign Hits Top Publishers | Malwarebytes Labs
