This article originally appeared in Information Security Buzz on November 14, 2018.
The HookAds malvertising campaign is active again and is downloading various malware through the Fallout exploit kit.
Mike Bittner, Digital Security & Operations Manager at The Media Trust:
“Bad actors behind the HookAds campaign appear to be switching their tactics and adding more weapons to their arsenal to make a clean sweep of their targets. It appears they have joined forces with distributors of DanaBot, a banking trojan, either as part of a larger North American DanaBot campaign that splits profits among various bad actors or as a renter of the malware. Other DanaBot campaigns in the region involved the use of eFax digital faxes. The HookAds malicious campaign makes use of an earlier campaign’s tactics: compromising adult websites and using an extensive network of rogue ad domains masquerading as legitimate advertising platforms. Two years ago, the campaign fed traffic into the RIG exploit; this year, it feeds traffic to the Fallout exploit kit. The tactical switch was likely done to target users who are less likely to update or patch legacy desktops used to conduct a wide array of personal transactions online, such as paying bills, shopping, etc. These machines likely store a lot of personal, sensitive information, so taking them over would give bad actors access to all of it. But to ensure they are able to scrape as much information as they can, they have also used Nocturnal Stealer to obtain passwords and information from Chrome and Firefox browsers, as well as rob cryptocurrency wallets.”