- https://blog.malwarebytes.com/cyberc...sing-campaign/
Nov 1, 2016 - "...We estimate that at least one million visitors to adult websites were exposed to this particular campaign. Adult traffic is funneled to one of several decoy adult websites where an -iframe- to adult banner is injected dynamically. All of these domains have been registered with the intention of looking like advertising platforms. While some domains were used for long periods of time, most switched every day or so to let a new one in: use Do SWF)...
Conclusion: The Hook Ads malvertising campaign is -still- running at the time of writing this post, with new rogue ad domains getting registered each day. We are blocking the malicious IP range to protect our customers and Malwarebytes Anti-Exploit users are also shielded against the RIG exploit kit..."
IOCs
IPs:

"...The same vulnerability has been shared with both Microsoft and Adobe on October 21st, as it also affected Flash Player. But while Adobe has already pushed out an update with the patch, Microsoft has not been so quick..."

2 November 2016: last_transactions_fb079ee.zip: Extracts to: last_transactions_2EA31C0_PDF Current Virus Total detections 9/54*.
Date: Wed 02/11/2016
Subject: Transactions
Attachment: last_transactions_fb079
Hi [redacted]
[random name] called me yesterday updating about the transactions on company's account from last month.
Best Regards, Berry Rutledge
Best Regards, Chandra Frye
The name of the sender will vary.
"...Manual analysis of the vbs shows a download of a file from one of these locations:
http ://bddja .com/p0u44p8z | http ://akira-sushi34 .ru/przgzq | http ://3rock .ie/qdq1fv4c
http ://cokealong .com/0l609 | http ://fiveclean .com/14msj3
which is an autorun (Virus Total 7/55**). If I get hold of the C2s or other download locations then I will post them here."
* https:// Id=100
UPDATE: My usual reliable source tells me that these are all the download locations...

"...The sending IP was (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking. All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously..."
* https://virustotal.com/en/file/8e365...8347/analysis/
** https://malwr.com/analysis/Njli ZDdm Z..Mjk1NGEz Zj Q/
Hosts (Virus Total 10/56***) Payload Security

Dynamoo's blog gives details of a slightly different email delivering the same word docs & malware payload...
Screenshot: https://3blogspot.com/-Dtzf LWMDT...
"...Attached is a Word document (in this case Internal_Fax) which has a pretty low detection rate at Virus Total of 5/54*. Both the Malwr report** and Hybrid Analysis*** give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:
www .tessaban .com/img/safafaasfasdddd
This is a -hacked- legitimate website. The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://
** https://malwr.com/analysis/ZTI2Zj M1O...g4YWQx Yz M2Mzc/
Hosts ...

1 November 2016: SIPUS16-953639.zip: Extracts to: INV_NO_79980148 (Virus Total 12/56***).
"...an email with the subject of 'Your Invoice: SIPUS16-953639' (random numbers) coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with SIPUS16 ... Same malware and delivery method as this earlier malspam run using fake invoices..."
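As an added example (not code from the posts above or from any of the blogs they quote): the write-ups defang their indicators by spacing out the dots and the scheme ("http ://bddja .com/..."), which is safe to paste but useless to a proxy or a SIEM as written. The script below refangs the five VBS download URLs, the hacked tessaban.com path and the attachment MD5 into a blocklist, then scans proxy-log lines for contact with those hosts, flagging exact payload-URL fetches separately from other requests to the same host. The Squid-style log layout, the client addresses and all function names are constructed for illustration; only the indicator strings come from the posts.

```python
# Added example: turn the defanged indicators quoted in the posts above into a
# blocklist and scan proxy logs for contact with them. Not code from the quoted
# blogs; the log lines, client addresses and field layout are constructed.
import re
from urllib.parse import urlsplit

# Indicator strings exactly as they are written (spaced out) in the posts.
DEFANGED_URLS = [
    "http ://bddja .com/p0u44p8z",
    "http ://akira-sushi34 .ru/przgzq",
    "http ://3rock .ie/qdq1fv4c",
    "http ://cokealong .com/0l609",
    "http ://fiveclean .com/14msj3",
    "www .tessaban .com/img/safafaasfasdddd",   # hacked legitimate site
]
# MD5 reported as consistent across the Word-document attachments.
ATTACHMENT_MD5 = "e6d2863e97523d2f0e398545989666e4"


def refang(indicator: str) -> str:
    """Undo the usual write-up defanging: 'hxxp', '[.]', and spaces around '.', ':' and '/'."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return re.sub(r"\s*([./:])\s*", r"\1", s)


def defang(url: str) -> str:
    """Inverse of refang, for pasting indicators into tickets without making them clickable."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating the scheme-less 'www.example.com/path' form."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def build_blocklist(defanged):
    """Return (exact payload URLs, set of hostnames) from defanged indicator strings."""
    urls = [refang(u) for u in defanged]
    return urls, {host_of(u) for u in urls}


# Constructed Squid native access.log layout: time elapsed client code/status bytes method URL ...
PROXY_LINE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def scan_proxy_log(lines, hosts, urls):
    """Return one hit per request to a blocklisted host; flag exact payload-URL matches."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = host_of(url)
        if host in hosts:
            hits.append({
                "client": m.group("client"),
                "host": host,
                "url": url,
                "exact_payload_url": url in urls,
            })
    return hits


def is_known_attachment(md5_hex: str) -> bool:
    """True if an attachment hash matches the MD5 quoted for the malicious document."""
    return md5_hex.strip().lower() == ATTACHMENT_MD5


# Constructed sample log: one payload fetch, one benign request, one other hit on the hacked host.
SAMPLE_PROXY_LOG = [
    "1478044800.123    245 10.0.0.12 TCP_MISS/200 4523 GET http://bddja.com/p0u44p8z - HIER_DIRECT/203.0.113.5 application/octet-stream",
    "1478044801.456     31 10.0.0.12 TCP_MISS/200 812 GET http://www.example.com/ - HIER_DIRECT/198.51.100.7 text/html",
    "1478044802.789    198 10.0.0.40 TCP_MISS/404 300 GET http://www.tessaban.com/img/other.png - HIER_DIRECT/203.0.113.9 text/html",
]

if __name__ == "__main__":
    payload_urls, bad_hosts = build_blocklist(DEFANGED_URLS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, bad_hosts, payload_urls):
        flag = "PAYLOAD URL" if hit["exact_payload_url"] else "host only"
        print(f"{hit['client']} -> {defang(hit['url'])} [{flag}]")
```

Matching on hostname rather than the full URL is deliberate: the posts note that the download path rotates and that tessaban.com is a compromised legitimate site, so any request to those hosts is worth a look, while an exact match on the quoted path is the strong signal that the VBS or Word document actually ran.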