Several major porn websites have become conduits for malvertising and are being used to distribute the Ramnit trojan in the UK and Canada.
The adult websites in question have significant traffic (several million monthly visits each), according to Malwarebytes lead malware intelligence analyst Jérôme Segura. Malicious actors were using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously redirect users to the RIG exploit kit, which in turn delivers the Ramnit payload.
Ramnit is an information stealer that takes data including banking and FTP credentials. It has been around for several years and has bounced back after a 2015 takedown. IBM X-Force researchers reported last August that the Ramnit trojan had relaunched, targeting six major banks in the UK.
“After a silent period of about eight months, researchers observed that Ramnit’s operators set up two new live attack servers and a new command-and-control (C&C) server,” wrote IBM researcher Limor Kessem. “They launched an infection campaign in the UK and are spreading new trojan configurations to equip the malware with web injections designed to target personal banking users.”
Describing the latest malvertising campaign, Segura explained that pop-under ads are usually triggered when a user clicks on an item on the site they are browsing. For instance, clicking on one of the category thumbnails launches the pop-under window behind the main page.
Porn sites are no strangers to being used to target large numbers of victims. This particular campaign abuses the ExoClick ad network, which has taken action to stop the fraudulent advertiser, Segura said.