The threat landscape is ever changing and adversaries are always working to find more efficient ways to compromise users. One of the many ways that users are driven to malicious content is through malicious advertisements known as malvertising. Talos has been monitoring several large-scale malvertising campaigns, how the initial exploit occur, and the payloads that are downloaded as a result.
In a normal ad campaign, ad agencies buy ad space on publications and other trafficked websites, and the ad agency then tries to get those ads served to users that fit some criteria in the hopes that users click on the ads, which take the user to (for example) a product page. The aggregate of serving ads for a particular product is referred to as a ‘campaign.’ A malvertising campaign is similar. Ad space is purchased from an agency, users satisfying particular criteria are targeted. It may be that the content of the mal-ad itself can infect a user’s computer, or it may be that a user who clicks on the enticing mal-ad is taken somewhere which then infects the user’s computer. The initial infection will often download another payload.