Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Angler Takes Malvertising to New Heights

We have just discovered an advertising campaign that has been placing malicious advertisements on very popular websites both in the US and internationally. "" (Alexa rank 420 Global and 155 in the US), "" (Ranked 986 in the US) and "" (Ranked 4,649 Internationally) are only some of the big names that were recently found redirecting visitors to the Angler exploit kit through a malicious advertising campaign, and though malicious advertising has become part of our daily lives in the world of web security, this story is a little different.

Before we get into the technical details it's important to note that while these popular sites are involved in the infection process they are, much like infected clients, victim of Malvertising. The only "crime" here is being popular and having high volumes of traffic going through their sites daily.

On the more technical side of things, those of us familiar with the Angler exploit kit know that it never ceases to innovate and come up with new ideas for infecting as many victims as possible. These days we're practically used to the "standard" Malvertising campaigns where the placement of malicious advertisements on known ad provider networks leads potential victims to an exploit kits' landing page. This time it seems that an experienced actor has acquired an expired domain of a small but probably legitimate advertising company in order to utilize this for malicious purposes. This provides them with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK.

In the past few days while going over the telemetry of our products we noticed that several high profile sites were fetching a JSON file which is hosted on "brentsmedia[.]com" as part of their process for pulling advertising content from their ad providers, below is the content of this JSON file containing the next hop in the redirection chain:


Figure 1: JSON including JavaScript

Here is what the banner image for the ad looks like:


Figure 2: New socket wrench, anyone?

This JSON file refers to a suspicious, heavily-obfuscated JavaScript file with more than 12,000 lines of code. Our suspicions grew further when de-obfuscation of the script revealed that it tries to enumerate the following list of security products and tools in order to filter out security researchers and users with protections that would prevent exploitation:


Figure 3: Programs Enumeration

If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK landing page. Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware – double the trouble.


Figure 4: Infection Chain Starting at BrentsMedia

Checking the history of the "brentsmedia[.]com" domain reveals that it expired on January 1st 2016:


Figure 5: Expired on 1/1/2016

… and that it was registered again on March 6th 2016 with a different registrant. The following is a comparison between the old registrant and new one from March:


Figure 6: whois data from January 2016 (left) and March 2016 (right)

A quick check on "" reveals that BrentsMedia was an advertising company selling "online marketing solutions":


Figure 7: BrentsMedia in its old, happy days

According to our telemetry these malicious "ads" were delivered through at least two affiliate networks: adnxs, who responded to us extremely quickly and handled the incident within an hour (!), and taggify whom we contacted but have not heard back from at the time of posting this blog.

BrentsMedia was probably a legitimate business, and though we can't know for sure, it's likely that the people behind this operation are trying to ride on the reputation the domain had and abuse it to trick ad companies into publishing their malicious ads. As for the BrentsMedia site itself, it currently hosts code that behaves like a Traffic Distribution System (TDS), but at the moment it appears to only be "distributing" traffic to Angler EK.

This leaves us with some questions: are the people behind Angler doing this directly, or are they acquiring this from a fellow criminal? Is this a lucky catch for them, or a new trend of "stalking" domains nearing expiration?

We thought we may never learn the answers to these questions, but as we were putting our findings down into this blog post more telemetry came in and we noticed two more expired "media"-related domains exhibiting the same characteristics as brentsmedia[.]com: "envangmedia[.]com" and "markets.shangjiamedia[.]com", and looking up the IP address of brentsmedia shows that another similarly named domain has already been registered to point to this IP address:


Figure 8: VirusTotal DNS data for brentsmedia's IP address

If one was to take a wild guess, one might think that they actually are watching for any domains containing the word "media" that have recently expired…

Whether or not this will turn into a new trend, it's certainly an interesting development in the world of Malvertising, once again reminding us how difficult it is for both end-users and ad networks to deal with this threat.

This blog post was co-authored by Daniel Chechik, Simon Kenin and Rami Kogan.

Trustwave Secure Web Gateway protects its customers against this attack and the Angler Exploit Kit in general.

Latest SpiderLabs Blogs

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Physical Address Strangeness in Spam

Ten years ago, Congress passed the "CAN-SPAM Act" (also known as theYou-CAN-SPAM Act, since it defined legal spam and supersedes any stricter state-antispam laws). One of the provisions of the act is...

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More