SpiderLabs Blog

Malvertisement – A Nuclear EK Tale

Over the past couple of years, delivering malware via advertisements, or "malvertisement," has become one of the most popular distribution methods for exploit kits. Like most trends in the world of Internet security, the longer it endures, the more sophisticated and complex it gets.

Considering the popularity of online advertising as a whole, it's not surprising to see that nearly all active exploit kits use malvertisements as a distribution channel. All of the high-volume exploit kits mentioned in the 2015 Trustwave Global Security Report (Rig, Nuclear, Angler and Magnitude) depended quite heavily on malvertisement.

It seems that for cybercriminals it is, as usual, a matter of return on investment. It is cheaper, easier and more reliable to distribute malicious ads via ad networks that place these ads on sites than it is to compromise high-traffic sites in order to infect their visitors.

For the ad networks, however, this is clearly not profitable. In addition to the reputation damage caused by these ad networks' involvement in delivering malware, legitimate websites that display their ads may stop using them as the result of a malvertisement incident.

So how are these malicious ads finding their way into these networks?

Detecting malvertisement campaigns is not an easy task. Even some of the largest ad networks such as Google and AOL were used, in one way or another, to distribute malware in 2015. Regarding larger ad networks, we often see malvertisement campaigns distributed by affiliates, partners or resellers. These companies, presumably with fewer resources than the big players, seem to be the weak link in terms of examining the ads they distribute.

In order to understand the situation these smaller advertisers are in, let's examine a malvertisement campaign distributing the Nuclear Exploit Kit:


The Fiddler session above actually starts one step after what the average user would experience. The first URL is the advertisement itself, which would normally be embedded within a legitimate page. This is because our example was observed on a machine infected with ad fraud malware, which visits ads directly to generate fake ad views. In this scenario, the ad was delivered via the "" advertising company. The ad itself redirects to the site "getyourimesh[.]com," which appears to be a site for a WordPress plugin called "Backup Creator":


Looking at the real Backup Creator site, we see a resemblance:


So the homepage of the "getyourimesh" site consists of stolen content, making it look legitimate. It is worth noting that this homepage doesn't lead to any malicious content, so the ad network has no reason to suspect any wrongdoing.

Looking at the HTML code of main.php on the same site, however, tells a different story:


The real "bad guy" in this example is track.php, which performs checks on the requesting client. If the client's user agent is Internet Explorer, it loads an iframe with Nuclear EK. This particular page is not very sophisticated. We've seen pages that perform more complex checks, but it seems that these are enough to go unnoticed by the advertising networks.

From here, this particular site has fulfilled its duties and the rest of the action occurs on a Nuclear EK domain, a hop away from any advertisement.

In this case, the ad network would only detect this attack by:

  1. Examining each and every URL submitted.
  2. Examining the content loaded by each URL using various user agents (and possibly third-party plugins or any other checks a page like track.php would choose to perform).
  3. Examining the type of content loaded by it, probably with a security product.

While ideally we'd all like to see this depth of evaluation, it's obvious why an advertisement network of small-to-medium scale might have trouble fulfilling these requirements.
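The second check above (fetching the landing page as different browsers and comparing what comes back) is the one that would have caught track.php's Internet Explorer-only iframe. Here is an added example of that check, not code from the original post: the fetch is simulated with constructed HTML responses, and all hostnames and user-agent strings are placeholders.

```python
"""Cloaking check for ad landing pages: fetch the same URL as several
browsers and report iframes that appear only for some user agents.
Added example with constructed responses in place of real downloads."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed user-agent set: an IE-like browser, a non-IE browser,
# and a scanner identity a verification service might use.
USER_AGENTS = {
    "ie11": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/45.0",
    "scanner": "AdVerificationBot/1.0 (placeholder)",
}

class FrameCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.frames.append(src)

def external_frames(html, page_host):
    """Hostnames of iframes pointing away from the landing page itself."""
    parser = FrameCollector()
    parser.feed(html)
    hosts = {urlsplit(src).hostname for src in parser.frames}
    return {h for h in hosts if h and h != page_host}

def audit_landing_page(url, fetch):
    """fetch(url, user_agent) -> HTML. Returns {host: [ua names]} for
    third-party iframes that only some user agents receive, i.e. content
    that is conditional on the client, as track.php's iframe was."""
    page_host = urlsplit(url).hostname
    per_ua = {n: external_frames(fetch(url, ua), page_host)
              for n, ua in USER_AGENTS.items()}
    everywhere = set.intersection(*per_ua.values())
    conditional = set().union(*per_ua.values()) - everywhere
    return {h: sorted(n for n, f in per_ua.items() if h in f) for h in conditional}

# Constructed responses: a cloned plugin homepage, and the same page with
# a 1x1 iframe added only when the client looks like Internet Explorer.
BENIGN = "<html><body><h1>Backup Creator</h1><p>Plugin page</p></body></html>"
CLOAKED = BENIGN.replace(
    "</body>", '<iframe src="http://ek-gate.example/load.php" width="1" height="1"></iframe></body>')

def fake_fetch(url, user_agent):
    """Stands in for an HTTP client; serves the iframe to IE only."""
    return CLOAKED if "Trident" in user_agent else BENIGN

if __name__ == "__main__":
    print(audit_landing_page("http://landing.example/main.php", fake_fetch))
```

An iframe served to every user agent is not flagged by itself; the finding is the difference between clients, which is what a reviewer would then inspect manually or pass to a security product (step 3 above).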

To close the loop and provide the full flow in our example, the Nuclear EK then exploited the machine using CVE-2015-3090, a vulnerability in Flash Player recently integrated into most Exploit Kits, and this Flash exploit then infected the machine with Cryptowall 3.0:


This is where the story ends.

We should note at this point that we contacted regarding this abuse case and they were quick to respond and investigate.

To give a brief summary of this story: An innocent user browsing the Internet, and not clicking any dodgy links or opening suspicious email attachments, could still find themselves at the mercy of ransomware or other malware.

Our advice to end users is to keep your OS, browser and any third-party plugins up to date at all times, so that known vulnerabilities like this one cannot be exploited.

Customers of Trustwave Secure Web Gateway are protected against this attack.
