The HookAds malvertising campaign is a campaign that buys cheap ad space on low quality ad networks that are typically used by adult sites, blackhat SEO sites, and online games. The ads will redirect users through a series of decoy sites that resemble pages filled with ads, games, or other low-quality pages. For the attacker, if all goes as planned, the user will end up loading the Fallout exploit kit. Once Fallout is activated, it will make an attempt to exploit any vulnerabilities in Windows to install various malware which include the Danabot Trojan, GlobeImposter ransomware, and the Nocturnal information stealer. For users running Internet Explorer, Fallout will make an attempt to exploit the Windows VBScript vulnerability (CVE-2018-8174) to install the payload.
Analyst Notes
Users are advised to be cautious when visiting unfamiliar sites. It’s always a good idea to avoid clicking on any ads. The Fallout exploit kit relies on CVE-2018-8174 which was patched by Microsoft in May 2018. For any user running Internet Explorer, they are advised to run Windows update, or, at the very least download the specific patch for their version of Windows from the Microsoft MSRC website (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174). If the user fails to install the latest version of Internet Explorer, they could be putting themselves at a high risk.
