Tinba malware updates itself to make removal harder
Posted on Friday, June 26 2015 @ 12:22 CEST by Thomas De Maesschalck
Malwarebytes discovered a new piece of malware named Tinba. This Trojan automatically updates both itself and its command servers to try to stay one step ahead of anti-virus tools. Tinba is spread via "malvertising" campaigns: it uses ads embedded within a URL shortener service to lead users to the HanJuan exploit kit (HanJuan EK). The goal of Tinba is to steal user credentials, passwords and other sensitive data.
"Oftentimes cyber criminals will use URL shorteners to disguise malicious links," the blog post explains. "However, in this particular case, it is embedded advertisement within the URL shortener service that leads to the malicious site."
"It all begins with Adf.ly, which uses interstitial advertising, a technique where adverts are displayed on the page for a few seconds before the user is taken to the actual content."
Following a complex malvertising redirection chain, the HanJuan EK is loaded and fires Flash Player and Internet Explorer exploits before dropping a payload onto disk.
"The payload we collected uses several layers of encryption within the binary itself but also in its communications with its command and control server," added the firm.
Full details at The Inquirer and MalwareBytes.