Magnitude

Magnitude made itself known in October of 2013 when it breached the servers of PHP.net, a popular scripting language development website, and redirected the site’s visitors to its landing page using a compromised JavaScript file. It then exploited vulnerabilities in Java and Flash to deliver malicious payloads like Zeus, Andromeda, Necurs, Zusy, and Ngrbot. Magnitude was later used in an attack against Yahoo and WordPress website users. Magnitude operates as a pay-per-campaign model and its customers are responsible for generating traffic to the kit’s landing pages. The sellers of the Magnitude EK require 5-20% of the user’s malicious traffic in order to turn a profit and stand to make nearly $3 million solely by maintaining infrastructure.

On 29 June 2015, ThreatPost reported that Magnitude included exploits for the recently patched zero-day vulnerability found in Adobe Flash Player and was delivering CryptoWall ransomware to Windows 7 computers running Internet Explorer 11. In 2015, the top victims of Magnitude included the United States, Iran, and Vietnam; however, the success rate varied greatly, with the highest success rate being 68% in Vietnam and only a 9% success rate in the US. According to Malwarebytes, in 2016 Magnitude EK was infecting victims with CryptoWall 4.0 ransomware by exploiting vulnerabilities in older versions of Adobe Flash Player. Magnitude EK spreads through malvertising on pop-under ads, ads that appear behind the main browser window and remain open until the user manually closes them.

In April, visitors to the Pirate Bay website were infected with Cerber ransomware distributed by the Magnitude EK. During April and May, Angler and Nuclear EK activity significantly decreased, leading to an increase in activity from Magnitude EK, along with Neutrino and RIG EKs.

Reporting

  • June 2016: Magnitude EK activity increases as Angler and Nuclear EKs decrease. (Softpedia)
  • May 2016: Magnitude EK exploiting recently patched Adobe Flash Player vulnerability. (PointB+Beyond)
  • October 2017: Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware. (Trend Micro)

Technical Details

  • FireEye provides additional technical details on the Magnitude EK, available here.
  • More details on the Magnitude EK’s exploitation of the Adobe vulnerability are available from TrendMicro.

One example of the Magnitude EK back-end infrastructure. Image Source: TrendMicro