Ad servers have been used previously as a vehicle to deliver malvertising, but a new iteration has been detected that takes advantage of a hacked third-party ad server.
Over the past few weeks, a number of adult websites have been detected distributing side display banners served by the malicious code, according to a post by Jérôme Segura, a security researcher at Malwarebytes Lab.
"The conditionally injected script redirects to the Afraidgate campaign, which in turn pushes the Neutrino exploit kit," he wrote. The payload from this Neutrino campaign is Locky (Zepto flavor) and demands 1.5 bitcoin (approximately $939.53).
Visitors to the infected site will see an ad banner on the side. Trouble is, Segura explained, they won't have to click on it for the infection chain to commence and the ransomware to be dropped onto their computer. The ad banner appears only once per IP to make detection by analysts more difficult.