Cyber criminals have exploited the reach of two online advertising networks, Google's DoubleClick and the popular Zedo advertising agency, to deliver malicious advertisements to millions of internet users, advertisements that could install malware on a user's computer.
A recent report published by a researcher at the security vendor Malwarebytes suggests that the cyber criminals are exploiting a number of websites, including The Times of Israel, The Jerusalem Post and the Last.fm music streaming website, to serve malicious advertisements designed to spread the recently identified Zemot malware.
Malvertising is not a new tactic used by cybercriminals, but Jerome Segura, a senior security researcher with Malwarebytes, wrote in a blog post that his company "rarely see attacks on a large scale like this."
"It was active but not too visible for a number of weeks until we started seeing popular sites getting flagged in our honeypots," Segura wrote. "That's when we thought, something is going on."
The first malicious ad impressions appeared in late August, and by now millions of computers have likely been exposed to Zemot, although only those with outdated antivirus protection were actually infected.
According to Segura, the malicious advertisements lead users to websites hosting the Nuclear exploit kit, which looks for an unpatched version of Adobe Flash Player or Internet Explorer running on the victim's system. If it finds one, it downloads the Zemot malware, which then contacts a remote server and downloads a wave of other malicious applications.
By the time the malware was spotted, millions of computers may already have been exposed to Zemot, the researcher said, though he added that only users with out-of-date antivirus software were actually infected by it.
The Zemot malware was identified by Microsoft earlier this month. According to Microsoft, Zemot is distributed not only by the Nuclear exploit kit but also by the Magnitude exploit kit and the Kuluoz spambot malware. The malware focuses on computers running Windows XP, although it can also infect more modern operating systems on both 32-bit (x86) and 64-bit machines.
The malware can easily bypass the security software installed on a system before infecting it with additional malware, which makes the attack difficult to identify.
A Google representative confirmed the breach to The Verge, saying that the team was aware of it, has since shut down all the affected servers that were redirecting to malicious code, and has disabled the ads that delivered malware to users' computers.