
Cyber Incident Victim: Asia Times

Date:

Sep 2014

Location:

Israel

Summary

A malvertising campaign targeted two major online newspapers, redirecting visitors through a chain of malicious URLs, injected via the sites' third-party ad services, to a landing page serving exploit kits (Nuclear, and potentially Fiesta). The attack used obfuscated scripts and exploited vulnerabilities in Adobe Flash, PDF readers, and Internet Explorer to deploy the Zemot Trojan, which communicated with command-and-control servers such as warzine.su and wildkit.su. Hostnames in the redirect chain were chosen to resemble legitimate services (Google ad services and Amazon Web Services) in order to evade detection. The incident affected multiple high-traffic news platforms and would have led to unauthorized payload execution on the systems of any visitor whose browser plugins were unpatched. Security researchers identified and blocked the exploit chain and notified the affected organizations so they could mitigate the threat.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Threat Actor Type: Available to members
Threat Actor Location: Available to members

Description

On September 18, 2014, cybersecurity researchers identified a malvertising campaign impacting The Times of Israel and The Jerusalem Post, two prominent online news platforms. The attack originated from malicious advertisements injected into the newspapers' digital advertising supply chain and served through legitimate third-party services, including Google Tag Services and the DoubleClick ad delivery infrastructure. Visitors accessing specific article pages, such as a Lady Gaga-themed post on The Times of Israel, were subjected to a multi-stage redirection chain. This chain routed users through domains such as static.the-button.com and amazon.wiab-service.se (the latter chosen to resemble an Amazon Web Services hostname) before reaching attacker-controlled servers at oppieposmedism.uni.me. These servers hosted exploit kit components targeting vulnerabilities in Adobe Flash, PDF readers, and Internet Explorer; both the Nuclear and Fiesta exploit kits were observed in the attack chain. Malwarebytes Anti-Exploit intercepted the exploitation attempts during analysis.


The final payload delivered was identified as the Zemot Trojan (detected as Trojan.Agent.BPEN), which established communication with command-and-control servers at warzine.su and wildkit.su. Other domains observed in the chain included pubads.g.doubleclick.net, Google's legitimate DoubleClick ad server, which appears only because the malicious creative was delivered through it rather than because it was attacker-controlled, and domainsfullkolls.biz, a domain whose operational ties to the exploit kits were unclear. The campaign used a geo-targeting script at amazon.wiab-service.se/geobalancer/geo2.php to route visitors to the exploit landing page based on their location. Researchers confirmed The Jerusalem Post was similarly affected after initial findings focused on The Times of Israel, which attracted approximately 12 million monthly visitors, primarily from the United States. Malwarebytes Labs notified both media organizations of the ongoing malvertising activity to facilitate mitigation. Impact analysis indicated that a successful infection would have given attackers remote control of the victim's system, though specific victim statistics and any operational disruption to the newspapers were not disclosed in available reports.
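The two detection opportunities in this chain are the brand-impersonating hostname (amazon.wiab-service.se is not an Amazon domain, whatever its first label says) and the known exploit-kit and C2 domains. The Python below is an added example, not code from the original report or from Malwarebytes: it parses a simplified proxy log, walks Referer links backwards to reconstruct the redirect chain for one client, and flags hosts that either appear on the IoC list named above or place a brand name under a registered domain the brand does not own. The log format (timestamp, client IP, referer, URL), the sample log lines, the brand-to-owned-domain mapping, and the URL paths on the IoC hosts are all assumptions constructed for the example; only the domain names themselves come from the report.

```python
"""Reconstruct a malvertising redirect chain from proxy logs and flag
brand-lookalike hosts and known exploit-kit / C2 domains.

Added example, not from the original report. The log format and the log
lines below are constructed; the IoC list uses the domains the report names.
"""
from urllib.parse import urlsplit

# Brand labels that should only ever appear under domains the brand owns.
# Assumed mapping for the example; a real deployment would use a curated list.
BRANDS = {
    "amazon": {"amazon.com", "amazonaws.com"},
    "google": {"google.com", "googletagservices.com", "doubleclick.net"},
}

# Domains the report names as exploit-kit landing or C2 infrastructure.
IOC_DOMAINS = {"oppieposmedism.uni.me", "warzine.su", "wildkit.su"}

# Constructed sample proxy log: epoch timestamp, client IP, referer ("-" if none), URL.
# Paths on the attacker hosts are placeholders, not observed values.
SAMPLE_LOG = """\
1411036801 10.0.0.5 - http://www.timesofisrael.com/example-article/
1411036802 10.0.0.5 http://www.timesofisrael.com/example-article/ http://www.googletagservices.com/tag/js/gpt.js
1411036802 10.0.0.5 http://www.timesofisrael.com/example-article/ http://pubads.g.doubleclick.net/gampad/ads?sz=300x250
1411036803 10.0.0.5 http://pubads.g.doubleclick.net/gampad/ads?sz=300x250 http://static.the-button.com/ad.js
1411036804 10.0.0.5 http://static.the-button.com/ad.js http://amazon.wiab-service.se/geobalancer/geo2.php
1411036805 10.0.0.5 http://amazon.wiab-service.se/geobalancer/geo2.php http://oppieposmedism.uni.me/
1411036810 10.0.0.5 - http://warzine.su/
"""


def parse_log(text):
    """Parse the simplified log into dicts; a referer of '-' becomes None."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, referer, url = line.split(maxsplit=3)
        entries.append({"ts": int(ts), "client": client,
                        "referer": None if referer == "-" else referer,
                        "url": url})
    return entries


def registered_domain(host):
    """Last two labels of the hostname. A real tool would use the Public
    Suffix List; two labels are enough for the hosts in this example."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_lookalike(host):
    """Return the brand a hostname impersonates: a brand name appears in one of
    its labels but the registered domain is not one the brand owns. None if clean."""
    reg = registered_domain(host)
    labels = host.lower().split(".")
    for brand, owned in BRANDS.items():
        if reg in owned:
            continue
        if any(brand in label for label in labels):
            return brand
    return None


def redirect_chain(entries, client, final_url):
    """Walk Referer links backwards from final_url for one client, returning the
    URLs in the order the browser loaded them. Stops at the first request that
    had no referer or on a referer loop."""
    by_url = {e["url"]: e for e in entries if e["client"] == client}
    chain = [final_url]
    seen = {final_url}
    cur = by_url.get(final_url)
    while cur and cur["referer"] and cur["referer"] not in seen:
        chain.append(cur["referer"])
        seen.add(cur["referer"])
        cur = by_url.get(cur["referer"])
    chain.reverse()
    return chain


def chain_hosts(entries, client, final_url):
    """Hostnames along the reconstructed redirect chain."""
    return [urlsplit(u).hostname for u in redirect_chain(entries, client, final_url)]


def find_suspicious(entries):
    """(timestamp, host, reason) for every request hitting an IoC domain or a
    brand-lookalike host, in log order."""
    findings = []
    for e in entries:
        host = urlsplit(e["url"]).hostname or ""
        if host in IOC_DOMAINS:
            findings.append((e["ts"], host, "known exploit-kit/C2 domain"))
        brand = brand_lookalike(host)
        if brand:
            findings.append((e["ts"], host, f"impersonates {brand}"))
    return findings


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ts, host, why in find_suspicious(log):
        print(f"{ts} {host}: {why}")
    print(" -> ".join(chain_hosts(log, "10.0.0.5", "http://oppieposmedism.uni.me/")))
```

Note that pubads.g.doubleclick.net and www.googletagservices.com are not flagged: their registered domains belong to Google, so they sit in the chain as the legitimate delivery path, exactly as in the incident. The lookalike check fires only when a brand label is placed under a domain the brand does not own, which is what amazon.wiab-service.se does.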

Sources: 1 source (available to members)