Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Malvertising Campaign Leading To Zemot

September 19, 2014 - 2 min read

Malvertising has become a serious problem for advertisers and their clients alike. Times of Israel has been affected already by such an attack. During our analysis, we discovered multiple other legitimate websites affected by the same malvertising campaign. We have informed the website owners to take action. Below is a brief timeline of attack.



A legitimate site leveraging zedo advertisements is the first victim in this attack.  The malicious redirect chain goes to zedo[.]com which will redirect the user to static[.]thebutton[.]com/d2.php?ds=true&dr=.  



The Malicious Redirect chain timeline.


The obfuscated url that is being hidden is static[.]the-button[.]com



The next link in the redirection chain goes to a Swedish site.

The redirect chain then leads the victim to inter[.]wiab-service[.]se/geobalancer/geo2.php?acc=[xyz]
&nrk=.  This is the final redirect that takes the user to [xyz][.]uni[.]me/ site where the Exploit Kit (EK) and eventually payload are sent to the victim.




The Obfuscation here is the final link to the Nuclear Exploit Kit.




Part 1: Nuclear Exploit Kit


Part 2: Nuclear Exploit Kit

The whole purpose of this broad attack is to download the final payload which happens to be a variant of Zemot. It gets downloaded via a Kuluoz variant which has been tied to Zemot click fraud activity in the recent days.

Kuluoz/Zemot infection phone home activity.

If you are unfortunate to have visited one of the many sites which have been compromised by this threat, one strong indicator of infection will be the existence of a batch file which matches the below format:


This malvertising campaign has been highly effective thus far and no site, despite its good intentions, appears to be given any quarter.

Zscaler is actively monitoring this threat and notifying any sites of compromise.

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.