Security firm ESET has reported that millions of users have been exposed to malicious code served from the pixels in compromised banner ads. The end goal of the operation was the installation of Trojans and spyware on targeted systems.
The campaign, dubbed Stegano, has been spreading malicious ads through many reputable news sites. The attackers target Internet Explorer users and probe for vulnerable versions of Adobe Flash.
More specifically, the attackers use a known Internet Explorer vulnerability, CVE-2016-0162, through which the encoded script checks whether it is running in a monitored environment such as a malware analyst's machine, researchers say.
If the script detects no signs of monitoring, it redirects to the Stegano exploit kit's landing page via the TinyURL service. The landing page loads a Flash file able to exploit one of three different vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the version of Flash found on the victim's system.
The malware installed in these attacks can steal email credentials with the help of its keylogging and screenshot-grabbing features. What is worse is that the attack is hard to detect. To deliver the infection, the attackers poisoned the pixels of the ad images themselves: the malicious code was hidden in the values controlling each pixel's transparency (the alpha channel) of the banner, so the image looked and rendered like a normal ad. This is how the campaign went unnoticed by the legitimate advertising networks that served it.
This delivery scenario is what is known as the Stegano exploit kit.
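To make the transparency trick concrete, here is an added example (not ESET's code and not the exact encoding the Stegano kit used) of hiding a script in an image's alpha channel and reading it back. It models an image as a list of RGBA tuples, lowers each pixel's alpha from fully opaque by one 4-bit nibble of the payload so the banner stays visually opaque, and includes the kind of check a defender can run over ad creatives: a fully opaque banner should have almost no alpha values between 0 and 255. The sample image and payload are constructed for the demo; in the real campaign the decoder was JavaScript inside the ad reading the rendered pixel data.

```python
"""Alpha-channel steganography, modelled on the Stegano banner-ad technique.

Each pixel is (R, G, B, A). The payload is spread over the alpha byte:
alpha = 255 - nibble, so every carrier pixel stays in 240..255 and the
image remains visually opaque. A 4-byte big-endian length prefix tells the
decoder where the payload ends. This scheme is an assumption for the demo,
not the exact encoding used by the Stegano kit.
"""
from typing import List, Tuple

Pixel = Tuple[int, int, int, int]

# Constructed sample data: a 20x20 opaque red banner and a benign script.
CLEAN: List[Pixel] = [(200, 30, 30, 255)] * 400
PAYLOAD: bytes = b"console.log('stegano demo')"


def embed(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Return a copy of pixels carrying payload in the alpha channel.

    Two pixels carry one byte: high nibble first, then low nibble.
    """
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 2 > len(pixels):
        raise ValueError("image too small for payload")
    nibbles = []
    for b in data:
        nibbles.append(b >> 4)
        nibbles.append(b & 0x0F)
    out = list(pixels)
    for i, n in enumerate(nibbles):
        r, g, b, _ = out[i]
        out[i] = (r, g, b, 255 - n)  # alpha 240..255: invisible to the eye
    return out


def extract(pixels: List[Pixel]) -> bytes:
    """Recover the payload embedded by embed(); raises if pixels are not a carrier."""

    def nibble(i: int) -> int:
        a = pixels[i][3]
        n = 255 - a
        if n > 15:
            raise ValueError(f"pixel {i} alpha={a} is outside the carrier range")
        return n

    def byte_at(i: int) -> int:
        return (nibble(2 * i) << 4) | nibble(2 * i + 1)

    length = int.from_bytes(bytes(byte_at(i) for i in range(4)), "big")
    if 4 + length > len(pixels) // 2:
        raise ValueError("declared length exceeds image capacity")
    return bytes(byte_at(i) for i in range(4, 4 + length))


def alpha_anomaly_ratio(pixels: List[Pixel]) -> float:
    """Detection heuristic: fraction of pixels whose alpha is neither 0 nor 255.

    Legitimate opaque banners have (almost) none; a carrier built like the
    one above has one such pixel for every non-zero payload nibble.
    """
    odd = sum(1 for (_, _, _, a) in pixels if a not in (0, 255))
    return odd / len(pixels)


if __name__ == "__main__":
    carrier = embed(CLEAN, PAYLOAD)
    print("recovered:", extract(carrier))
    print("clean anomaly ratio:  ", alpha_anomaly_ratio(CLEAN))
    print("carrier anomaly ratio:", alpha_anomaly_ratio(carrier))
```

The anomaly ratio is deliberately crude: it will also flag genuinely semi-transparent creatives, so in practice it is a triage signal for ad-network review rather than a block rule, and a real pipeline would look at the distribution of alpha values (a spike in the 240..254 band on an otherwise opaque image) instead of a single count.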
ESET's researchers write: "An earlier variant of this stealthy exploit pack has been hiding in plain sight since at least late 2014, when we spotted it targeting Dutch customers. In spring 2015 the attackers focused on the Czech Republic and now they have shifted their focus onto Canada, Britain, Australia, Spain and Italy."
In this campaign, the criminals have improved their tactics. They are now able to target specific countries thanks to the legitimate ad networks they were able to compromise.
Researchers even say that Stegano outclasses other major exploit kits such as Angler and Neutrino in terms of referrers, that is, the websites on which the attackers managed to place malicious banners. Researchers have seen major domains and news websites visited by millions of users daily acting as referrers that hosted the bad ads.
As for the payloads of the Stegano operation, researchers have observed the following malware being downloaded onto compromised PCs:
- Win32/TrojanDownloader.Agent.CFH
- Win32/TrojanDownloader.Dagozill.B
- Win32/GenKryptik.KUM
- Win32/Kryptik.DLIF
How can users stay protected against the Stegano exploit kit?
Because the operation relies on known, already-patched vulnerabilities, users should only run fully patched software (in this case Internet Explorer and Adobe Flash in particular). Running a reputable internet security solution is also a must.