
Millions of users possibly compromised by newly discovered Stegano malvertising campaign

Millions of readers have been targeted while visiting popular websites by a series of malicious ads that redirect to an exploit kit abusing several Flash Player vulnerabilities. Since the beginning of October, users may have encountered ads promoting applications called "Browser Defence" and "Broxu", using the following banners:


These advertisement banners were hosted on the attacker-controlled domains hxxps://browser-defence.com and hxxps://broxu.com.
Without requiring any user interaction, the initial script reports information about the victim's machine to the attacker's remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious "evil twin".
The malicious version of the graphic has a script encoded in its alpha channel, which defines the transparency of each pixel. Because the modification is confined to small changes in transparency, the final picture's colour tone differs only slightly from that of the clean version:
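The alpha-channel trick described above, shown as an added example (this is not the kit's code and not code from the original post). It hides a string in the least significant bit of each pixel's alpha byte in an RGBA buffer laid out the way canvas `getImageData().data` returns it, reads it back the way a banner script would after drawing the image to a canvas, and includes the defender-side comparison of a suspected evil twin against the clean reference. The one-bit-per-pixel LSB scheme, the NUL terminator, the `makeCleanImage`/`embedInAlpha`/`extractFromAlpha`/`alphaDiff` names and the constructed image are all assumptions for illustration; the kit's actual encoding is not reproduced here.

```javascript
// Added example, not the Stegano kit's code. Assumed scheme: one payload bit per pixel,
// stored in the least significant bit of the alpha byte, 8 pixels per character, NUL-terminated.
// The buffer layout (R,G,B,A per pixel, Uint8ClampedArray) matches canvas getImageData().data.

const TERMINATOR = 0x00;

// Constructed "clean" banner: width*height fully opaque pixels with a deterministic colour pattern.
function makeCleanImage(width, height) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < width * height; i++) {
    data[i * 4] = (i * 7) & 0xff;      // R
    data[i * 4 + 1] = (i * 13) & 0xff; // G
    data[i * 4 + 2] = (i * 29) & 0xff; // B
    data[i * 4 + 3] = 255;             // A: fully opaque
  }
  return data;
}

// Produce the "evil twin": copy the buffer and overwrite the alpha LSB of successive pixels
// with the payload bits. Alpha changes by at most 1 (255 -> 254), which is invisible to the eye.
function embedInAlpha(rgba, text) {
  const bytes = [];
  for (let i = 0; i < text.length; i++) bytes.push(text.charCodeAt(i) & 0xff);
  bytes.push(TERMINATOR);
  const capacity = Math.floor(rgba.length / 4 / 8); // characters that fit in this image
  if (bytes.length > capacity) throw new Error('payload too large for image');
  const out = new Uint8ClampedArray(rgba);
  bytes.forEach((byte, bi) => {
    for (let bit = 0; bit < 8; bit++) {
      const alphaIdx = (bi * 8 + bit) * 4 + 3;
      const b = (byte >> (7 - bit)) & 1; // MSB first
      out[alphaIdx] = (out[alphaIdx] & 0xfe) | b;
    }
  });
  return out;
}

// The browser-side decoder loop: a banner script would obtain `rgba` via
// ctx.drawImage(img, 0, 0); ctx.getImageData(0, 0, w, h).data; and then run this.
// On a clean image there is no terminator, so it simply returns the (meaningless) bit soup.
function extractFromAlpha(rgba) {
  let text = '';
  const pixels = rgba.length / 4;
  for (let bi = 0; bi * 8 + 7 < pixels; bi++) {
    let byte = 0;
    for (let bit = 0; bit < 8; bit++) {
      byte = (byte << 1) | (rgba[(bi * 8 + bit) * 4 + 3] & 1);
    }
    if (byte === TERMINATOR) break;
    text += String.fromCharCode(byte);
  }
  return text;
}

// Defender check: compare the alpha channel of a suspected twin with the clean reference.
// Many pixels differing by exactly 1 in alpha only (RGB untouched) is the signature of this trick.
function alphaDiff(reference, suspect) {
  if (reference.length !== suspect.length) throw new Error('size mismatch');
  let changed = 0, maxDelta = 0;
  for (let i = 3; i < reference.length; i += 4) {
    const d = Math.abs(reference[i] - suspect[i]);
    if (d) { changed++; maxDelta = Math.max(maxDelta, d); }
  }
  return { changed, maxDelta };
}

// Usage on the constructed image; 'alert(1)' stands in for a real payload.
const clean = makeCleanImage(64, 64);
const evilTwin = embedInAlpha(clean, 'alert(1)');
console.log(extractFromAlpha(evilTwin)); // alert(1)
console.log(alphaDiff(clean, evilTwin)); // { changed: 45, maxDelta: 1 }
```

Two practical caveats: `getImageData` throws a SecurityError on a canvas tainted by a cross-origin image, so the decoding script and the image have to be served in a way that avoids that restriction (here they came from the same attacker-controlled domain). For detection, a pixel-wise diff against the creative the ad network approved, as in `alphaDiff`, is far more reliable than eyeballing the banner, since RGB is untouched and alpha moves by a single unit.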

Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded script attempts to verify that it is not being run in a monitored environment, such as a malware analyst's machine.
If the script does not detect any signs of monitoring, it redirects to the Stegano exploit kit's landing page via the TinyURL service. The landing page loads a Flash file that is able to exploit three different vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the version of Flash Player found on the victim's system.

Upon successful exploitation, the executed shellcode collects information on installed security products and performs yet another check to verify that it is not being monitored; the operators behind this attack are clearly paranoid about sandboxes. If the results are favourable, it attempts to download the encrypted payload from the same server, disguised as a GIF image.
The payload is then decrypted and launched via regsvr32.exe or rundll32.exe. Payloads observed so far include backdoors, banking trojans, spyware, file stealers and various trojan downloaders.

Technical analysis of the Stegano exploit kit:

An earlier variant of this stealthy exploit pack has been hiding in plain sight since 2014, when we spotted it targeting Dutch users. In spring 2015 the attackers focused on the Czech Republic, and they have now shifted their focus to Canada, Britain, Australia, Spain, India and Italy.
In the earlier campaigns, in an effort to pass as an advertisement, the exploit kit used domain names starting with "ads*." and URIs containing watch.flv, media.flv, delivery.flv, player.flv or mediaplayer.flv.
In the current campaign they have improved their tactics significantly. The exploit pack's targeting of specific countries appears to be a consequence of which advertising networks the attackers were able to abuse.

Even some of the other major exploit kits, such as Angler and Neutrino, are outclassed by the Stegano kit in terms of referrers, i.e. the websites onto which the attackers managed to get the malicious banners installed. We have observed major domains, including news websites visited by millions of people every day, acting as referrers hosting these advertisements.
When the browser loads the advertising slot, it displays an ordinary-looking banner to the observer. There is, however, a lot more to it than advertising.

Stegano is effective because it preys on some of the most common assumptions in the digital world today: that users don't need to update their software; that (some) ad networks don't need to carefully screen the ads they serve; and that security researchers can detect all malware by taking known, standardized precautions to run a "clean" machine for research purposes. Sometimes these assumptions hold, but most of the time they ignore the investments that need to be made in online security.

Here are a few tips to protect yourself from sophisticated malvertising campaigns like Stegano.
