The importance of ensuring browsers and plugins are kept up to date has been highlighted by the discovery of a malvertising campaign that is targeting readers of popular news websites such as Yahoo and MSN.
In the past two months, millions of individuals have been exposed to malicious adverts which automatically redirect users to websites where malware is downloaded.
The campaign – termed Stegano – is being used to distribute a range of malware and spyware including keystroke loggers and Trojans. The aim of the attackers is to capture email login credentials and other sensitive information that can be used for further attacks.
The campaign uses a technique called steganography – the hiding of messages (or code) inside images. In this case, malicious scripts are embedded in the data that controls the transparency of images displayed by third-party advertising networks on popular websites.
The inclusion of the code changes the appearance of the banner images making them appear slightly pixelated, although the change is hardly noticeable to an untrained eye. Unlike other malvertising campaigns that require the user to click on the advert in order to be redirected to a malicious website hosting an exploit kit, this campaign redirects the user automatically.
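As an added example (not code from the original article or from the researchers who reported the campaign), a defender-side heuristic for the transparency trick described above: it flags an RGBA banner whose partially transparent pixels show noise-like jumps in alpha rather than the smooth values a gradient or anti-aliased edge produces. The 2% threshold, the `min_jump` of 8, the constructed sample images and the function names are assumptions.

```python
"""Heuristic alpha-channel scan for ad creatives (added example, not from the article).

Assumption: a legitimate banner's alpha channel is fully opaque, fully
transparent, or smoothly varying (gradients, anti-aliased edges).  Data hidden
in the transparency values instead shows up as high-frequency noise among
partially transparent pixels, which is what this scan measures.
"""
from typing import List, Sequence, Tuple

Pixel = Tuple[int, int, int, int]  # (r, g, b, alpha), row-major order


def noisy_alpha_fraction(pixels: Sequence[Pixel], width: int, min_jump: int = 8) -> float:
    """Fraction of all pixels that are partially transparent and whose alpha
    differs from a partially transparent left neighbour by >= min_jump."""
    if width <= 0 or not pixels or len(pixels) % width:
        raise ValueError("pixel count must be a positive multiple of width")
    noisy = 0
    for i in range(1, len(pixels)):
        if i % width == 0:          # first column has no left neighbour
            continue
        a, left = pixels[i][3], pixels[i - 1][3]
        if 0 < a < 255 and 0 < left < 255 and abs(a - left) >= min_jump:
            noisy += 1
    return noisy / len(pixels)


def looks_like_alpha_stego(pixels: Sequence[Pixel], width: int, threshold: float = 0.02) -> bool:
    """Assumed threshold: anti-aliased edges rarely cover more than ~2% of a banner."""
    return noisy_alpha_fraction(pixels, width) > threshold


def make_sample(width: int = 32, height: int = 8, stego: bool = False) -> List[Pixel]:
    """Constructed 32x8 banner: a smooth horizontal fade in alpha; with stego=True,
    rows 2-5 get deterministic pseudo-random alpha jitter standing in for hidden data."""
    pixels: List[Pixel] = []
    for y in range(height):
        for x in range(width):
            alpha = 255 - 4 * x                         # 255 .. 131, steps of 4
            if stego and 2 <= y <= 5:
                alpha = 254 - ((37 * x + 11 * y) % 24)  # 231 .. 254, jumps of 11 or 13
            pixels.append((200, 30, 30, alpha))
    return pixels


if __name__ == "__main__":
    for flag in (False, True):
        img = make_sample(stego=flag)
        print("stego" if flag else "clean", round(noisy_alpha_fraction(img, 32), 3),
              looks_like_alpha_stego(img, 32))
```

To scan a real creative, pass `list(Image.open(path).convert("RGBA").getdata())` and `Image.open(path).width` from Pillow; tune the threshold against your own clean banners before alerting on it.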
The campaign is highly targeted to prevent discovery by security researchers. Checks are performed to prevent Stegano from running in virtual environments or sandboxes, and scans are performed to assess the security software used to protect each device.
The campaign is being used to target individuals using Internet Explorer with unpatched Adobe Flash versions containing one of three vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117).
The ad banners – which display images of security products such as ‘Browser Defense’ and ‘Broxu’ – will only be displayed if Stegano determines that it is not under surveillance and if the vulnerabilities exist.
The banner ads contain a 1-pixel iframe containing malicious code. The pixel is displayed off screen to avoid detection and will redirect the user to a website hosting an exploit kit where malware will be silently downloaded. The campaign is currently being used to distribute keystroke loggers from the Ursnif family and the Ramnit malware. The former can steal any information from an infected computer, including keystrokes and files. However, an infected computer could also be compromised by other malicious payloads such as backdoors which give the attackers access to the device.
Organizations can protect themselves against attack by ensuring the latest version of IE is installed and ensuring that plugins and browsers are patched promptly.