Millions exposed to malvertising that hid attack code in banner pixels
A single pixel is enough to compromise your PC. Millions of people visiting mainstream websites may have been infected by malicious ad banners that embed attack code in individual pixels. A recent report by Security Affairs says that researchers from the security firm ESET dubbed the malvertising campaign “Stegano”, although it dates back to 2014. Since October, its stealthy operators have been displaying the ads on many highly reputable news sites with millions of daily visitors.
According to a report by Ars Technica, Stegano hides part of its malicious code in the parameters controlling the transparency of the pixels used to display banner ads. The embedded attack code changes the color or tone of the images only slightly, and the changes are almost invisible to the naked eye. According to the company, millions of daily visitors are exposed to this campaign.
“The malicious graphics version has a script concealed in the alpha channel, which defines the transparency of pixels, making it so difficult for even a sharp-eyed ad network to differentiate it from the clean version,” the report revealed.
Left: clean picture; Middle: picture with malicious content; Right: malicious version enhanced for illustrative purposes. (Image source: Ars Technica)
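As an added illustration (not code from the ESET report or from Ars Technica), here is the kind of defensive check an ad network could run on a decoded creative before serving it: profile the alpha channel of an RGBA pixel list and flag images whose transparency values are spread across many near-opaque levels rather than the handful a flat banner normally uses. The banner below is constructed inline; the "perturbed" variant only adds deterministic alpha noise to simulate the slight changes the article describes and encodes nothing.

```python
import math
from collections import Counter

# Constructed sample banner: 64x16 RGBA pixels, opaque blue with a transparent border
W, H = 64, 16

def clean_banner():
    """Clean creative: alpha is either 0 (border) or 255 (everything else)."""
    px = []
    for y in range(H):
        for x in range(W):
            border = x in (0, W - 1) or y in (0, H - 1)
            px.append((30, 90, 200, 0 if border else 255))
    return px

def perturbed_banner():
    """Same banner with alpha nudged down by 0..15 per opaque pixel using a
    deterministic pseudo-random pattern. This only simulates the slight,
    invisible transparency changes the article describes; it encodes nothing."""
    px = []
    for i, (r, g, b, a) in enumerate(clean_banner()):
        if a == 255:
            a = 255 - (((i * 2654435761) >> 4) & 15)
        px.append((r, g, b, a))
    return px

def alpha_profile(pixels):
    """Summarise the alpha channel: number of distinct alpha levels, fraction of
    pixels that are neither fully opaque nor fully transparent, and Shannon
    entropy (bits) of the alpha values."""
    n = len(pixels)
    counts = Counter(a for (_, _, _, a) in pixels)
    partial = sum(c for a, c in counts.items() if a not in (0, 255)) / n
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return len(counts), partial, entropy

def is_suspicious(pixels, max_distinct=8, max_partial=0.05):
    """Heuristic check (an assumption of this example, not ESET's method): flat
    banner art normally uses a handful of alpha levels (opaque, transparent, a
    few anti-aliased edges). Many near-opaque levels spread over most pixels is
    the pattern worth a closer look."""
    distinct, partial, _ = alpha_profile(pixels)
    return distinct > max_distinct and partial > max_partial

if __name__ == "__main__":
    for name, img in (("clean", clean_banner()), ("perturbed", perturbed_banner())):
        d, p, e = alpha_profile(img)
        print(f"{name}: {d} alpha levels, {p:.1%} partial, entropy {e:.2f} bits,"
              f" suspicious={is_suspicious(img)}")
```

Real creatives would be decoded from PNG into RGBA tuples first (for example with Pillow); the thresholds are starting points to tune against a corpus of known-clean banners.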
Researchers discovered that the code verifies whether the targeted browser is running on a real machine or in a virtual environment. After checking for a real environment and for other software commonly used to detect attacks, the script redirects the browser to a site hosting three exploits for Adobe Flash vulnerabilities.
“We can say that even some of the major exploit kits, like Angler and Neutrino, are outclassed by the Stegano kit in terms of referrals - the websites onto which they managed to get the malicious banners installed.” Continuing the analysis, the ESET researchers say: “We have observed major domains, including news websites visited by millions of people every day, acting as ‘referrers’ hosting these advertisements. Upon hitting the advertisement slot, the browser will display an ordinary-looking banner to the observer. There is, however, a lot more to it than advertising.”
The ads promote themselves as “Browser Defense” and “Broxu” and target users who visit the news sites using Internet Explorer. The script checks for the presence of sandboxing, packet capture and virtualization software and a variety of security products. A machine that does not have this software and does have a vulnerable Flash version is redirected to the exploit site, which may serve one of two malware families: Ursnif or a Ramnit variant. The Ursnif family is mainly made up of four modules: stealing e-mail credentials, keystroke logging, taking screenshots and videos, and acting as a backdoor. The Ramnit variant offers the same capabilities and mainly targets the banking sector.
The ESET report did not identify any of the sites that delivered the malicious ads, but it disclosed that the people exposed were concentrated in Canada, the UK, Spain, Italy and Australia, which are served by the affected ad network. Earlier versions of the campaign from 2014 and 2015 targeted people in the Netherlands and the Czech Republic. The exploited Flash vulnerabilities included CVE-2015-8641, CVE-2016-4117, and CVE-2016-1019.
To avoid becoming victims of the Stegano kit, or any other known exploit kit, users should keep their software and security solutions up to date and, more importantly, stay aware of the latest security threats that may compromise their privacy and data.
For a more in-depth analysis of the malware, refer to the original report.