Cyber security researchers at ESET have discovered a new exploit kit spreading through the internet via malicious ads on high traffic, reputable websites. ESET’s detection systems show that in the last two months malicious content has been displayed to more than a million users across the world, including Australia.
Cybercriminals have been targeting users of Internet Explorer and scanning their computers for vulnerabilities in Flash Player, with the scheme detected since at least early October 2016. Hackers have been attempting to remotely download and execute various types of malware through the loophole exploits.
These newly identified attacks fall into the category of ‘malvertising’ due to the distribution of their malicious code through advertising campaigns.
Malvertising spreading the Stegano exploit kits
The series of malicious ads redirecting to this exploit kit look to leverage Flash vulnerabilities, and victims may have been infected through malvertising promoting applications such as “Browser Defence” and “Broxu”.
The malicious exploit kit is called “Stegano”, referring to steganography – a technique e-criminals use to hide parts of their malicious code in the pixels of an advertisements’ banner images. These advertising banners contain “poisoned pixels”, enabling the e-criminals to remotely install malware onto victims’ computers. The victim doesn’t even need to click on the malicious ad content; all it takes is to visit a website displaying it. Worse, if the victim’s computer runs a vulnerable version of Flash Player, the machine will be compromised automatically.
Once infected, malware of the cybercriminal’s choice is downloaded on to the victim’s computer and executed. Examples analysed by ESET’s research team include banking Trojans, backdoors and spyware, but victims could end up facing a ransomware attack as well.
“The Stegano exploit kit once again reinforces the necessity of keeping your operating system and application software fully patched and as up-to-date as possible. Aside from only targeting systems using specific web browsers and outdated Flash versions, Stegano expends extensive effort to avoid running on typical security researcher computers, whether virtual, sandbox or a standard “infectible” machine. This is all part of its plan to avoid initial detection and complicate ongoing monitoring and research, thereby increasing the profit for the cybercriminals behind this exploit kit,” says Nick FitzGerald, Senior Research Fellow at ESET.
For this current cybercrime campaign, attackers have improved their tactics significantly by targeting specific countries and by abusing the advertising networks. ESET has observed major domains, including news websites with millions of daily visitors, acting as “referrers” by hosting these advertisements.
How the Stegano Exploit Kit attack works
What to do if infected
- Check if you haven’t been infected by a malware by running a security update and patches.
- Change your login credentials and check for suspicious activity on some of your most sensitive accounts (e.g. fraudulent transactions in your online banking).
- Ensure you have a proper security solution customised to your devices and user habits to prevent attacks.
Recommendations from Nick FitzGerald, Senior Research Fellow, ESET
“As Australian web visitors have been specifically targeted in recent Stegano malvertising campaigns, Australian internet users who are unsure of the automatic patching of their systems should check they have all the latest security patches installed and that their security software is properly updated and configured. Users of security solutions other than ESET’s might wish to get a second opinion from the ESET Online Scanner.”
If you would like more information on this attack, please visit ESET’s blog for a technical deep dive of the attack and an interview with an ESET security researcher.
About ESET
Since 1987, ESET has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.
