Novel malvertising attack leads to drive-by ransomware

A new malvertising attack, constructed around the Magnitude exploit kit, is using a novel technique to push users to sites where they can be attacked with a drive-by download.


Zscaler researchers explained on the company's blog that they have seen a large number of sites, dressed up as search engines, that lead to malicious content, including sites hosting the Magnitude Exploit Kit.

The biggest offender, it said, is click2.systemaffiliate.com, operated by the ad network Sunlight Media, and Zscaler provides many examples to back up the claim.

The malvertising networks lead to redirector domains, which send the user on to the target site using "302 cushioning", a technique that chains HTTP 302 redirects across intermediate domains to evade intrusion detection and prevention systems.
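As an added example (not code from Zscaler or from the article), the script below shows what the redirect-chain pattern described above looks like from the defender's side: it reconstructs per-client redirect chains from proxy log lines and flags runs of 302 responses that hop across several unrelated hosts before landing on a 200. The log format, all hostnames and the thresholds (`min_hops`, the number of distinct hosts) are assumptions made for illustration, and the sample log is constructed, not captured traffic.

```python
"""Added example, not code from Zscaler or the article: reconstruct HTTP
redirect chains from proxy logs and flag the "302 cushioning" pattern,
a run of 302 redirects across unrelated domains that ends on a landing
page. The log format and all hostnames are constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample log (not real traffic). Fields: timestamp, client IP,
# method, requested URL, response status, Location header ('-' if absent).
SAMPLE_LOG = """\
2015-03-10T10:00:01Z 10.0.0.5 GET http://click2.adnet.test/ad?id=17 302 http://redir-one.test/go
2015-03-10T10:00:01Z 10.0.0.5 GET http://redir-one.test/go 302 http://redir-two.test/r?k=9
2015-03-10T10:00:02Z 10.0.0.5 GET http://redir-two.test/r?k=9 302 http://ek.shadowed-sub.example.test/index.php
2015-03-10T10:00:02Z 10.0.0.5 GET http://ek.shadowed-sub.example.test/index.php 200 -
2015-03-10T10:05:00Z 10.0.0.7 GET http://www.shop.test/ 302 http://www.shop.test/home
2015-03-10T10:05:00Z 10.0.0.7 GET http://www.shop.test/home 200 -
2015-03-10T10:06:00Z 10.0.0.7 GET http://cdn.shop.test/app.js 200 -
"""


@dataclass
class Request:
    ts: str
    client: str
    url: str
    status: int
    location: str


def parse_log(text):
    """Parse the constructed space-separated format into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, location = line.split()
        reqs.append(Request(ts, client, url, int(status), location))
    return reqs


def host(url):
    return (urlsplit(url).hostname or "").lower()


def build_chains(reqs):
    """Group each client's requests into chains by following Location headers.

    A chain continues when a client's next request is exactly the URL the
    previous response redirected it to; anything else starts a new chain."""
    chains = []
    pending = {}  # client -> (URL the next request should hit, chain so far)
    for r in reqs:
        expected_url, chain = pending.pop(r.client, (None, None))
        if expected_url != r.url:
            if chain:  # the client never followed the earlier redirect
                chains.append(chain)
            chain = []
        chain.append(r)
        if r.status in REDIRECT_STATUSES and r.location != "-":
            pending[r.client] = (r.location, chain)
        else:
            chains.append(chain)
    chains.extend(chain for _, chain in pending.values())
    return chains


def is_cushioned(chain, min_hops=2):
    """True for a chain with at least `min_hops` 302 hops, spanning at least
    min_hops + 1 distinct hosts, that ends on a 200 rather than another
    redirect. Thresholds are assumptions; tune them against your traffic."""
    hops = [r for r in chain if r.status == 302]
    hosts = {host(r.url) for r in chain}
    return (len(hops) >= min_hops
            and len(hosts) > min_hops
            and chain[-1].status == 200)


def find_cushioning(log_text, min_hops=2):
    """Return the flagged chains as lists of URLs, in log order."""
    return [[r.url for r in chain]
            for chain in build_chains(parse_log(log_text))
            if is_cushioned(chain, min_hops)]


if __name__ == "__main__":
    for chain in find_cushioning(SAMPLE_LOG):
        print("302 cushioning chain:", " -> ".join(chain))
```

On the constructed log the first client's four requests are reported as one cushioned chain, while the second client's same-host 302 (a normal login or locale redirect) is not. The point of keying on the chain rather than on any single response is that each individual 302 is unremarkable to a signature-based IDS/IPS; it is the sequence across unrelated hosts that is abnormal.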

At the target site, Magnitude delivers both a malicious Flash payload and a heavily obfuscated JavaScript payload that exploits the MS13-009 Microsoft Internet Explorer COALineDashStyleArray integer overflow.

In another new development, according to Zscaler, the attackers delay delivery of the malware itself and instead serve a shellcode payload first. The shellcode uses urlmon.dll to download from a predefined list of URLs, one of which delivers CryptoWall 3.0.

Zscaler described CryptoWall 3.0 as a “highly profitable ransomware payload”. The perpetrators demand payment in Bitcoin via the Tor anonymity network.

“Threat actors utilise this method of collection because it can't be reliably traced back to them. Victims are especially vulnerable to this type of extortion since very few people seem to back up their critical files such as documents and pictures,” a spokesperson for Zscaler commented.

Wim Remes, manager of strategic security services, Rapid7, told SCMagazineUK.com that the use of the 302 redirect message to circumvent IPS/IDS and other security technology is a novel development on an old attack method. “The direct threat is that adversaries are able to leverage this technology to compromise organisations and deliver crypto-locking malware at scale while detection technologies will not pick the threat up,” he said.

While end-users could try to filter out all advertisements or lock down their content filtering, he suggested more sophisticated solutions may be required. “The best way to address this type of threat is to focus on detective controls and identifying abnormal traffic or anomalous behaviour on the end points. Furthermore, limiting the impact of an eventual compromise can only be done by having a sound incident response plan that allows you to quickly contain the threat.”

Dave Ashton at security testing company Sec-1 commented: “Ransomware has been proven to be profitable to criminals. Add this to the fact that malvertising is an effective method of hitting a large and varied number of potential victims and it's unsurprising that they are continuing to utilise these tactics.”

Sec-1 has followed trends in ransomware for two decades, noting that as the threat has matured it has been packaged into toolkits that allow exploits to be chained and evasion tactics to be used.

“This 302 'cushioning' – what seems to be essentially 302 redirects over iframes – is a new technique, and when coupled with domain shadowing, also used by this toolkit, can lead to an effective compromise of a target,” he told SC.