In a 17 November blog post, Trend Micro says criminals are using the FlashPack exploit kit to target corporate users who download apps supported by adverts. The ads secretly infect victims with a range of malware and ransomware, without the users clicking on malicious links or visiting unsafe websites.
Trend has seen attacks being funnelled through three specific malicious domains, with the vast majority of victims so far based in the US.
But a campaign to plant the DOFOIL malware, which Trend says is “currently active in the wild”, has also targeted users in the UK and EMEA region, who make up over 17 percent of known victims.
Trend says DOFOIL is known for capabilities such as connecting to C&C URLs, dropping files and detecting sandboxes.
The company warns: “Ad-enabled free applications pose a serious threat to users and enterprises, as attackers leverage this to distribute threats like ransomware and DOFOIL. This may lead to system infection and possible information and data theft.”
Describing the attack method, Trend senior malware researcher, David Sancho, told SCMagazineUK.com: “The big deal about it is you aren't actually opening your browser and getting infected, or going to pages that might be infectious. Just by using web applications that are free because they are subsidised with ads, you might be being infected.”
Sancho said non-mobile-based apps typically come in free – and dangerous – ad-supported versions, or paid-for ‘professional' versions that contain no ads and present no threat.
Corporations can suggest users avoid free apps and monitor their use, but Sancho points out this doesn't always work.
He told SC: “The corporation can say ‘before you guys go to the internet, do not use these kind of applications, do not use your corporate computers this way and that way'. That's good and nice. It covers the legal bases, but at the end of the day it does not prevent malware.
“What corporations need to do is start looking for all those connections to ‘dodgy advertising network.com' directly and stop them, to catch those malicious connections to C&Cs or ad networks.”
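Sancho's suggestion above is to hunt for the outbound connections themselves rather than rely on usage policy: the ad-supported application, not a browser, makes the request, so the user-agent and the destination are the tell-tales. The following is an added example (not Trend Micro's or SC Magazine's code) that runs that check over constructed proxy log lines. The log format, the domains in `BLOCKLIST` and the sample lines are all made up for illustration; real indicators would come from the Trend post or a threat-intel feed, and the three malicious domains Trend mentions are not reproduced here. It matches destination hosts against the blocklist on a label boundary (so `notads-cdn.example.net` does not match `ads-cdn.example.net`) and flags whether the requesting user-agent looks like a browser.

```python
"""Flag proxy-log connections to blocklisted ad-network / C&C domains.

Added example, not code from the original article or from Trend Micro.
The log format, BLOCKLIST entries and SAMPLE_LOG lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Hypothetical blocklist of ad-network and C&C domains (made up for this example).
BLOCKLIST = frozenset({
    "dodgy-advertising-network.example",
    "ads-cdn.example.net",
})

# Constructed proxy log format: timestamp client method url "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"\s*$'
)

# Constructed sample log: one browser request to a legitimate site, one request by a
# non-browser app to an ad CDN, one browser POST to a C&C-style gate, and one
# request to a look-alike domain that must NOT match.
SAMPLE_LOG = """\
2014-11-18T09:12:01Z 10.0.0.21 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
2014-11-18T09:12:07Z 10.0.0.21 GET http://static.ads-cdn.example.net/banner.swf "FreeVideoTool/2.1"
2014-11-18T09:13:44Z 10.0.0.35 POST http://dodgy-advertising-network.example/gate.php "Mozilla/4.0 (compatible; MSIE 7.0)"
2014-11-18T09:14:02Z 10.0.0.35 GET http://cdn.notads-cdn.example.net/update.json "FreeVideoTool/2.1"
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    host: str
    matched: str      # blocklist entry that matched
    user_agent: str
    browser: bool     # False means a non-browser application made the connection


def matched_domain(host: str, blocklist: Iterable[str]) -> Optional[str]:
    """Return the blocklist entry that host equals or is a subdomain of, else None.

    Matching on a label boundary avoids the substring false positive where
    'notads-cdn.example.net' contains 'ads-cdn.example.net'.
    """
    host = host.lower().rstrip(".")
    for d in blocklist:
        if host == d or host.endswith("." + d):
            return d
    return None


def is_browser_ua(ua: str) -> bool:
    """Crude heuristic: mainstream browsers send a 'Mozilla/'-prefixed user-agent."""
    return ua.startswith("Mozilla/")


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: Iterable[str], blocklist: Iterable[str]) -> List[Alert]:
    """Return one Alert per log line whose destination host is blocklisted."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        hit = matched_domain(host, blocklist)
        if hit:
            alerts.append(Alert(rec["ts"], rec["client"], host, hit,
                                rec["ua"], is_browser_ua(rec["ua"])))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines(), BLOCKLIST):
        kind = "browser" if a.browser else "non-browser app"
        print(f"{a.ts} {a.client} -> {a.host} (matches {a.matched}; {kind}: {a.user_agent})")
```

Against the constructed log this raises two alerts: the `FreeVideoTool/2.1` request to the ad CDN, which is exactly the "infected without opening a browser" case Sancho describes, and the browser POST to the C&C-style domain; the look-alike `cdn.notads-cdn.example.net` is correctly left alone. In practice the same logic sits in a proxy or SIEM rule, and the non-browser hits are the ones to triage first.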
In its blog, Trend says the malicious URL distributing CryptoWall and other ransomware uses an exploit for CVE-2014-0515, the Adobe Flash Player vulnerability that was exploited as a zero-day earlier in 2014. Adobe patched it in April 2014, so the exploit succeeds only against users who have not updated Flash, which is why keeping browser plug-ins current matters here.
Trend also says the malvertising attacks are continuing to evolve, with new landing domains registered in the last two to three weeks and a new ad-enabled application, named Camfrog, which points to DOFOIL.
Commenting on the findings, UK-based security expert Ben Densham, CTO at Nettitude, agreed with Trend's warning.
He told SCMagazineUK.com via email: "Ad-enabled free applications will present a serious threat to users and organisations. Malicious users will use these, and many other methods, to tempt users into downloading ransomware, malware and Trojans.”
To combat this, Densham said companies need to “prevent browsers from accessing unauthorised sites, foil attempts to install or run unexpected code locally and educate website developers about the dangers of using free plugins or apps (especially if they are ad-based) within their corporate websites.”
He added: "This is a serious threat, but not one that can't be managed via existing security controls – if implemented effectively. The interesting aspect here is that new channels of tempting users are being exploited. As long as these remain effective, the bad guys will continue to find and use them."
Meanwhile, a member of the Malwarebytes research team told SCMagazineUK.com via email: “FlashPack is a serious threat, not only to enterprises of all sizes but also to SMBs and home users. Exploits have a high success rate against traditional anti-virus, even enterprise versions, so are increasingly favoured as an attack vector.
“All it takes is a staff member with outdated software to navigate to one of the sites running the malvertising, and it could lead to compromise. Traditional enterprise end-point protection is often not good enough to address this threat.”
Malwarebytes said its data confirms the vast majority of infections from the FlashPack kit are coming through malvertising, and that the US is a popular target.
Trend advises companies to ensure users use only approved web browsers and keep them updated; and to check the security of any third-party software loaded by the browser, such as Java, Flash, WinZip and Adobe Acrobat.
It also advises: “End-users are recommended to be cautious with the applications that they install. Similarly, in the enterprise setting, employees should be educated on what kind of applications can be installed on their desktops.
“If possible, create IT policies (like acceptable usage policies) that could be drafted by their internal governing bodies, such as their InfoSec department.”