An exploit kit called Stegano is infecting select machines via malicious banner ads that, by conservative estimates, have been viewed by over a million users in just the last two months.
According to researchers at ESET, who disclosed the campaign today in a blog post and Q&A article, the malicious ads are difficult for security researchers to detect in part because the Stegano script is craftily hidden amongst coded parameters that govern the transparency of pixels in the ads. In other words, “there are advertising banners with ‘poisoned pixels' leading to a new exploit kit, intended to enable the bad guys to remotely install malware onto victims' computers,” said Robert Lipovsky, a senior malware researcher at ESET and the subject of the online Q&A. Such malware has typically included Gozi (aka Ursnif), a data-stealing spyware program, and Ramnit, a banking Trojan.
This particular form of steganography – the practice of hiding code inside images – slightly alters the original ad's appearance, changing its color tone and making it appear more pixilated than a clean version. But the difference is very subtle and not easily noticeable to ordinary users, who do not even have to click on the malicious ads to be victimised.
This not the first time an exploit kit has relied on steganography for reasons of stealth. In July, researchers at Proofpoint reported a malvertising campaign dubbed AdGholas that also used this technique, recruiting as many as one million client machines on a daily basis to infect victims with malware via the Angler and Neutrino exploit kits.
Sherrod DeGrippo, director of emerging threats for Proofpoint, told SC Media via email today that “the campaign described in ESET's post is the work of the same actor group we named AdGholas,” and that Stegano is a newly enhanced form of the Astrium exploit kit that was discovered in 2014.
Compared to past efforts involving Angler and Neutrino, Stegano has been even more successful in sneaking its malicious banners onto credible websites, according to ESET, which reported finding major domains – including popular news websites visited by millions of people on a daily basis – hosting these booby-trapped advertisements. During the campaign, the advertisements were either promoting a privacy software product called “Browser Defence” or an image-capturing software named “Broxu.”
Not everyone who sees these ads are infected, however. Similar to the AdGholas campaign, Stegano picks and chooses its victims carefully. In this case, those who don't fit the ideal profile for infection are simply served a clean ad.
“…The malicious version of the ad is served only to a specific target group, selected by the attackers' server. The decision-making logic behind the choice of target is unknown and this helps the bad guys to go further in dodging suspicion on the advertising platforms' side,” said Lipovsky.
The malware further refines its list of victims by using an Internet Explorer vulnerability (CVE-2016-0162) to verify that it is not running in a sandbox or virtualised environment – the kind a security researcher might set up in order to monitor and analyse a malware infection.
If Stegano determines it is not under surveillance, it then creates a tiny, one-pixel iframe – off-screen so that it's not visible – and redirects the user to its landing page via said iframe. Next, the landing page loads a file capable of exploiting three different Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), choosing the one that corresponds to the version of Flash found on the victim's system.
The machine is exposed to one additional security check – this time looking for security products that could expose the attack – before the final payload is downloaded from the attacker's server in the guise of a GIF image.