A malvertising network that has been operating since at least May has been able to place malicious ads on a number of high-profile sites, including Amazon and YouTube and serves a unique piece of malware to each victim.
The network, dubbed Kyle and Stan by the Cisco researchers who analyzed its activities and reach, comprises more than 700 domains and nearly 10,000 users have hit these domains and been exposed to the malicious advertisements. Malvertising networks are not a new phenomenon, but they’re an effective means for spreading malware to potentially huge numbers of people. These operations typically involve attackers placing advertisements containing malicious code on various Web sites. Sometimes victims will need to click on the ads in order to trigger the attack, but in other cases the ad will dynamizally redirect the victim to a separate domain. Once the victim lands on the remote domain, the site delivers the malware to victim’s machine.
Many high-profile sites have been the victims of malvertising operations in recent years, including the New York Times. What’s interesting about the Kyle and Stan malvertising network is that not only does it compile and deliver a unique piece of malware for each victim, but it also has separate versions for Windows and OS X machines, the researchers said.
“Once the victim gets redirected to the final URL, the website automatically starts the download of a unique piece of malware for every user. The file is a bundle of legitimate software, like a media-player, and compiles malware and a unique-to-every-user configuration into the downloaded file. The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far. The impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike,” Armin Pelkmann of Cisco wrote in an analysis of the attack.
Pelkmann said that the true size of the network is likely much larger than the 700-plus domains that the researchers identified. All of the domains they discovered are hosted by Amazon and Pelkmann said there seem to be certain domains involved in the network that are strictly for redirection and others that serve only as landing pages. Once the attack succeeds in placing the malware on a victim’s machine, the real operation begins. In the case of the Mac malware, it installs a benign media player and a browser hijacker that remains persistent on the machine.
The Windows version of the attack uses a dropper and installes a bundle of spyware and adware.
“Upon further analysis of the Windows sample, it became clear that we found an adware/spyware dropper that has an interesting way of retrieving its various payloads through a GET request. The dropper is a 32 bit executable written in C++,” Pelkmann said.
The Kyle and Stan malvertising network is just one of many operating at any given time, and the Cisco researchers said that the network’s ability to provide unique pieces of malware to each victim, along with the large number of domains, is helping to keep it from being detected more broadly.
“The large number of domains allows the attackers to use a certain domain just for a very short time, burn it and move on to use another one for future attacks. This helps avoiding reputation and blacklist based security solutions. All in all we are facing a very robust and well-engineered malware delivery network that won’t be taken down until the minds behind this are identified,” Pelkmann said.
