Malvertising Campaigns Skirt Ad Blockers, Serve Up Mac Malware


The RIG exploit kit and Safari redirects are both in the adversaries’ bag of tricks.

Two fresh malvertising campaigns are abusing the convoluted underpinnings of the online advertising economy to find malware victims. One is a large-scale exploit kit (EK) campaign designed to circumvent traditional safeguards such as ad blockers; the other uses web redirects to target Mac users.

According to Cisco Talos, a RIG EK campaign is spreading via a malicious toolbar that is installed alongside a bundled software download. In the other campaign, Talos discovered a website redirecting Safari browsers to a domain delivering a malicious Flash Player installer.

“[Internet] advertising…is a highly complex and convoluted system that is ripe for abuse,” researchers said in a writeup on Wednesday. “This is an issue that should not be ignored by the public, as these malicious ads can deliver malware out of nowhere and trick traditional internet users who may not be aware of the threats that exist on some pages.”

In the current RIG EK campaign, the adversaries are preying upon people looking for online security software.

“A quick web search can result in a wide variety of results, from the legitimate and expensive to the quasi-legitimate and free,” Talos researchers explained. “One of those results could lead to a site like USB Guardian. USB Guardian claims to be software designed to prevent you from getting infected with a worm and scans USB devices.”

However, all is not what it seems. When a user downloads USB Guardian, a toolbar ironically called “Best Security Tips” will also be installed. The toolbar is the source of the malicious activity.

Talos researchers said that the toolbar initiates a series of web requests immediately after installation. The first request is to an ad network called “daily ads.”

“The toolbar will change the browser homepage and default search engine, allowing adversaries to change search results and other activities to promote click fraud and excessive advertising, which can lead to more damaging results including malware infection,” according to Talos. “These changes allow the ad networks to push content onto end systems with higher efficacy.”

Eventually, a GET request is sent to ww7.dailyads[.]org that carries a header called “X-Adblock-Key.” Talos discovered that this header includes a key that allows daily ads to bypass one of the most popular ad blockers. X-Adblock-Key is the header Adblock Plus uses for sitekey allowlisting: the page presents a public key and a signature, and if that key matches a `$sitekey=` exception in the blocker's filter list, the page's ads are not blocked. The header does nothing on its own; the key must already be listed as an exception, which is what makes its presence on an ad server worth hunting for.

“In many cases, this ad blocker is the only thing preventing a user from being shown a malicious ad,” Talos noted. “So the presence of this key implies that at least one of the biggest ad blockers would not have stopped these ads from rendering to the user. Eventually, the user will end up [on a RIG EK page]…and eventually will be served a patched Adobe Flash or Internet Explorer vulnerability to deliver some sort of malicious payload.”
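The header check above is a cheap hunting signal in proxy or web-server captures. The following Python is an added example, not code from Talos or from the toolbar: it parses captured HTTP response headers, flags any X-Adblock-Key presented by a host that is not on an allowlist of known sitekey publishers, and fingerprints the embedded public key so the same key can be pivoted on across hosts. The value format (base64 DER public key, underscore, base64 signature) follows the Adblock Plus sitekey scheme; the hostnames, allowlist, key bytes and responses are all constructed.

```python
"""Hunt HTTP response headers for unexpected X-Adblock-Key sitekeys.

Added example, not code from Talos or the toolbar. Assumes the sitekey value
is "<base64 DER public key>_<base64 signature>" (Adblock Plus' sitekey
scheme). All hosts, the allowlist, the key bytes and the responses below
are constructed.
"""
import base64
import binascii
import hashlib
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed allowlist: publishers whose sitekey use is known and approved.
EXPECTED_SITEKEY_HOSTS = {"publisher.example"}

# Constructed, not a real key pair: stands in for the DER-encoded public key
# and the signature a sitekey-allowlisted page would present.
FAKE_PUBKEY = b"\x30\x82\x01\x22-constructed-public-key-bytes"
FAKE_SIG = b"constructed-signature-bytes"
FAKE_SITEKEY = (base64.b64encode(FAKE_PUBKEY).decode()
                + "_" + base64.b64encode(FAKE_SIG).decode())


def _response(*header_lines: str) -> str:
    """Build a raw HTTP/1.1 response header block from header lines."""
    return "HTTP/1.1 200 OK\r\n" + "".join(h + "\r\n" for h in header_lines) + "\r\n"


# Constructed capture: (host, raw response header block).
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("ww7.dailyads.org", _response("Content-Type: text/html",
                                   "X-Adblock-Key: " + FAKE_SITEKEY)),
    ("publisher.example", _response("Content-Type: text/html",
                                    "x-adblock-key: " + FAKE_SITEKEY)),
    ("cdn.example", _response("Content-Type: text/javascript",
                              "X-Adblock-Key: not_base64!!")),
    ("news.example", _response("Content-Type: text/html")),
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response header block into a dict with lower-cased names."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def _b64(part: str) -> Optional[bytes]:
    """Strict base64 decode; None if the text is not valid base64."""
    try:
        return base64.b64decode(part, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_sitekey(value: str) -> Optional[Dict[str, object]]:
    """Split "<pubkey>_<signature>" and fingerprint the public key.

    Returns None when the value does not have the expected shape.
    """
    pubkey_b64, sep, sig_b64 = value.partition("_")
    if not sep:
        return None
    pubkey, sig = _b64(pubkey_b64), _b64(sig_b64)
    if not pubkey or not sig:
        return None
    return {"pubkey_sha256": hashlib.sha256(pubkey).hexdigest(),
            "pubkey_len": len(pubkey), "sig_len": len(sig)}


def hunt_sitekeys(responses: Sequence[Tuple[str, str]],
                  expected_hosts: set) -> List[Dict[str, object]]:
    """Flag every response presenting X-Adblock-Key from a non-allowlisted host."""
    findings: List[Dict[str, object]] = []
    for host, raw in responses:
        value = parse_headers(raw).get("x-adblock-key")
        if value is None or host in expected_hosts:
            continue
        info = decode_sitekey(value)
        findings.append({
            "host": host,
            "status": "malformed" if info is None else "unexpected_sitekey",
            "pubkey_sha256": None if info is None else info["pubkey_sha256"],
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_sitekeys(SAMPLE_RESPONSES, EXPECTED_SITEKEY_HOSTS):
        print(finding)
```

The fingerprint is the useful pivot: a sitekey is tied to a filter-list exception, so the same public key turning up on an ad server that was never granted an exception, or on many unrelated hosts, is the anomaly to chase. A malformed value is still reported, since a header that is present but undecodable is itself unusual.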

So far, the effort has hit a wide variety of sites across verticals, from news to design, music, racing and popular culture. Talos said that it has observed sites carrying the malicious ads that rank as high as the top 5,000 websites, per Alexa.

Malvertising is an attractive attack vector for EK operators, mainly because it offers a far larger potential victim pool than other avenues. When leveraging a compromised website to deliver exploits, the victim pool is confined to people navigating to that website. With malvertising, by contrast, attackers can hit a much larger array of victims in different locations.

For instance, Talos has found evidence that sites in the Alexa top 100 have been indirectly linked to this malvertising campaign.

“These often start with sponsored content, links typically displayed on various high-ranking web pages linking to other, smaller web pages,” the researchers explained. “We found several examples where a user would start at an Alexa top 50 site, including some of the biggest news sites on the internet. The user would then click on some sort of sponsored content, either wittingly or unwittingly. The user is then taken to a new site, well outside the Alexa top 50 to something in the Alexa top 10,000 instead. These sites will then have [malicious] ads.”

In a similar vein, an adversary using a compromised website to deliver an exploit kit creates a single point of failure: the compromised site. The same campaign powered by malvertising, on the other hand, has multiple different entry points from a variety of both related and unrelated web pages, making enumeration and mitigation more difficult.

In the second campaign, spotted in June, Talos observed a website bouncing Safari browsers through a chain of redirects to a domain delivering a malicious Flash Player installer. The attackers are using a common service called “domain parking” to enable their campaign.

“Essentially, parking domainers don’t wait for a user to click on an ad to generate [pay-per-click] revenue, but take benign traffic that would otherwise return an error, and redirect it into their ad network, acting as an ad publisher,” Talos explained.

This so-called “zero-click” traffic is sold in traffic marketplaces, where the owner of a domain can purchase traffic and have it directed to their domain.

“Using a parking service, a user can specify the category of the domain to affect bidding, user’s target browser, operating system, geolocation and in some cases the age and demographic of the person viewing the ad,” the researchers explained.

At the time of the investigation, the initial domain was hosted with a parking service at a cloud provider in Lithuania. Cisco Threat Grid has nearly 700 malware samples with a threat score of 95 or above associated with the host, which has hosted hundreds of domains over time. In a one-week span, 87 domains were pointed to the IP, the researchers found.

“During our investigation, more often than not, and while avoiding a server-side request rate limit, a Safari browser will be redirected through a series of sites ultimately landing at the fake Flash Player installer,” they wrote, noting that users would be redirected about seven times in order to get there.

If a user downloads and runs the fake installer, the system is infected with a well-known piece of Mac malware called “Shlayer.”
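A chain like the one described above can be walked for triage without executing anything at the end of it. The following Python is an added example, not Talos' tooling: it follows HTTP 3xx Location headers, meta refreshes and simple JavaScript location assignments using a Safari User-Agent, caps the hop count, detects loops, and classifies the landing point as a disk-image download, a Flash lure page, or an ordinary page. The fetch function is a constructed in-memory mock of a parking-style chain that only bounces genuine Safari browsers; every hostname in it is hypothetical.

```python
"""Walk a Safari-targeted redirect chain for triage without running the payload.

Added example, not Talos' tooling. The fetcher below is a constructed
in-memory mock of a parking-style chain; all hostnames are hypothetical.
Swap in a real HTTP client with the same (url, ua) -> (status, headers, body)
contract to walk live infrastructure.
"""
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin

SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/12.1.1 Safari/605.1.15")
CHROME_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36")

# (status, headers with lower-cased names, body)
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str, str], Response]

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def next_hop(url: str, resp: Response) -> Optional[str]:
    """Return the next URL a browser would load from this response, if any."""
    status, headers, body = resp
    if 300 <= status < 400:
        loc = headers.get("location")
        return urljoin(url, loc) if loc else None
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(url, m.group(1)) if m else None


def classify_landing(url: str, resp: Response) -> str:
    """Label the final stop: a disk image download, a Flash lure, or a plain page."""
    _, headers, body = resp
    ctype = headers.get("content-type", "").lower()
    disp = headers.get("content-disposition", "").lower()
    if url.lower().endswith(".dmg") or "x-apple-diskimage" in ctype or ".dmg" in disp:
        return "dmg_download"
    if re.search(r"flash\s*player", body, re.I) and re.search(r"install|update", body, re.I):
        return "fake_flash_lure"
    return "page"


def follow_chain(start: str, fetch: Fetcher, ua: str = SAFARI_UA,
                 max_hops: int = 15) -> Dict[str, object]:
    """Follow redirects from start, recording every hop; never executes content."""
    chain = [start]
    url, resp, hops = start, fetch(start, ua), 0
    while True:
        nxt = next_hop(url, resp)
        if nxt is None:
            break
        if nxt in chain:
            return {"chain": chain, "hops": hops, "verdict": "loop"}
        if hops >= max_hops:
            return {"chain": chain, "hops": hops, "verdict": "hop_limit"}
        chain.append(nxt)
        url, resp, hops = nxt, fetch(nxt, ua), hops + 1
    return {"chain": chain, "hops": hops, "verdict": classify_landing(url, resp)}


# Constructed chain: parked domain -> traffic marketplace -> UA filter ->
# fake Flash lure -> disk image. Hypothetical hosts only.
CONSTRUCTED_CHAIN: Dict[str, Response] = {
    "http://parked.example/":
        (302, {"location": "http://traffic-market.example/click?id=1"}, ""),
    "http://traffic-market.example/click?id=1":
        (302, {"location": "/r?ua=safari"}, ""),          # relative Location header
    "http://traffic-market.example/r?ua=safari":
        (200, {"content-type": "text/html"},
         '<html><head><meta http-equiv="refresh" content="0;url=http://lure.example/flash/">'
         '</head></html>'),
    "http://lure.example/flash/":
        (200, {"content-type": "text/html"},
         '<html><body>Your Flash Player is out of date. Install the update now.'
         '<script>window.location.href = "http://lure.example/dl/FlashPlayer.dmg";</script>'
         '</body></html>'),
    "http://lure.example/dl/FlashPlayer.dmg":
        (200, {"content-type": "application/x-apple-diskimage"}, ""),
}


def mock_fetch(url: str, ua: str) -> Response:
    """Only genuine Safari UAs get bounced; everyone else sees a bland parked page."""
    if "Safari" not in ua or "Chrome" in ua:
        return (200, {"content-type": "text/html"}, "<html>This domain is parked.</html>")
    return CONSTRUCTED_CHAIN.get(url, (404, {}, ""))


if __name__ == "__main__":
    print(follow_chain("http://parked.example/", mock_fetch))
    print(follow_chain("http://parked.example/", mock_fetch, ua=CHROME_UA))
```

Two points carry over to live use: the User-Agent matters, because parking filters sell Safari traffic separately and a non-Safari client sees nothing, and the hop cap matters, because a chain that never terminates or that bounces back on itself should be reported as such rather than fetched forever. Against real infrastructure, add the rate limiting the researchers mention and fetch the final disk image only for hashing, never for mounting.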

“Digital advertising is one of the biggest battlegrounds on the threat landscape for drive-by attacks delivering malicious content around the globe,” the researchers noted. “Both enterprises and consumers need to be prepared and make a decision on how aggressive they want to be on blocking it. However, it’s a unique challenge since the risk is eliminating large chunks of free content on the internet as it becomes increasingly difficult to generate revenue from that content. These are just a couple of the major issues we will be forced to confront over the next several years.”
