Malvertising Redirecting to Microsoft Silverlight Exploits

Researchers at Cisco spotted a recent malvertising campaign where victims were redirected by ads on the AppNexus network to sites hosting the Angler Exploit Kit and exploits against Silverlight vulnerabilities.

The fact that Netflix accounts for one-third of Internet traffic during peak evening hours, and that it runs on the Microsoft Silverlight platform, is just too tempting a combination for hackers to pass up.

For the second time in six months, criminal hacker groups are zeroing in on Silverlight vulnerabilities in order to spread malware that leads to system compromise and data loss for victims.

This time, criminals have infiltrated the second most popular online ad network, AppNexus, with malvertising that redirects victims, sometimes over several hops, to malicious sites hosting the Angler Exploit Kit, which has been loaded with a variety of exploits for Silverlight vulnerabilities.

Silverlight, similar to Adobe Flash, is Microsoft’s plug-in for streaming media on browsers and is perhaps most known for being used in Netflix’s streaming video service.

A recent campaign spotted by researchers at Cisco spiked between May 7 and May 13, accounting for as high as 18 percent of the total HTTP requests for sites hosting the kit. The kit in this campaign also hosts exploits for Flash and Java, though none of the Java exploits have been triggered. Victims are being compromised via drive-by downloads where a malicious ads redirects browsers to another malicious banner that redirects it again to the Angler Exploit Kit landing page. Once there, the exploit is delivered and a Trojan is delivered to the compromised machine that opens two listener ports and opens a TCP connection to a remote server hosted in Brazil, Cisco said.

Criminals behind this campaign are likely banking on the fact that the industry has been consumed with Flash and Java exploits

Criminals behind this campaign are likely banking on the fact that the industry has been consumed with Flash and Java exploits, both of which have been patched many times in the past two years, and have begun to target Silverlight.

“Java and Flash have been heavily exploited over the years, and vendors are getting good at writing engines that detect vulnerabilities in those libraries,” said Craig Williams, Technical Leader, Threat Research Analysis and Communications at Cisco. “Silverlight has not been exploited much. There are some limited CVEs, but few are widespread. What we may be seeing here is a tipping point where Java exploits are being detected and what other formats can hackers take advantage of.”

Though this particular Silverlight campaign has quieted down since vendors such as Cisco have added detection signatures and capabilities for it, this was a serious dip in the waters for the attackers. DNS requests for these particular Angler domains are spread out in most of the world, concentrated heavily in Europe and North America.

“This delivery uses rolling XOR encryption to obfuscate what was happening. This is an important update in this campaign,” said Levi Gundert, another Technical Leader, Threat Research Analysis and Communications at Cisco. This indicates they are fairly serious about what they’re doing. Obfuscation makes it a challenge to detect and it’s clear they want to evade researchers.”

In November, exploit code targeting two memory vulnerabilities in Silverlight surfaced, though the bugs were patched in March by Microsoft. Cisco expects more Silverlight exploits to surface with close to 60 percent of rich Internet applications supporting it.

Cisco has posted lists of indicators of compromise, including lists of referrers, Angler domains, landing page full URIs and associated Angler domains.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.