An attack group behind a long-running malvertising campaign made effective use of a previously unreported low-level vulnerability in Microsoft’s Internet Explorer and Edge browsers to rake in money via banking Trojans and ad fraud.
Microsoft patched the zero-day this week among dozens of other vulnerabilities addressed in its monthly Patch Tuesday release of security bulletins.
The fix was included in cumulative updates for IE and Edge, though Microsoft rated it a low-criticality vulnerability on Windows servers, and important on clients.
“It’s not really severe in itself. It just gives non-critical information about the inspected computer. But this is enough to filter many automated/emulated browsing systems,” said Proofpoint researcher Kafeine who published a report on the vulnerability Tuesday. “It allowed them to stay below the radar. Combining this with other tricks/filtering methods makes replaying the infection and getting strong evidence of some a malvertising chain difficult.”
Two cybercrime operations made use of the vulnerability, Kafeine told Threatpost. One is known as AdGholas, and the other GooNky.
The AdGholas malvertising campaign at its peak was infecting thousands of clients a day, after recording millions of ad impressions. The campaign was suspended in late July Proofpoint said after a nearly three-year run.
AdGholas stood out also for its use of steganography to conceal its attacks, likely the first time this tactic was used in malvertising campaigns. Researchers said that hidden in JavaScript filtering code used by the campaign was more code that used an API to read a PNG and extract even more JavaScript. A user’s browser would be infected by browsing a site, after which they were redirected to a cloned version of a legitimate site, tricking victims into thinking everything was normal.
The campaigns were dependent on the Angler Exploit Kit—some samples show it being used by Angler to move Reveton ransomware in 2014, for example—but since Angler has been offline since early this summer, AdGholas too went quiet before it was spotted being distributed in Neutrino Exploit Kit traffic.
Microsoft patched the flaw, CVE-2016-3351, in MS16-104 (IE) and MS16-105 (Edge). Since the attacks now included Microsoft’s latest browser, Edge, the vulnerability reached a threshold where it merited a security bulletin.
The attackers, meanwhile, went to great lengths beyond the steganography to hide their activities.
“It would not execute if some tools used by researchers were present,” Kafeine said, listing off Fiddler, Wireshark among others. He also said that some samples would not execute if certain common applications were missing such as Skype, iTunes or Torrent applications, indicating the sample was likely executing inside a virtual machine or sandbox.
“This vulnerability is a MIME type check used to filter out systems that have certain shell extension associations, including .py, .pcap, and .saz,” Kafeine wrote in his report. “In some cases, certain extensions association including .doc, .mkv., .torrent, and .skype are required to trigger the next exploitation step.”
In the meantime, Kafeine said the effectiveness and stealth of this campaign demonstrates the importance for vigilance in keeping browsers and third-party applications up to date.
“Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time. In this case, the AdGholas group used such a bug specifically to avoid detection by researcher- and vendor-automated systems and thus stay below the radar even while they conducted a massive, long-running malvertising operation,” Kafeine wrote. “The bottom line? As much as possible, software vendors need to maintain comprehensive patching regimens, organizations and users must rethink patching prioritizations, and researchers need to look for new avenues to detect malicious activity.”