An advertising banner on a number of widely used Russian-content sites has been serving a rare, RAM-based form of malware, according to a Securelist report.
Researchers at Kaspersky Lab recently received information from an independent researcher detailing mass infections that appeared to originate from a number of popular Russian news sites. The symptoms of infection were the same: computers on the network were sending requests to third-party resources and, in turn, encrypted files began showing up on their hard drives. However, commonalities among the infections were elusive. The websites spreading the infection were hosted on different platforms with different architectures, and attempts to cross-reference the malicious code with samples in the Kaspersky Security Network were unsuccessful.
The shared characteristic between the sites turned out to be a third-party advertiser, AdFox. When users visited sites running the infected AdFox banner, they encountered a teaser advertisement. Inside that advertisement was a string of JavaScript with an iframe hidden in it. The iframe points to an EU domain hosting a Java exploit used frequently in exploit packs. However, these attackers were using their own portable executable file.
Like a normal infection, the program seizes all the necessary privileges on the infected machine. However, in this case it does not install malware on the hard drive. Instead, it injects an encrypted DLL directly into the javaw.exe process, and then Java begins sending requests to a third party.
This sort of RAM-based malware is extremely difficult to detect.
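Because the injected code lives only inside javaw.exe, the visible trace is the Java process itself making outbound connections. The following is an added example, not code from the article or from Securelist: it walks constructed process/network telemetry lines (a made-up format) and flags javaw.exe connections to destinations outside a hypothetical allowlist of hosts Java is expected to reach.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article), one outbound connection
# per line, in a made-up format: timestamp host process pid dest_host dest_port
SAMPLE_LOG = """\
2012-03-19T10:00:01Z ws01 chrome.exe 1204 news.example.ru 80
2012-03-19T10:00:02Z ws01 javaw.exe 3320 update.java.example 443
2012-03-19T10:00:05Z ws01 javaw.exe 3320 ad-cdn.example.eu 80
2012-03-19T10:00:06Z ws01 javaw.exe 3320 ad-cdn.example.eu 80
2012-03-19T10:00:09Z ws02 javaw.exe 2210 198.51.100.23 8080
2012-03-19T10:00:10Z ws02 outlook.exe 900 mail.example.com 443
"""

# Hypothetical allowlist: destinations Java is legitimately expected to contact.
JAVA_ALLOWLIST = {"update.java.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one telemetry line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, pid, dest, port = m.groups()
    return {"ts": ts, "host": host, "proc": proc.lower(),
            "pid": int(pid), "dest": dest, "port": int(port)}


def find_suspicious_java_egress(log_text, allowlist=JAVA_ALLOWLIST):
    """Return {(host, pid): sorted 'dest:port' list} for every javaw.exe
    process that connected to a destination not on the allowlist."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"] != "javaw.exe":
            continue
        if rec["dest"] in allowlist:
            continue
        hits[(rec["host"], rec["pid"])].add(f'{rec["dest"]}:{rec["port"]}')
    return {key: sorted(dests) for key, dests in hits.items()}


if __name__ == "__main__":
    for (host, pid), dests in find_suspicious_java_egress(SAMPLE_LOG).items():
        print(f"{host}: javaw.exe pid {pid} -> {', '.join(dests)}")
```

Repeated connections from one javaw.exe PID are collapsed so each process is reported once; in practice the allowlist would come from your own baseline of Java update and application servers.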
Securelist reports that cybercriminals compromised the account of an AdFox customer and added the iframe to the banners in order to redirect users to the malicious site.
You can read more details about this infection at Securelist.
AdFox has since removed the malware in question from the infected banner.