Caphaw Banking Malware Distributed via YouTube Ads

More than one billion of unique visitor spend about 6 billion hours on YouTube to watch videos, according to monthly YouTube Stats. Security researchers from Bromium Labs recently found that YouTube advertising network has been abused by rogue advertisers to distribute malware.

YouTube In-Stream Ads were redirecting users to malicious websites, hosting the 'Styx Exploit Kit' and was exploiting client side vulnerabilities by drive-by-download attack to infect users' computer with Caphaw Banking Trojan.

The Exploitation process relied upon a Java vulnerability (CVE-2013-2460) and after getting dropped into the target computer system, the malware detects the Java version installed on the operating system and based upon it requests the suitable exploit.

"We don't yet know the exact bypass which the attackers used to evade Google's internal advertisement security checks. Google has informed us that they're conducting a full investigation of this abuse and will take appropriate measures." researchers said.

Further investigation has revealed that the banking malware uses Domain Generation Algorithm (DGA) for communicating with Command and Control server (C&C). The C&C panel of this Trojan seems to be hosted somewhere in Europe and the case is still under investigation. Caphaw Banking Malware has been marked as malicious by a number of anti-virus companies.

How many users had become victim of this attack is yet a question. Google has taken down the malvertisment campaign and is beefing up internal procedures to prevent such events from occurring again.

Oracle has already patched the respective Java vulnerability last year, So users are advised to keep their Java software up-to-date and install latest Security updates of the softwares and operating system.