The Hacker News Logo
Subscribe to Newsletter

Hacking Millions with Just an Image — Recipe: Pixels, Ads & Exploit Kit

stegano-exploit-kit-malware-hacking
If you have visited any popular mainstream website over the past two months, your computer may have been infected — Thanks to a new exploit kit discovered by security researchers.

Researchers from antivirus provider ESET released a report on Tuesday stating that they have discovered an exploit kit, dubbed Stegano, hiding malicious code in the pixels of banner advertisements that are currently in rotation on several high profile news websites.

Stegano originally dates back to 2014, but since early October this year, cyber crooks had managed to get the malicious ads displayed on a variety of unnamed reputable news websites, each with Millions of daily visitors.

Stegano derived from the word Steganography, which is a technique of hiding messages and content inside a digital graphic image, making the content impossible to spot with the naked eye.

In this particular malvertising campaign, operators hide malicious code inside transparent PNG image's Alpha Channel, which defines the transparency of each pixel, by altering the transparency value of several pixels.

The malvertising campaign operators then packed the altered image as an advertisement and managed to display those malicious ads on several high-profile websites.

According to the researchers, the malicious ads promote applications called "Browser Defense" and "Broxu," and the methodology makes it tough for ad networks to detect.

Here's How the Stegano Attack Works:


Once a user visits a site hosting malicious advertisement, the malicious script embedded in the ad reports information about the victim's computer to the attacker's remote server without any user interaction.

The malicious code then uses the CVE-2016-0162 vulnerability in Microsoft's Internet Explorer (IE) browser in order to scan the target computer to see if it is running on a malware analyst's machine.

After verifying the targeted browser, the malicious script redirects the browser to a website that hosts Flash Player exploits for three now-patched Adobe Flash vulnerabilities: CVE-2015-8651, CVE-2016-1019, and CVE-2016-4117.
"Upon successful exploitation, the executed shell code collects information on installed security products and performs – as paranoid as the cybercriminals behind this attack – yet another check to verify that it is not being monitored," ESET researchers wrote in a blog post. "If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image."
When downloaded to the victim's computer, the encrypted payload is then decrypted and launched via regsvr32.exe or rundll32.exe in Microsoft Windows.

Just Visit a Site, and You'll be Hacked in Just 2-3 Sec


Below is an ESET infographic that explains the working of Stegano's exploit attack:
Hacking Millions with Just an Image

All the above operations execute automatically without any user interactions and takes place in the span of just 2-3 seconds.

So far, the Stegano exploit kit has pushed various trojan downloaders, the Ursnif and Ramnit banking trojans, backdoors, spyware, and file stealers.

The Stegano exploit kit was initially used in 2014 to target people in the Netherlands, and then in 2015, moved on to residents in the Czech Republic. The latest attack campaign is targeting people in Canada, the UK, Australia, Spain, and Italy.

The best way to protect yourself against any malvertising campaign is always to make sure you are running updated software and apps. Also use reputed antivirus software that can detect such threats before they infect your system.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.