Researchers from antivirus provider ESET released a report on Tuesday stating that they have discovered an exploit kit, dubbed Stegano, hiding malicious code in the pixels of banner advertisements that are currently in rotation on several high profile news websites.
Stegano originally dates back to 2014, but since early October this year, cyber crooks had managed to get the malicious ads displayed on a variety of unnamed reputable news websites, each with Millions of daily visitors.
Stegano derived from the word Steganography, which is a technique of hiding messages and content inside a digital graphic image, making the content impossible to spot with the naked eye.
In this particular malvertising campaign, operators hide malicious code inside transparent PNG image's Alpha Channel, which defines the transparency of each pixel, by altering the transparency value of several pixels.
The malvertising campaign operators then packed the altered image as an advertisement and managed to display those malicious ads on several high-profile websites.
According to the researchers, the malicious ads promote applications called "Browser Defense" and "Broxu," and the methodology makes it tough for ad networks to detect.
Here's How the Stegano Attack Works:
Once a user visits a site hosting malicious advertisement, the malicious script embedded in the ad reports information about the victim's computer to the attacker's remote server without any user interaction.
The malicious code then uses the CVE-2016-0162 vulnerability in Microsoft's Internet Explorer (IE) browser in order to scan the target computer to see if it is running on a malware analyst's machine.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
After verifying the targeted browser, the malicious script redirects the browser to a website that hosts Flash Player exploits for three now-patched Adobe Flash vulnerabilities: CVE-2015-8651, CVE-2016-1019, and CVE-2016-4117.
"Upon successful exploitation, the executed shell code collects information on installed security products and performs – as paranoid as the cybercriminals behind this attack – yet another check to verify that it is not being monitored," ESET researchers wrote in a blog post. "If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image."When downloaded to the victim's computer, the encrypted payload is then decrypted and launched via regsvr32.exe or rundll32.exe in Microsoft Windows.
Just Visit a Site, and You'll be Hacked in Just 2-3 Sec
Below is an ESET infographic that explains the working of Stegano's exploit attack:
All the above operations execute automatically without any user interactions and takes place in the span of just 2-3 seconds.
So far, the Stegano exploit kit has pushed various trojan downloaders, the Ursnif and Ramnit banking trojans, backdoors, spyware, and file stealers.
The Stegano exploit kit was initially used in 2014 to target people in the Netherlands, and then in 2015, moved on to residents in the Czech Republic. The latest attack campaign is targeting people in Canada, the UK, Australia, Spain, and Italy.
The best way to protect yourself against any malvertising campaign is always to make sure you are running updated software and apps. Also use reputed antivirus software that can detect such threats before they infect your system.