February 13, 2017 by

Yahoo, MSN Struck by Advanced Malvertising Campaign

 A treacherous malicious advertising campaign is making a comeback on major publishing websites including the likes of MSN and Yahoo, merely months after researchers discovered and were thought to have ended the campaign.

Malvertising, or malicious software delivered through advertisements, is an extremely effective way to target and infect a large number of computers. They are typically embedded into ad networks and trigger a cyberattack when the ads are viewed, often unbeknownst to the victim.

A malicious group dubbed AdGholas, has been known to deliver malware payloads through advertisements in the past. The group’s last-known campaign was shut down in July 2016, after infecting at least a million computers a day with malware.

However, a new ad campaign is turning heads again and the advertising agency is not having an easy time diffusing these malicious payloads, even after realizing that the threat is real. According to Jerome Segura, lead malware intelligence analyst at Malwarebytes, the attack campaigns triggered by AdGholas can be blocked in the short-term. However, significant security weaknesses in the online advertising industry means that malicious groups will target websites with new and modified attack patterns, the researcher says.

A Technically Sound Attack Campaign

AdGholas’ latest campaign sees it distribute malvertising through ‘Browser Defense’ a malicious piece of software purporting to be a privacy tool and Broxu, a screen-capture application. The ad looks for a known information leakage vulnerability on Internet Explorer, even if the user avoids clicking on the advertisement, according to Eset.

 Here, the vulnerability allows the attacker to obtain key facts and information about the computer. Before proceeding with an attack, the cybercriminal is able to ascertain if the computer is running an anti-virus program or other security software. The information even reveals if the computer is actually a virtual machine.

Picking out the malvertising campaign by AdGholas specifically, Segura stated:

It is one of the most advanced malvertising attacks that I’ve ever witnessed.

Typically, cybercriminals avoid running malware on computers if they suspect that their campaign is being studied, in order to further the longevity of the campaign by avoiding discovery from researchers. However, in the case of AdGholas’ malvertising campaign, the information gathered includes the computer’s performance stats, the locations of its installed video drivers and even the computer’s time zone. These checks are pored over multiple times before the victim is chosen.

“These kind of things are absolutely insane from our point of view,” Segura added. “That level of detail is just very, very advanced. The group is very paranoid.”

When a victim is chosen, the browser redirects the victim to a landing page hosting Astrum, an exploit kit that then attempts to exploit vulnerabilities in the notoriously exploitable Flash Player.

Segura was able to observe a full attack after many attempts of trying to trigger an attack by AdGholas’ campaign. Yahoo was notified of the attack around November 27 according to Data Breach Today. However, merely two days later, the malicious advertisements were back. AdGholas has simply changed the domain used for the domain used for the attacks.

A lack of quality control in ad networks has seen the latest round of attacks by AdGholas targeting computers in the U.K., Australia, Spain, Italy, Canada and Switzerland while avoiding computers in the U.S.

The failure of quality control also means that the malvertising campaign can target and figure on major websites which sees millions of visitors.

Segura added:

If they’re not seeing it, we’re in serious trouble here. These attacks are happening and nobody is really aware of them.

Image credit: Flickr.

About the author

Image of Author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.

Related articles

Russian Spies Hired Cybercriminals to Hack 500 Million Yahoo Accounts: Justice Dept

The United States government has directly implicated Russian agents of instigating and directing the...

Read more arrow_forward

US Justice Department to Announce Charges against Russians & Canadian in Yahoo Breach

The U.S. Department of Justice is reportedly set to announce indictments against suspected hackers...

Read more arrow_forward

Massive Data Breaches Cost Yahoo $350 Million in Sale to Verizon

Yahoo’s sale of its core business to Verizon for what was originally a $4.85 billion deal now sees...

Read more arrow_forward

If you have any further questions, please don't hesitate to contact us.