Researchers Uncover Massive Malvertising Operation

While analyzing recent drive-by download attacks, security researchers have uncovered a large malvertising operation that infiltrated the legitimate online ad ecosystem and abuses more than 10,000 compromised websites.

Malicious advertising, or malvertising, is the practice of displaying rogue ads on legitimate websites without their owners’ consent or knowledge. This has been a very popular attack vector for many years and even led to an investigation by the U.S. Senate in 2014.

In response, ad networks, which are responsible for delivering ads to content publishers, have strengthened their defenses against fraud and abuse, but as researchers from Check Point recently found, cybercriminals still find ways to bypass those checks on a large scale.

In addition to scam and scareware, malicious ads are frequently used to direct unsuspecting users to exploit kits, web-based attack tools that attempt to exploit vulnerabilities in browsers or their plug-ins. Flash Player, Java and Silverlight have been common targets over the years.

Exploit kits are not as popular with cybercriminals as they used to be, because the targeted applications have incorporated sandboxing and other mechanisms that make exploitation more difficult. However, they’re still around and new ones are being created.

“Check Point Research has uncovered a large Malvertising campaign that starts with thousands of compromised WordPress websites, involves multiple parties in the online advertising chain and ends with distributing malicious content, via multiple Exploit Kits,” researchers from the security company said in a new report.

The researchers uncovered that a single threat actor, whom they dubbed Master134, is in control of more than 10,000 compromised websites. The sites all run an older version of WordPress that is vulnerable to remote code execution.

The threat actor appears to be posing as a publisher and sells ad space on these compromised websites through a large advertising network called AdsTerra. In turn, that ad space is bid on and bought through AdsTerra by several other reseller companies, which then sell it to advertisers who turn out to be almost exclusively cybercriminal groups that operate exploit kits.

This seems to be a full abuse of the advertising supply chain and it’s not clear if the advertising companies involved are having their security checks bypassed or are intentionally turning a blind eye to the malicious activity.

“Indeed, threat actors never cease to look for new techniques to spread their attack campaigns, and do not hesitate to utilize legitimate means to do so,” the researchers said. “However, when legitimate online advertising companies are found at the heart of a scheme, connecting threat actors and enabling the distribution of malicious content worldwide, we can’t help but wonder – is the online advertising industry responsible for the public’s safety? Indeed, how can we be certain that the advertisement we encounter while visiting legitimate websites are not meant to harm us?”

Unfortunately, malvertising is likely to remain a common attack vector for years to come, if not to direct users to exploit kits, then to trick them into downloading potentially unwanted applications. Malicious and annoying advertisements are frequently cited as the primary reasons for users installing ad blockers in their browsers, which hurts the entire online ecosystem and content creators in particular.

Editors Note: This article was amended Aug. 1 to remove the names of companies that may or may not have been misidentified by Check Point.

PowerGhost Fileless Cryptominer Has Worming Capabilities

A new PowerShell-based cryptomining threat called PowerGhost uses fileless execution techniques to evade antivirus detection and spreads over local networks using the EternalBlue SMB exploit.

According to an analysis by researchers from Kaspersky Lab, systems are infected with PowerGhost through exploits or via the Windows Management Instrumentation (WMI), an API used by system administrators for remote management.

The payload is a one-line PowerShell script that downloads the miner’s body and launches it without writing it to the hard drive. The script also downloads additional components: the credentials dumping tool mimikatz; the libraries msvcp120.dll and msvcr120.dll that are required for the miner’s operation; a module for reflective PE injection and shellcode for the EternalBlue exploit.

The malware has two network propagation methods. One is by exploiting the EternalBlue vulnerability (CVE-2017-0144) and the other is by using credentials extracted through mimikatz to copy itself to other computers through WMI. Before execution the malware will also attempt to gain higher privileges by exploiting other known Windows vulnerabilities.

PowerGhost has a global victim distribution, but the countries with the largest number of infected systems are India, Brazil, Columbia and Turkey. In one version the researchers even found a tool for launching distributed denial-of-service (DDoS) attacks.

Featured eBook
The Main Pillars of The DevOps Toolchain

The Main Pillars of The DevOps Toolchain

Software companies often have a problem closing the gap between what the customer orders and what the engineers deliver. Usually, the main cause of this difficulty is the separation of the development environment and the production environment. After all, when an engineer only has access to the development environment, they will focus on delivering results there ... Read More
WhiteSource

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 199 posts and counting.See all posts by lucian-constantin