Researchers found an older exploit kit being delivered in a new way -- using weaponized graphical images -- that could leave millions of users at risk of attack.
ESET researchers said the Stegano exploit kit was found being delivered in a malvertising campaign that has shifted its targets across different regions of the world: first seen in the Netherlands, then the Czech Republic, and now Canada, Britain, Australia, Spain and Italy. ESET said it has "observed major domains, including news websites visited by millions of people every day, acting as 'referrers' hosting these advertisements." The malicious ads are also very difficult to tell apart from clean ones with the naked eye, according to ESET.
"Without requiring any user interaction, the initial script reports information about the victim's machine to the attacker's remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin," ESET researchers wrote in a blog post. "The malicious version of the graphic has a script encoded in its alpha channel, which defines the transparency of each pixel. Since the modification is minor, the final picture's color tone is only slightly different to that of the clean version."
The exploit kit delivered by the malicious ad has been seen in the wild since 2014 under the name Astrum, though ESET calls it Stegano in reference to steganography -- the practice of concealing data inside another file, in this case a script inside an image.
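To make the alpha-channel trick concrete, here is an added example that is not code from ESET or from the Stegano/Astrum kit. It works on an RGBA pixel buffer shaped like the `ImageData.data` array a browser script gets back from a canvas, hides a NUL-terminated ASCII payload in the low bit of each pixel's alpha value, recovers it the way an in-ad loader would, and shows a scanner heuristic and a sanitiser an ad network could apply. The banner, the payload string and the detection threshold are all constructed for the example; the kit's real encoding and loader are not reproduced here.

```javascript
// Added example (not ESET's or the kit's code): alpha-channel steganography on an RGBA
// buffer shaped like canvas ImageData.data (R, G, B, A bytes per pixel).

// Constructed sample "banner": every pixel fully opaque (alpha 255), mild colour variation.
function makeBanner(width, height) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let p = 0; p < width * height; p++) {
    data[p * 4] = 40 + (p % 7);       // R
    data[p * 4 + 1] = 120;            // G
    data[p * 4 + 2] = 200 + (p % 3);  // B
    data[p * 4 + 3] = 255;            // A: fully opaque
  }
  return { width, height, data };
}

// Hide an ASCII string, NUL-terminated, one bit per pixel in the alpha low bit.
// Where a 0 bit lands, alpha 255 becomes 254: invisible to the eye, readable by script.
function embedInAlpha(image, text) {
  const bytes = Array.from(text + '\0', ch => ch.charCodeAt(0) & 0xff);
  const pixels = image.width * image.height;
  if (bytes.length * 8 > pixels) throw new Error('payload larger than image capacity');
  const data = new Uint8ClampedArray(image.data);  // copy: the clean twin is left untouched
  for (let b = 0; b < bytes.length * 8; b++) {
    const bit = (bytes[b >> 3] >> (7 - (b & 7))) & 1;
    const a = b * 4 + 3;
    data[a] = (data[a] & 0xfe) | bit;
  }
  return { width: image.width, height: image.height, data };
}

// What a loader does after drawing the ad to a canvas and calling getImageData:
// walk the alpha low bits, rebuild bytes, stop at the NUL terminator.
function extractFromAlpha(image) {
  const pixels = image.width * image.height;
  let out = '';
  let byte = 0;
  for (let b = 0; b < pixels; b++) {
    byte = (byte << 1) | (image.data[b * 4 + 3] & 1);
    if ((b & 7) === 7) {
      if (byte === 0) return out;
      out += String.fromCharCode(byte);
      byte = 0;
    }
  }
  return out;  // no terminator found: nothing hidden, or garbage
}

// Scanner heuristic for a creative that is supposed to be opaque: every alpha is 255, so
// every alpha low bit is 1 and the ratio is exactly 1.0. Text bits are roughly half zeros,
// so the ratio drops where a payload is present. Any cut-off below 1.0 is an assumption
// for this example, not a published threshold; images with real transparency need a
// comparison against the original creative instead.
function alphaLsbSetRatio(image) {
  const pixels = image.width * image.height;
  let ones = 0;
  for (let p = 0; p < pixels; p++) ones += image.data[p * 4 + 3] & 1;
  return ones / pixels;
}

// Sanitiser: flattening alpha to 255 destroys the hidden channel without changing what a
// viewer sees in an opaque banner. Re-encoding creatives at the ad network has the same effect.
function flattenAlpha(image) {
  const data = new Uint8ClampedArray(image.data);
  for (let p = 0; p < image.width * image.height; p++) data[p * 4 + 3] = 255;
  return { width: image.width, height: image.height, data };
}

// Demo run with a constructed stand-in for the kit's first-stage script.
const cleanBanner = makeBanner(64, 16);
const stagePayload = 'window.setTimeout(function(){/*stage2*/},0)';
const evilTwin = embedInAlpha(cleanBanner, stagePayload);
console.log('recovered:', extractFromAlpha(evilTwin) === stagePayload);
console.log('alpha LSB ratio clean/evil:', alphaLsbSetRatio(cleanBanner), alphaLsbSetRatio(evilTwin).toFixed(3));
console.log('recovered after flatten:', extractFromAlpha(flattenAlpha(evilTwin)) === stagePayload);
```

The colour bytes are never modified, which is why the clean and malicious twins look the same; the only difference is a scatter of alpha values of 254 among the 255s. That is also why a publisher or ad network that re-encodes every creative, or simply drops the alpha channel on banners that do not need transparency, removes the channel the loader depends on.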
While the Stegano exploit kit targets the usual suspects, Internet Explorer and Adobe Flash Player, experts said the kit has some unusual characteristics.
Allan Liska, senior solutions architect at Recorded Future, the Somerville, Mass. threat intelligence company, said the traffic patterns of the malvertising campaign are as strange as the exploits used.
"It doesn't look like they are targeting specific users. Instead, they have been running campaigns against different countries. So, these are not targeted or watering hole attacks, nor are they mass attacks. The attackers are judicious in picking their victims," Liska told SearchSecurity. "While their infrastructure and delivery systems are sophisticated, it does not appear, based on public reporting, that they are using any zero-day exploits. Instead, they are relying on users having unpatched systems."
Tim Erlin, senior director of IT security and risk strategy at Tripwire, said malvertising ideally should be detected by the ad network, rather than the end user, but end users can protect themselves by keeping software updated.
"As an end user, your best protection is to keep your system and applications up to date and patched. The malicious ads use known vulnerabilities to infect your system, so patching and updates help keep you safe, even if you come across a malicious ad online," Erlin told SearchSecurity. "All malware requires a way to get onto your system, and the most common methods are through known vulnerabilities and phishing."
Darren Spruell, threat researcher at RiskIQ, the San Francisco-based cybersecurity company, said any control that can block script execution from untrusted sites would be effective.