Hanjuan Exploit Kit leveraged in malvertising campaign

Malvertisements redirected users to the Hanjuan Exploit Kit and possibly served them malware.
Malvertisements redirected users to the Hanjuan Exploit Kit and possibly served them malware.

Anyone who visited the New York Daily News website or Metacafe website – as well as several other lesser known sites – within the past couple of weeks could have been infected with malware, according to Malwarebytes.

Researchers identified a malvertising campaign originating from the engage:BDR advertising network, a Tuesday post indicates. In a Wednesday email correspondence, Jerome Segura, senior security researcher with Malwarebytes, told SCMagazine.com that the issue has been resolved.

The malware was being delivered via malvertisements that redirected users to the Hanjuan Exploit Kit, according to the post. Researchers only observed the Hanjuan Exploit Kit taking advantage of a recently patched Adobe Flash Player zero-day vulnerability – CVE-2015-0313.

The threat is a drive-by download attack that happens within seconds and requires no user interaction, meaning no clicking is required to become infected, the post indicates.

“Typically a drive-by download is very quiet, unless it involves Java (you will see the Java icon in the tray) or perhaps crashes the browser,” Segura said. “In the case of Flash, it is completely transparent and unless the malware is obvious (changes the desktop or loads a fake app) the user would be completely unaware of it.”

Segura said that Hanjuan Exploit Kit only targets U.S. residential IP addresses, which means that only legitimate home users residing in America were targeted in the campaign. Given the vulnerability being exploited and the high profile of certain affected websites, he speculated that tens of thousands of victims may have been infected.

Hanjuan Exploit Kit uses numerous techniques to deliver malware to specific victims and go by mostly unnoticed, Segura said.

“First of all, it leverages an ad network to filter out non desirable users and really tailor the malicious [ads] for the target population,” Segura said. “Secondly, it performs very strict checks on the user's IP address to ensure that it has never seen it before, but also that it belongs to a genuine residential ISP.”

Segura added, “The problem for security companies is that very often our IP ranges are already blacklisted by the bad guys and VPNs are not an option either since they are not the target population.”

Because Hanjuan Exploit Kit is stealthy, Malwarebytes has been unable to identify the malware being delivered, the post notes.

Users should be using anti-exploit protection to defend against these types of threats, and should also always be surfing the web using the latest security updates applied to their computers, Segura said. He added that advertising networks need to be thoroughly checking their customers to ensure they are legitimate.

“They also have to spot patterns of malicious activity in close to real-time and block attacks, something that is easier said than done, when the number of impressions for an ad network can be in the millions or even billions per day,” Segura said.

Malwarebytes identified a very similar campaign in February.

UPDATE: Malwarebytes confirmed that the campaign is no longer active – the post has been updated to indicate that engage:BDR terminated the malvertising account on Monday, shortly after being notified.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS