Network Security, Patch/Configuration Management, Vulnerability Management

Latest Flash Exploit being used to create drive-by ransomware attack

A criminal enterprise well known for using malware-laced fake display ads is ramping up its efforts by infecting dozens of popular websites using a recently patched Flash Player exploit to deliver the Angler Exploit Kit in a drive-by style attack.

Malwarebytes Senior Security Researcher Jerome Segura did not name the group involved, but told SCMagazine.com that the increase is worrisome because the combination of the fake display ads and obfuscation techniques are hard to combat. Some of the sites now being used include CBS.com, M.MLB.com and Answers.com. The group is using a recently patched Flash Player exploit (CVE-2016-4117) to deliver CryptXXX ransomware and what is known as the “fingerprinting” technique to sidestep security.

“The ads are typically clean of any malware for anyone trying to manually verify them. The JavaScript code looks benign no matter how many times you refresh the page or rotate IP address. This is because the rogue version of the JavaScript is served conditionally, with the proper referrer, user-agent, sometimes even your screen resolution, and several other parameters,” he said.

The interesting aspect of this particular attack, Segura said, is how the attacker goes about placing the malicious banner ads. The bad guys create a fake ad based on one from a real company; add the malware and then they buy ad space on an unsuspecting site. The malware itself sits between the legitimate website and the exploit kit and is only triggered when a suitable victim comes by.

From a cost/benefits standpoint this makes great financial sense, Segura said, because the ad only costs a few dollars per thousand views and one ransomware attack can net the gang $500.

The “fingerprinting” code checks if a visitor is a real person, a bot or if the individual's computer has software capable of blocking or detecting the attack. The latter visitors are ignored and only the real person is hit, Segura said, this helps limit the malware's exposure and it increases the infection rate.

Segura said it is very difficult for the company buying the ad to spot the malware because it is able to hide in plain sight, but there are a few clues. The fake ad points to a sub-domain that has been created on its site and the SSL is incorrect, however most sites that accept ads do not look at the code and in many cases ad purchasing is done automatically. This could result in an ad being purchased from an unscrupulous agency, one that might have been noticed if a human had been in the loop.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.