Carbon Black researchers have spotted a second Ask Partner Network (APN) compromise in two months, this one using malware signed with the certificate that was issued after the previous incident last year.
The first compromise occurred in November 2016 and allowed malicious software to be signed and distributed as though it were a legitimate Ask software update, according to a March 16 blog post.
In both incidents, attackers breached the APN network in a similar way and hijacked the Ask.com Toolbar update process, redirecting unsuspecting users to a malicious file whose execution installed the malware.
Researchers said the attacks highlight how threat actors are leveraging widely used, general-purpose tools such as toolbars and browser extensions to conduct sophisticated targeted attacks, distribute malicious code, and maintain persistence in enterprises.
The attacks also demonstrate a common risk with potentially unwanted programs (PUPs) such as toolbars and browser extensions: even when a PUP is not itself malicious, it increases an organization's attack surface and exposes systems to additional threats, in this case by adding an auto-update channel that the organization does not control.
Researchers confirmed the latest attack is a continuation of the activity from the previous attack and said it is indicative of a sophisticated adversary, based on its control of a widely used update mechanism to deliver targeted attacks through signed updates containing malicious content.
The goal of the compromise is to drop trojans and other malware onto a victim's device.
To combat these threats, the researchers recommend that users check their environment for APN binaries with the filename apnmcp.exe and examine any files that apnmcp.exe may have written to disk. Users with tooling that can attribute network activity to specific processes are also advised to examine the network activity of apnmcp.exe and its child processes.
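As an added example, not code from the original article, Carbon Black or APN, the following Python hunt carries out the checks above over a constructed, Sysmon-style event sample (Event ID 1 process creation, Event ID 11 file creation, Event ID 3 network connection; the field names, process IDs, paths and addresses are assumptions). It locates apnmcp.exe processes, lists the files they wrote, walks the process tree to find their descendants, reports network connections attributed to that tree, and goes one step beyond the article's checklist by flagging any file apnmcp.exe wrote that was later executed as a child process, which is the pattern a hijacked updater dropping a payload would produce.

```python
"""Hunt for apnmcp.exe activity in process, file-write and network telemetry.

Added example, not Carbon Black's or APN's code. The events below are
constructed to resemble a simplified Sysmon feed; field names are assumptions.
"""
from collections import defaultdict

TARGET = "apnmcp.exe"

# Constructed sample telemetry (not real incident data). PID 4400 is
# apnmcp.exe, 4500 is a child it spawned, 9000 is an unrelated process.
EVENTS = [
    {"id": 1, "pid": 4400, "ppid": 1200,
     "image": r"C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe"},
    {"id": 11, "pid": 4400,
     "target": r"C:\Users\alice\AppData\Local\Temp\update_tmp.exe"},
    {"id": 1, "pid": 4500, "ppid": 4400,
     "image": r"C:\Users\alice\AppData\Local\Temp\update_tmp.exe"},
    {"id": 3, "pid": 4500, "dest": "203.0.113.10", "port": 443},
    {"id": 3, "pid": 4400, "dest": "198.51.100.5", "port": 80},
    {"id": 1, "pid": 9000, "ppid": 1200,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 3, "pid": 9000, "dest": "192.0.2.7", "port": 443},
]


def basename(path):
    """Case-insensitive file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events, target=TARGET):
    """Return the apnmcp.exe PIDs, files they wrote, their process tree,
    network connections from that tree, and dropped files that were executed."""
    children = defaultdict(list)   # ppid -> [pid]
    images = {}                    # pid  -> image path
    for e in events:
        if e["id"] == 1:
            images[e["pid"]] = e["image"]
            children[e["ppid"]].append(e["pid"])

    # Step 1: processes whose image name is apnmcp.exe
    roots = {pid for pid, img in images.items() if basename(img) == target}

    # Step 2: files those processes wrote to disk
    files = [e["target"] for e in events
             if e["id"] == 11 and e["pid"] in roots]

    # Step 3: walk the process tree to collect apnmcp.exe and all descendants
    tree = set()
    stack = list(roots)
    while stack:
        pid = stack.pop()
        if pid in tree:
            continue
        tree.add(pid)
        stack.extend(children.get(pid, []))

    # Step 4: network connections attributed to any process in that tree
    net = [(e["pid"], images.get(e["pid"]), e["dest"], e["port"])
           for e in events if e["id"] == 3 and e["pid"] in tree]

    # Extra check: a file apnmcp.exe wrote that later ran as a child process
    executed = {images[pid].lower() for pid in tree if pid in images}
    dropped_and_executed = [f for f in files if f.lower() in executed]

    return {
        "apnmcp_pids": roots,
        "files_written": files,
        "process_tree": tree,
        "network": net,
        "dropped_and_executed": dropped_and_executed,
    }


if __name__ == "__main__":
    for key, value in hunt(EVENTS).items():
        print(f"{key}: {value}")
```

In a real environment the EVENTS list would be replaced by events pulled from the Sysmon operational log or an EDR export, and the dropped_and_executed list is the first thing to triage: a legitimate updater writing and launching a binary is normal, so the next step is to verify that binary's signature and hash rather than treat its presence alone as proof of compromise.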
SC Media has reached out to APN for comment but has yet to receive a response.