Stegano's banner ads, like this one, contain a malicious script that is secretly embedded within coding parameters that define the transparency of the ad's pixels. Image courtesy of ESET.
Stegano's banner ads, like this one, contain a malicious script that is secretly embedded within coding parameters that define the transparency of the ad's pixels. Image courtesy of ESET.

An exploit kit called Stegano was found infecting select machines via malicious banner ads that, by conservative estimates, were viewed by over a million users in just the last two months.

According to researchers at ESET, who disclosed the campaign on Tuesday in a blog post and Q&A article, the malicious ads were difficult for security researchers to detect in part because the Stegano script was craftily hidden amongst coded parameters that govern the transparency of pixels in the ads. In other words, there were "advertising banners with ‘poisoned pixels' leading to a new exploit kit, intended to enable the bad guys to remotely install malware onto victims' computers,” said Robert Lipovsky, a senior malware researcher at ESET and the subject of the online Q&A. Such malware typically included Gozi (aka Ursnif), a data-stealing spyware program, and Ramnit, a banking trojan.

This particular form of steganography – the practice of hiding code inside images – slightly altered the original ad's appearance, changing its color tone and making it appear more pixilated than a clean version. But the difference was very subtle and not easily noticeable to ordinary users, who did not even have to click on the malicious ads to be victimized.

This not the first time an exploit kit has relied on steganography for reasons of stealth. In July, researchers at Proofpoint reported a malvertising campaign dubbed AdGholas that also used this technique, recruiting as many as one million client machines on a daily basis to infect victims with malware via the Angler and Neutrino exploit kits.

Sherrod DeGrippo, director of emerging threats for Proofpoint, told SC Media via email today that “the campaign described in ESET's post is the work of the same actor group we named AdGholas,” and that the Stegano exploit kit is a newly enhanced form of the Astrum exploit kit, which was discovered in 2014. According to Proofpoint, the new campaign began on Sept. 22 and stopped on Dec. 6 after it was publicly exposed. The previous AdGholas campaign was halted on July 20 after the Proofpoint researchers brought the scheme to light.

Compared to past efforts involving Angler and Neutrino, Stegano was even more successful in sneaking its malicious banners onto credible websites, according to ESET, which reported finding major domains – including popular news websites visited by millions of people on a daily basis – hosting these booby-trapped advertisements. A separate report issued on Tuesday by Malwarebytes revealed that Yahoo and MSN were among the sites impacted, although the attackers were careful to avoid infecting users located in the U.S.

During the campaign, the advertisements were either promoting a privacy software product called “Browser Defence” or an image-capturing software named “Broxu.” Not everyone who saw these ads were infected, however. Similar to the AdGholas campaign, the Stegano exploit kit would pick and choose its victims carefully. In this case, those who didn't fit the ideal profile for infection were simply served a clean ad.

“…The malicious version of the ad is served only to a specific target group, selected by the attackers' server. The decision-making logic behind the choice of target is unknown and this helps the bad guys to go further in dodging suspicion on the advertising platforms' side,” said Lipovsky. 

Stegano is designed to further refine its list of victims by using an Internet Explorer vulnerability (CVE-2016-0162) to verify that it is not running in a sandbox or virtualized environment – the kind a security researcher might set up in order to monitor and analyze a malware infection.

If Stegano determines it is not under surveillance, it then creates a tiny, one-pixel iframe – off-screen so that it's not visible – and redirects the user to its landing page via said iframe. Next, the landing page loads a file capable of exploiting three different Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), choosing the one that corresponds to the version of Flash found on the victim's system.

An infected machine is exposed to one additional security check – this time looking for security products that could expose the attack – before the final payload is downloaded from the attacker's server in the guise of a GIF image.

UPDATE 12/8: The story was updated to include information conveyed by a Malwarebytes report, include names of two of the news sites affected by the Stegano campaign. The story also was updated to reflect Proofpoint's assertion that the campaign began on Sept. 22 and ended on Dec. 6.