Posted on August 1, 2019 at 11:48 AM

Two New Malware Campaigns Terrorizing the Internet

According to security researchers, two new malvertising campaigns have emerged recently, and have stolen the spotlight by abusing the convoluted underpinnings of the online economy in order to find victims. The first of the two is an exploit kit campaign of major proportions that can bypass ad-blockers, while the other is known for targeting Mac users via web redirections.

Cisco Talos claims that a RIG exploit kit campaign can spread with an infected toolbar that gets downloaded during software installations. As for the other one, it simply redirects Safari browsers used by Mac users to a domain that delivers malware-infected Flash Player installer.

Researchers say that online advertising, as complex and convoluted as it is, acts as a perfect medium for malicious attacks such as this. In their announcement posted this Wednesday, researchers stress that it is important for the public not to ignore the threat, as anyone can get malicious ads delivered out of nowhere.

Malware campaign #1: RIG EK

The first malware campaign which uses RIG EK (Exploit Kit) has been targeting those looking for security software on the internet. According to the researchers, a simple web search can deliver all kinds of different results. Some are legitimate but expensive. Others are free, but only quasi-legitimate, and often come with more than what the user had wanted.

One such site is USB Guardian, which claims to prevent your device from being infected by a worm and scans USBs. In reality, however, downloading USB Guardian also downloads a toolbar called ‘Best Security Tips,’ which is infected with malware. The toolbar then sends a series of web requests, as soon as it is installed, and the first one is going to the ad network known as Daily Ads.

It does not stop there, however. It changes the browser homepage, as well as the default search engine, which lets the hackers change search results and promote click fraud, excessive advertising, and more. All of this could lead to full malware infection while allowing hackers to efficiently push content onto end systems.

Sooner or later, a request is also sent to ‘ww7.dailyads[.]org’  which then sends X-Adblock-Key. This is an API key that allows ads to bypass most of the popular ad blockers. Most of the time, ad blockers prevent malicious ads from showing, which is why they are especially troublesome to hackers. Now, the presence of the key implies that one or more of the major ad blockers are not protecting their users as well as they used to.

The hackers’ effort has already hit a number of websites in different verticals. This includes everything from news, music, pop-culture, design, racing, and more. According to Talos, malicious ads can be found even among the 5,000 most popular websites on the internet.

Malvertising itself is rather popular among attackers, as it provides them with a massive victim pool. No other avenue offers such a great number of potential victims. For example, if attackers compromised a website, they could only ever infect those who visit the said website. With malvertising, they can infect victims all across the internet with little effort.

Talos even confirmed that some of the top 100 sites on Alexa were indirectly linked to the malvertising campaign, which can lead to millions upon millions of potential victims

Malware campaign #2: Domain-Parking

Then, there is the second campaign, which was spotted earlier this year, in June. Basically, Talos researchers discovered a website that is redirecting Safari browsers to a malicious domain. The domain delivers Flash Player installer, which is, of course, infected with malware. The campaign itself was enabled by a common service known as ‘domain parking.’

Simply put, this means that there is no need for domainers to wait for users to click on ads to generate revenue. Instead, they take benign traffic that would usually return an error, and they redirect it into their ad network. This method is called zero-click traffic, and it is sold in traffic marketplaces.

Now, this parking service allows users to choose a specific domain category to affect bidding, the browser, geolocation, OS, and more. Even age and demographics could be used to specify who can see the ad.

During the investigation, researchers uncovered that the original domain was hosted with a parking service in Lithuania. The initial domain was found to be associated with numerous malware threats. In fact, almost 700 of the malware associated with the host can be found within the Cisco Threat Grid — all of which have a threat score of 95 or more.

In other words, it is more than likely that the Safari browser will be redirected to the domain with malicious Flash Player installer, and if the user tries downloading it, their system would be infected by a malware known as Shlayer.