Published on August 1st, 2019
Two New Malware Campaigns Terrorizing the Internet
According to security researchers, two new malvertising campaigns have emerged recently, and have stolen the spotlight by abusing the convoluted underpinnings of the online economy in order to find victims. The first of the two is an exploit kit campaign of major proportions that can bypass ad-blockers, while the other is known for targeting Mac users via web redirections.
Cisco Talos claims that a RIG exploit kit campaign can spread with an infected toolbar that gets downloaded during software installations. As for the other one, it simply redirects Safari browsers used by Mac users to a domain that delivers malware-infected Flash
Researchers say that online advertising, as complex and convoluted as it is, acts as a perfect medium for malicious attacks such as these. In their announcement posted this Wednesday, researchers stress that it is important for the public not to ignore the threat, as anyone can get malicious ads delivered out of nowhere.
Malware campaign #1: RIG EK
The first malware campaign, which uses RIG EK (Exploit Kit), has been targeting those looking for security software on the internet. According to the researchers, a simple web search can deliver all kinds of different results. Some are legitimate but expensive. Others are free, but only quasi-legitimate, and often come with more than the user wanted.
One such site is USB Guardian, which claims to scan USB drives and prevent your device from being infected by a worm. In reality, however, downloading USB Guardian also downloads a toolbar called ‘Best Security Tips,’ which is infected with malware. As soon as it is installed, the toolbar sends a series of web requests, the first of which goes to the ad network known as Daily Ads.
It does not stop there, however. It changes the browser homepage, as well as the default search engine, which lets the hackers change search results and promote click fraud, excessive advertising, and more. All of this could lead to full malware infection while allowing hackers to efficiently push content onto end systems.
Sooner or later, a request is also sent to ‘ww7.dailyads[.]org’, which then sends an X-Adblock-Key. This is an API key that allows ads to bypass most of the popular ad blockers. Most of the time, ad blockers prevent malicious ads from showing, which is why they are especially troublesome to hackers. The presence of the key implies that one or more of the major ad blockers are not protecting their users as well as they used to.
The hackers’ effort has already hit a number of websites in different verticals, including news, music, pop-culture, design and racing sites, among others. According to Talos, malicious ads can be found even among the 5,000 most popular websites on the internet.
Malvertising itself is rather popular among attackers, as it provides them with a massive victim pool. No other avenue offers such a great number of potential victims. For example, if attackers compromised a website, they could only ever infect those who visit that website. With malvertising, they can infect victims all across the internet with little
Talos even confirmed that some of the top 100 sites on Alexa were indirectly linked to the malvertising campaign, which can lead to millions upon millions of potential victims.
Malware campaign #2:
Then there is the second campaign, which was spotted earlier this year, in June. Basically, Talos researchers discovered a website that redirects Safari browsers to a malicious domain. The domain delivers a Flash Player installer, which is, of course, infected with malware. The campaign itself was enabled by a common service known as ‘domain parking.’
Simply put, this means that there is no need for domainers to wait for users to click on ads to generate revenue. Instead, they take benign traffic that would usually return an error, and they redirect it into their ad network. This method is called zero-click traffic, and it is sold in traffic marketplaces.
Now, this parking service allows users to choose a specific domain category to affect bidding, the browser, geolocation, OS, and more. Even age and demographics could be used to specify who can see
During the investigation, researchers uncovered that the original domain was hosted with a parking service in Lithuania. The host was associated with around 95% of the Cisco Threat Grid’s 700 malware samples. It also hosted hundreds of domains,
In other words, it is more than likely that the Safari browser will be redirected to the domain with the malicious Flash Player installer, and if the user tries downloading it, their system would be infected by a malware known as Shlayer.
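Two of the signals described above, the X-Adblock-Key response header on ad traffic and a parked domain that redirects one browser family to an installer download, can be checked for in egress proxy logs. The script below is an added example, not code from Cisco Talos or from this article; the record format, field names and sample log entries are constructed for illustration.

```python
"""Flag two malvertising signals from the article over proxy log records.

Added example: the record layout, field names and sample entries below are
constructed, not taken from the campaigns described in the article.
"""
from collections import defaultdict

# Constructed proxy records: one dict per HTTP response seen by an egress proxy.
SAMPLE_LOG = [
    {"host": "ww7.dailyads.example", "status": 200,
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/75",
     "headers": {"X-Adblock-Key": "constructed-key-value", "Content-Type": "text/javascript"}},
    {"host": "cdn.news-site.example", "status": 200,
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/75",
     "headers": {"Content-Type": "text/html"}},
    {"host": "parked-domain.example", "status": 302,
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) Safari/605.1",
     "headers": {"Location": "http://update-flash.example/FlashPlayer.dmg"}},
    {"host": "parked-domain.example", "status": 200,
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/75",
     "headers": {"Content-Type": "text/html"}},
]

# Installer extensions worth flagging when they appear as a redirect target.
INSTALLER_SUFFIXES = (".dmg", ".pkg", ".exe", ".msi")


def find_adblock_key_hosts(records):
    """Hosts that serve an X-Adblock-Key header, the key that lets ads through
    allow-list-based blockers; such ad traffic deserves a closer look."""
    return sorted({r["host"] for r in records
                   if any(h.lower() == "x-adblock-key" for h in r["headers"])})


def find_ua_conditional_redirects(records):
    """Hosts that redirect some clients to an installer download while answering
    other user agents normally: the parked-domain pattern from the article."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    hits = []
    for host, rs in by_host.items():
        redirects = [r for r in rs if 300 <= r["status"] < 400
                     and r["headers"].get("Location", "").lower().endswith(INSTALLER_SUFFIXES)]
        plain = [r for r in rs if r["status"] == 200]
        # Flag only when the outcome depends on the client: same host, different
        # user agents, one gets an installer redirect and the other a normal page.
        if redirects and plain and {r["ua"] for r in redirects} != {r["ua"] for r in plain}:
            hits.append((host, redirects[0]["headers"]["Location"]))
    return sorted(hits)
```

Against the constructed records, the first function returns the ad host that served the key and the second returns the parked domain together with the installer URL it redirected the Safari client to.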