HTTPS redirects make analysis more difficult

Jan 7, 2015 09:04 GMT  ·  By

A new malvertising campaign deployed at the end of 2014 relies on the advertising network of AOL to deliver malware to visitors of various websites, two of them owned by Huffington Post.

The malicious activity was first noticed on the Canadian version of Huffington Post on December 31, 2014, but on January 3, 2015, the same type of activity was observed on huffingtonpost.com.

Security researchers from Cyphort traced the infections to a malicious ad served on those websites through AOL's ad network.

Multiple websites affected

After a series of redirects through multiple locations, the trail ended at a landing page serving an exploit kit that included a Flash exploit and a VB script. The attack ended with the download of a variant of the Kovter Trojan.

The two Huffington Post websites were not the only ones affected by the malvertising campaign; LA Weekly, Houston Press, Soap Central and Weather Bug were also among those serving the rogue advertisement.

The operators of the campaign appear to use both HTTP and HTTPS redirects to hide the servers involved in the attack, which makes analysis more difficult: an HTTPS hop conceals the full URL and its parameters from anyone watching the traffic, and browsers omit the Referer header when moving from an HTTPS page to an HTTP one, so the redirect chain is harder to reconstruct from proxy logs or packet captures.

Nick Bilogorskiy of Cyphort says that the group behind the campaign has access to multiple Polish domains, either registered by the attackers themselves or belonging to compromised legitimate sites.

The investigation revealed that the advertising.com and adtech.de ad networks, both owned by AOL, were used by the perpetrators to distribute the malicious ad.
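To make the redirect-chain problem concrete, here is an added example (not Cyphort's or AOL's code) that reconstructs one visitor's path from proxy log lines. The log format is an invented, simplified one (timestamp, client, method, URL, status, Referer), the client IPs and the .pl hostnames are constructed for illustration and are not real campaign infrastructure, and the ad-network domains are only those the article names. The CONNECT line stands in for an HTTPS hop, where a proxy sees just host:port and the following request carries no Referer, so that link can only be inferred from timing.

```python
"""Reconstruct a malvertising redirect chain from constructed proxy log lines.

Added example, not code from the campaign, Cyphort, or AOL. The log format
(timestamp client method url status referer) is invented; the .pl hostnames
and client IPs are constructed samples, not real indicators.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: one client's requests while an ad slot loads.
# The CONNECT line models an HTTPS hop: only host:port is visible to a proxy,
# and the next request has no Referer (browsers drop it on https -> http).
SAMPLE_LOG = """\
2015-01-03T14:02:11Z 10.0.0.5 GET http://www.huffingtonpost.com/ 200 -
2015-01-03T14:02:12Z 10.0.0.5 GET http://ads.adtech.de/adserv?x=1 302 http://www.huffingtonpost.com/
2015-01-03T14:02:12Z 10.0.0.5 GET http://r.advertising.com/click?u=9 302 http://ads.adtech.de/adserv?x=1
2015-01-03T14:02:13Z 10.0.0.5 CONNECT redir-example.pl:443 200 -
2015-01-03T14:02:14Z 10.0.0.5 GET http://land-example.pl/index.php?k=3 200 -
2015-01-03T14:02:15Z 10.0.0.9 GET http://www.huffingtonpost.com/ 200 -
"""

AD_NETWORK_DOMAINS = ("advertising.com", "adtech.de")  # the AOL networks named in the article


@dataclass
class Hop:
    time: str
    host: str
    url: str       # full URL, or "" when only the TLS host was visible
    referer: str   # "" when absent
    https: bool

    @property
    def visibility(self):
        return "host-only (TLS)" if self.https else "full URL"


def _host_of(target):
    """Hostname from either a full URL or a CONNECT host:port target."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]


def parse_log(text):
    """Parse the simplified log into (client, Hop) pairs."""
    hops = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, target, _status, referer = line.split(maxsplit=5)
        hops.append((client, Hop(
            time=ts,
            host=_host_of(target),
            url="" if method == "CONNECT" else target,
            referer="" if referer == "-" else referer,
            https=(method == "CONNECT"),
        )))
    return hops


def reconstruct_chain(text, client):
    """Order one client's hops in time and link each to its predecessor.

    The link is "referer" when the Referer matches the previous URL,
    "https-gap" when the previous hop was a TLS CONNECT (no Referer survives
    the downgrade, so the link rests on timing alone), else "timing".
    """
    hops = sorted((h for c, h in parse_log(text) if c == client), key=lambda h: h.time)
    chain, prev = [], None
    for hop in hops:
        if prev is None:
            link = "start"
        elif hop.referer and hop.referer == prev.url:
            link = "referer"
        elif prev.https:
            link = "https-gap"
        else:
            link = "timing"
        chain.append((hop, link))
        prev = hop
    return chain


def flag_hosts(chain):
    """Tag hops matching the article's indicators: AOL ad-network hops and .pl domains."""
    flags = []
    for hop, _ in chain:
        if any(hop.host == d or hop.host.endswith("." + d) for d in AD_NETWORK_DOMAINS):
            flags.append((hop.host, "ad-network hop"))
        elif hop.host.endswith(".pl"):
            flags.append((hop.host, "Polish domain"))
    return flags


if __name__ == "__main__":
    chain = reconstruct_chain(SAMPLE_LOG, "10.0.0.5")
    for hop, link in chain:
        print(f"{hop.time} {link:10} {hop.host:26} [{hop.visibility}]")
    print(flag_hosts(chain))
```

The point of the output is the fourth and fifth hops: the HTTPS redirector contributes no URL, and the landing page that follows carries no Referer, so the only evidence tying them to the ad-network hops is the ordering and timing for that client. Anything in between (further HTTPS redirects, or a second client IP in a NAT pool) widens that gap.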

Vulnerability affecting IE 6 through 10 leveraged

AOL has been informed of the situation and its security team has started looking into the matter. At the time of writing, the attack has been stopped.

Cyphort researchers believe that the exploit kit used by the cybercriminals is Neutrino, although they noticed similarities to Sweet Orange.

According to them, the infection begins with JavaScript that decrypts an HTML file and a VB script. The decrypted HTML, loaded into an iframe, exploits an older Internet Explorer vulnerability (CVE-2013-2551) affecting IE 6 through 10, while the VB script downloads the Kovter Trojan by exploiting a Windows OLE flaw (CVE-2014-6332) that affects unpatched versions of Windows starting with Server 2003.

Slipping bad ads into a network's legitimate ad stream is not a new technique, but cybercriminals keep developing new tricks to evade the networks' screening and reach their targets.

Such tricks include arming the campaign only after a delay, so that an ad that passed review turns malicious later, and serving the exploit only to visitors who meet certain conditions, such as a particular geographic location or a specific web browser.
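The gating described above is what makes a sandbox replay come back clean. The following added example (my own illustration, not the campaign's server code) models that gating and shows an analyst-side probe that replays several visitor profiles against it. The article names the browser condition (IE 6 through 10) but not the countries or the delay, so the target countries and the 48-hour arming delay are assumptions chosen only to make the model run.

```python
"""Model of delay- and profile-gated exploit delivery, with an analyst-side probe.

Added example; not the campaign's code. Browser targeting (IE 6-10) follows the
article; TARGET_COUNTRIES and ARMING_DELAY are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

TARGET_COUNTRIES = {"US", "CA"}        # assumption: article gives no countries
TARGET_IE_VERSIONS = range(6, 11)      # IE 6 through 10, per the article
ARMING_DELAY = timedelta(hours=48)     # assumption: article gives no figure


def ie_version(user_agent):
    """IE major version from a User-Agent string, or None for other browsers.

    IE 6-10 carry an 'MSIE n.0' token; IE 11 drops it and identifies itself
    with 'Trident/7.0; rv:11.0', so both forms are handled.
    """
    m = re.search(r"MSIE (\d+)\.", user_agent)
    if m:
        return int(m.group(1))
    m = re.search(r"Trident/[\d.]+;.*?rv:(\d+)\.", user_agent)
    return int(m.group(1)) if m else None


def decide(country, user_agent, now, campaign_start):
    """Return ("exploit" | "decoy", reason) for one visitor under the modelled policy."""
    if now - campaign_start < ARMING_DELAY:
        return "decoy", "campaign not yet armed"
    if country not in TARGET_COUNTRIES:
        return "decoy", "geo mismatch"
    version = ie_version(user_agent)
    if version not in TARGET_IE_VERSIONS:
        return "decoy", "browser mismatch"
    return "exploit", f"IE {version} from {country}"


def probe(profiles, now, campaign_start):
    """Analyst side: replay each (country, User-Agent) profile and record the verdict."""
    return {name: decide(country, ua, now, campaign_start)
            for name, (country, ua) in profiles.items()}


# Constructed visitor profiles used for the replay.
PROFILES = {
    "sandbox-chrome-de": ("DE", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/39.0 Safari/537.36"),
    "ie8-us": ("US", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    "ie11-us": ("US", "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"),
    "ie9-ca": ("CA", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"),
}

CAMPAIGN_START = datetime(2014, 12, 29, 12, 0)   # constructed timestamp

if __name__ == "__main__":
    for when in (CAMPAIGN_START + timedelta(hours=6), CAMPAIGN_START + timedelta(days=3)):
        print(f"--- probe at {when.isoformat()} ---")
        for name, (verdict, reason) in probe(PROFILES, when, CAMPAIGN_START).items():
            print(f"{name:20} {verdict:8} {reason}")
```

Two things the run makes visible: a review pass within the arming window sees only the decoy regardless of profile, and after arming only the profiles that match both the geo and the IE 6 to 10 condition receive the exploit. An analyst replaying a suspect ad therefore needs to vary the source country and the User-Agent, and to retry after the ad has been live for a while, before concluding it is clean.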