Security researchers find ads that lead to RIG exploit kit delivery page

Jun 27, 2014 08:19 GMT

Malicious redirection scripts have been found in the Flash advertisements of a rogue ad network, which is presumably controlled by a Russian group.

As advertisements become more targeted, an increased number of users tend to click on them to check out the offer. This attack vector has not been overlooked by cybercriminals who started poisoning the ads to point the user to a malware-delivering website.

Security researchers at Malwarebytes say that the advertisements have been distributed on 123greetings.com and on a website providing adult content.

By running this sort of scheme, it looks like the crooks benefit from a double stream of revenue, because they receive a commission for each user who clicks on the advertisement and get to rip off the owners of the infected computers.

Senior security researcher Jerome Segura took apart one such advertisement built with Adobe Flash and discovered that its code contained lines redirecting an unsuspecting user to a harmful location.

The website serves an exploit kit known as RIG, which takes advantage of vulnerabilities in Flash (CVE-2014-0497, CVE-2013-0634) and Silverlight (CVE-2013-0074, CVE-2013-3896).

The researcher says that the cybercriminals resorted to several methods to hide the malicious activity. First of all, the SWF file itself only redirects to a safe location and contains neither an exploit nor any malicious URL. Next, the code checks that it is not running under a debugger that could be used to analyze it.

Another measure to avoid all suspicion is that the redirection occurs only once for each IP address; this makes reproducing the redirect more difficult.
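The once-per-IP behaviour described above is itself a detectable pattern on the defender's side. The following added example (not code from Malwarebytes or the article) scans a constructed proxy log for hosts that clients are sent to exactly once, shortly after fetching an SWF ad from the same ad host; the log format, host names and time window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log (not real traffic): timestamp client_ip method url status location
SAMPLE_LOG = """\
2014-06-26T10:00:01 10.0.0.5 GET http://ads.example-net.test/banner.swf 200 -
2014-06-26T10:00:03 10.0.0.5 GET http://ads.example-net.test/r?x=1 302 http://landing.example-ek.test/index.php
2014-06-26T10:00:04 10.0.0.5 GET http://landing.example-ek.test/index.php 200 -
2014-06-26T10:05:01 10.0.0.5 GET http://ads.example-net.test/banner.swf 200 -
2014-06-26T10:05:03 10.0.0.5 GET http://ads.example-net.test/r?x=1 302 http://www.safe-example.test/
2014-06-26T11:00:01 10.0.0.9 GET http://ads.example-net.test/banner.swf 200 -
2014-06-26T11:00:02 10.0.0.9 GET http://ads.example-net.test/r?x=1 302 http://landing.example-ek.test/index.php
"""


def parse(log_text):
    """Split each log line into (time, client_ip, url, status, location)."""
    rows = []
    for line in log_text.splitlines():
        ts, ip, _method, url, status, location = line.split()
        rows.append((datetime.fromisoformat(ts), ip, url, int(status), location))
    return rows


def one_shot_redirect_targets(log_text, window=timedelta(seconds=30), min_clients=2):
    """Return redirect target hosts that every client reached exactly once,
    right after that client fetched an .swf from the redirecting ad host."""
    last_swf = {}  # (client_ip, ad_host) -> time of the most recent .swf fetch
    hits = defaultdict(lambda: defaultdict(int))  # target_host -> client_ip -> count
    for ts, ip, url, status, location in parse(log_text):
        parsed = urlparse(url)
        if parsed.path.endswith(".swf") and status == 200:
            last_swf[(ip, parsed.netloc)] = ts  # remember the ad load for this client
            continue
        if status in (301, 302, 303, 307) and location != "-":
            t0 = last_swf.get((ip, parsed.netloc))
            if t0 is not None and ts - t0 <= window:  # redirect follows the SWF fetch
                hits[urlparse(location).netloc][ip] += 1
    flagged = []
    for target, per_ip in hits.items():
        # Several distinct clients, each sent there only once: the once-per-IP fingerprint
        if len(per_ip) >= min_clients and all(n == 1 for n in per_ip.values()):
            flagged.append(target)
    return sorted(flagged)


if __name__ == "__main__":
    print(one_shot_redirect_targets(SAMPLE_LOG))  # ['landing.example-ek.test']
```

The safe redirect host is not flagged because only one client was sent there; raise `min_clients` on a busy proxy to cut noise.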

The landing page with the RIG exploit kit seems to be hosted in the CloudFlare network and it is very likely to be shut down in order to stop further criminal activity.

As for the malware downloaded by leveraging the Flash and Silverlight vulnerabilities, Malwarebytes detects it as Trojan.Agent.ED, which could be some sort of ransomware or banking Trojan.

“This particular ad may have been placed on a number of websites, big and small and leading to several thousand infections,” said Segura.

This is not Malwarebytes' first encounter with this malvertising network, and the general recommendation is to block ads with software such as NoScript, a simple browser extension that can disable Flash on the visited pages.

Jerome Segura says that the use of Flash and Silverlight flaws has increased lately, and that this type of scheme is sometimes preferred over exploits for Java.