Attackers were using multi-stage malware assembly techniques to deliver their malware past antivirus engines

Oct 25, 2015 10:21 GMT

For the past week, German users visiting certain websites have been facing a barrage of malicious ads that have been leading them to Web pages infected with various types of rootkits, banking trojans, and clickfraud bots.

The campaign was observed by two security vendors, Invincea and Malwarebytes, and affected websites like T-Online.de, eBay.de, Deutschewelle.pw, Deutschlandauto.xyz, Arcor.de, Swp.de, fischkopf.de, and donaukurier.de.

Malwarebytes named this malvertising campaign "Kampagen," the German word for "campaign."

T-Online was the biggest website that displayed the malicious ads

According to Invincea, in some instances of the campaign, more specifically on T-Online.de, the website of Germany's biggest ISP, the attackers were dropping the Tinba rootkit and banking trojan along with the Bedep clickfraud bot.

Tinba was used to spy on user activities, capturing details about banking and financial operations, while Bedep helped attackers raise their profits by taking over mouse actions and clicking on specific ads inside an invisible browser.

As Invincea is reporting, the attackers involved in this campaign managed to evade detection by various antivirus engines by using a novel malware assembly technique called just-in-time (JIT) malware assembly.

Multi-stage malware assembly is becoming more popular with hackers

The technique was previously analyzed and described by both Invincea and ESET security researchers. As Invincea security experts report, the Tinba banking trojan was assembled on the victim's machine in multiple stages using various Windows scripting utilities, so that no single downloaded component looked malicious to regular antivirus engine scans.

In the cases Malwarebytes is reporting on, the attackers used the Angler and the Neutrino exploit kits to infect their victims.

MP New Media, the advertising network whose infrastructure was used to launch the attack, was notified and eventually removed the malicious ads.

Putting together the estimated total monthly visitors to each site, around 220 million users were exposed to the Kampagen malvertising campaign.

T-online.de malicious ad leading to Tinba banking trojan