Malvertising Campaign Targets Adult Websites to Distribute Ramnit Worm
A new malvertising campaign has been discovered using popular adult websites (each with several million visits per month) to target primarily Canadian and UK visitors. Through pop-under ads, victims were ultimately redirected to the RIG exploit kit, which attempted to drop Ramnit.
Malwarebytes lead malware intelligence analyst Jerome Segura reports that a campaign using the ExoClick ad network sought to infect victims with the Ramnit information-stealing worm.
An earlier Ramnit botnet was dismantled in a joint operation involving security firms and European police agencies in February 2015, but the malware returned before the end of the year. This was followed by a quiet period until a new version, possibly with a new master, emerged in the summer of 2016.
The danger with malvertising is that it is invisible to the visitor and works from trusted sites. One way to mitigate this threat is an ad blocker, which prevents all third-party ads, both benign and malicious, from being loaded. Publishers, however, are increasingly detecting such software and withholding their content from visitors who use it. This is, strictly speaking, illegal within the European Union, but it still happens.
A second defense is to rely on an up-to-date mainstream anti-virus product and hope that it detects the malvertising payload. Segura recommends both. “Ad-blockers are quite effective as a first line of defense to stop malvertising in general,” he told SecurityWeek, “while security products will mitigate exploits and malware payload. One solution should not replace the other and they actually complement each other nicely.”
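To make the ad-blocker defense described above concrete, here is an added example (not code from the article, from Malwarebytes, or from any ad-blocking project) of the decision such tools make for every sub-request a page issues: is the request third-party relative to the page, and does it match a block rule? The rule syntax is a small subset of the EasyList/Adblock Plus format (`||host^`, optionally with `$third-party`); every hostname in the rule list and in the sample requests is a constructed placeholder, and the registrable-domain check is a deliberate simplification (real blockers consult the Public Suffix List).

```javascript
// Added example: the request-level decision at the heart of an ad blocker.
// Rule syntax is a subset of the EasyList/Adblock Plus format:
//   ||host^              block requests to host and its subdomains
//   ||host^$third-party  ...but only when the request is third-party to the page
// All hostnames below are constructed placeholders, not from the article.

const BLOCK_RULES = [
  '||ads.example-adnetwork.test^',          // ad-serving host: block everywhere
  '||popunder.example.test^$third-party',   // pop-under script: block only when embedded on other sites
];

// Naive registrable-domain (eTLD+1) approximation: the last two labels.
// Assumption for this example; production blockers use the Public Suffix List,
// without which hosts such as "example.co.uk" are misclassified.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// A request is third-party when its registrable domain differs from the page's.
function isThirdParty(pageUrl, requestUrl) {
  return registrableDomain(new URL(pageUrl).hostname) !==
         registrableDomain(new URL(requestUrl).hostname);
}

// Parse "||host^[$option,...]" into a rule object. Unsupported syntax is rejected
// rather than silently ignored, so a typo in the list cannot become a no-op rule.
function parseRule(rule) {
  const [pattern, optionStr] = rule.split('$');
  if (!pattern.startsWith('||') || !pattern.endsWith('^')) {
    throw new Error(`unsupported rule syntax: ${rule}`);
  }
  const options = optionStr ? optionStr.split(',') : [];
  return {
    host: pattern.slice(2, -1).toLowerCase(),
    thirdPartyOnly: options.includes('third-party'),
  };
}

// "||host^" matches the host itself and any subdomain of it.
function hostMatches(requestHost, ruleHost) {
  return requestHost === ruleHost || requestHost.endsWith('.' + ruleHost);
}

// Decide one request; the matching rule is returned so a blocker can log why.
function shouldBlock(pageUrl, requestUrl, rules = BLOCK_RULES) {
  const requestHost = new URL(requestUrl).hostname.toLowerCase();
  const thirdParty = isThirdParty(pageUrl, requestUrl);
  for (const raw of rules) {
    const rule = parseRule(raw);
    if (!hostMatches(requestHost, rule.host)) continue;
    if (rule.thirdPartyOnly && !thirdParty) continue;
    return { block: true, rule: raw, thirdParty };
  }
  return { block: false, rule: null, thirdParty };
}

// Evaluate every sub-request a page makes and return the decisions.
function reviewPageRequests(pageUrl, requestUrls, rules = BLOCK_RULES) {
  return requestUrls.map((url) => ({ url, ...shouldBlock(pageUrl, url, rules) }));
}

// Constructed sample: a publisher page loading its own asset plus two ad-network resources.
const SAMPLE_PAGE = 'https://www.publisher.test/videos/123';
const SAMPLE_REQUESTS = [
  'https://static.publisher.test/player.js',              // first-party, allowed
  'https://cdn.ads.example-adnetwork.test/creative.js',   // ad network, blocked
  'https://popunder.example.test/open.js',                // third-party pop-under script, blocked
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const d of reviewPageRequests(SAMPLE_PAGE, SAMPLE_REQUESTS)) {
    console.log(`${d.block ? 'BLOCK' : 'allow'}  ${d.url}${d.rule ? `  (${d.rule})` : ''}`);
  }
}
```

Running `reviewPageRequests` over the constructed request list shows why this defense is coarse in exactly the way the article describes: a rule on the ad network's host blocks every creative served through it, benign or malicious, because the blocker cannot tell them apart, while first-party assets are left alone. The `$third-party` option is what lets a list block a script when it is embedded on other sites without breaking the site that legitimately hosts it.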
“Beyond the Internet of Things, which is a whole different category that’s scary in itself, the more generic threats we see on PCs, laptops, and on phones are all still on the radar,” Webroot Senior Threat Research Analyst Tyler Moffitt said. “In tandem with those I would list phishing and exploit kits together, since they’re making advancements, as well.”
Because malvertising may be unfamiliar to many IT professionals, Moffitt first provides a brief description of how malvertising operates: “Essentially, cyber criminals submit booby-trapped advertisements to ad networks for their real-time bidding processes. And these ad networks that supply the ads … you might not know it, but it’s not done by a human. It’s all done by an algorithm.”
Exploiting this lack of human oversight, the cyber criminals begin by lulling the ad networks into a false sense of security. According to Moffitt, “These guys submit authentic ads for a couple weeks, so they get a decent reputation that will last for a little while. Then they submit the booby-trapped ads. These malicious ads rotate with normal ads on legitimate, highly reputable sites. After that, victims don’t have to do anything but click on the ad.”
Moffitt concludes, “The exploit landing page is typically so well implemented—attacking Flash Player, Java, Word and Silverlight vulnerabilities—that it’s able to download the DLL and unload its instructions into the memory of the browser, whether it’s Internet Explorer, Firefox or Chrome. That open process, active process, is actually being used to perform the encryption on you. It’s definitely scary and something to watch out for.”