Nmedia - Fotolia

How does the Stegano exploit kit use malvertising to spread?

A malvertising campaign by the AdGholas group has been found spreading the Stegano exploit kit. Expert Nick Lewis explains how web advertisements are used in this attack.

The Stegano exploit kit, previously known as Astrum, is being spread through a malvertising campaign. ESET researchers say that they have seen many major domains, including news websites that see daily traffic in the millions, hosting these malicious graphics. How does Stegano use web advertisements to its advantage? How can users spot malvertising on the websites they visit?

This should go without saying, but using a web browser on the internet continues to be a leading cause of malware infections. When someone installs Flash on their computer, things often only get worse.

Attackers continue to exploit pervasive vulnerabilities to achieve their goals. It's unrealistic to tell everyone to give up and live in the woods, so people and enterprises will continue to be victimized by malware.

ESET researchers have observed a new attack where third-party ads are used to distribute the Stegano exploit kit. This malvertising campaign has been attributed to the AdGholas group.

The Stegano malware uses Internet Explorer and Flash Player vulnerabilities to compromise the security of the endpoint. The malware calls up a JavaScript function that checks the configuration settings on the endpoint to see if it is monitoring for malware, in which case the legitimate webpage is displayed to avoid detection. If not, the malicious version of the webpage containing a Flash file with encrypted exploits will be loaded on the browser. The malware uses steganography to hide and eventually decode JavaScript from a 1x1 GIF image used in a banner ad.

The malware continuously checks if debuggers, network sniffers or other security tools are running and, if so, the malware terminates to prevent further analysis. Once the exploits run, additional malware is downloaded to take complete control of the system.

As ESET points out, the malicious ad that delivers the Stegano exploit kit doesn't appear to be significantly different from a legitimate ad. Since a regular person probably won't compare the two, it is unlikely they will notice any difference. It may not even be possible to spot malicious ads based on just visual inspection, so standard security awareness guidance may not be that helpful.

There are some basic steps enterprises and individuals can take to protect themselves from malvertising. ESET recommends keeping endpoints updated and installing an endpoint security tool.

Organizations with websites providing third-party ad services or that include third-party ads should secure them against malvertising by vetting the identity of the person requesting the ads, checking the ads for malware before posting, converting images into a common format to strip out potentially malicious content and setting up an automated system to periodically check the website for malware by downloading the webpages from a potentially vulnerable system. 

Next Steps

Learn how to manage vulnerable software at risk for being targeted by exploit kits

Find out how CryptXXX ransomware spreads through legitimate websites

Discover how malicious TIFF images are used to exploit LibTIFF library flaws

This was last published in May 2017

Dig Deeper on Network security