Researchers with Raytheon|Websense have identified a massive malvertising campaign that has hit Web users in Europe and the U.S.
The attack is focused on users browsing several well-trafficked sites, including CNN Indonesia, the official website of Prague Airport, Detik, AASTOCKS, RTL Television Croatia and the Bejewled Blitz game on Facebook. According to the researchers, the attack leads users to the Angler Exploit kit, which leverages a vulnerability in Adobe Flash Player (CVE-2015-3090) to infect users with the Bunitu Trojan.
"Revive Adserver is an open source advertizing technology formerly known as OpenX Source," the researchers noted in a blog post. "It allows businesses to host and manage their own advertizing services rather than relying on third party services, and it is common for multiple websites to use the same Revive Adserver script. We have seen compromised Revive Adserver scripts used in malvertising in the past, and seemingly this continues to be a target of interest for cybercriminals. The code injected into the compromised Revive Adserver scripts in this campaign have been seen to lead to the very prevalent Angler Exploit Kit."
The injected code is not always sent when the script is requested, and the Angler kit will only serve the malicious exploit code once per IP address in a 24-hour period. Since April, researchers have compromised Revive Adserver scripts being used by several sites, some of which only seem to contain the injected code for 24 hours, while others have remained compromised for weeks, the researchers found.
Once the Bunitu Trojan is dropped on the victim's machine, it turns the system into a zombie computer. The malware drops and loads a DLL within its own process that opens two random ports on the infected machine for a SOCKS5 proxy and a HTTP proxy. It also has back-up infrastructure in case the hard-coded call home server is not available.
"Ad networks are pervasive and ads are the economic backbone of the internet – hence very juicy targets," explained Rajiv Motwani, Raytheon|Websense director of security research. "Like any other piece of code, ad networks can also be exploited and we have seen a large uptick in malvertising over the last couple of years. Once an ad network is compromised, an attacker could serve malware to any subset of visitors to the sites using that ad network and even use very precise targeting of the victims depending on the functionality made available by the ad network, which is typically good."