SecurityWeek

Massive Malvertising Network is 9 Times Bigger Than Originally Thought: Cisco

New research from Cisco Systems shows the ‘Kyle and Stan’ malvertising network is much bigger than it first appeared.

In fact, it is nine times bigger.


Two weeks ago, Cisco’s Talos Security Intelligence and Research Group revealed the existence of the network, which was responsible for placing malicious advertisements on websites such as amazon.com, ads.yahoo.com, youtube.com and 70 other domains. What they found, however, was just the beginning.

“The ‘Kyle and Stan’ network is a highly sophisticated malvertising network,” blogged Armin Pelkmann, threat researcher with Cisco. “It leverages the enormous reach of well-placed malicious advertisements on very well known websites in order to potentially reach millions of users. The goal is to infect Windows and Mac users alike with spyware, adware, and browser hijackers.”


According to Pelkmann, Cisco has now isolated 6,491 domains sharing the same infrastructure, more than nine times the previously reported 703 domains.

“We have observed and analyzed 31,151 connections made to these domains,” he blogged. “This equals over 3 times the amount of connections previously observed. The increase in connections is most likely not proportional to the domains due to the fact that a long time has passed since the initial attacks.”

The first attempts to spread malware, spyware and adware date back to January 2012, he wrote.

“The domains of the type kyle.mxp677.com, stan.mxp681.com and lpmxp47.com usually seem to have a relatively short lifespan until they get replaced,” he blogged. “The attacker seems to use them for a short while, burn them and move on to the subsequent number. Domains like megashre.info or file36.com seem to be used for a longer period and are still active.”
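The naming pattern quoted above is concrete enough to hunt for in proxy or DNS logs. What follows is an added example, not code from Cisco Talos or SecurityWeek: the regular expressions are this example's generalization of the sample hostnames in the quote (the numbered `kyle./stan.mxpNNN.com` and `lpmxpNN.com` domains, plus the two long-lived ones), the log format and the log lines are constructed for the demonstration, and the function names are this example's own. A real hunt would use the full indicator list rather than a pattern inferred from five hostnames.

```python
import re

# Patterns inferred from the hostnames named in the article. They are an
# assumption for this example, not a published Cisco signature: the short-lived
# domains carry a sequence number, the long-lived ones are fixed names.
NUMBERED_PATTERNS = [
    re.compile(r"^(?:kyle|stan)\.mxp(\d+)\.com$", re.IGNORECASE),
    re.compile(r"^lpmxp(\d+)\.com$", re.IGNORECASE),
]
LONG_LIVED_DOMAINS = {"megashre.info", "file36.com"}


def classify_domain(domain: str):
    """Return ('numbered', n), ('long_lived', None), or None for a hostname."""
    d = domain.strip().lower().rstrip(".")  # normalize case and trailing dot
    if d in LONG_LIVED_DOMAINS:
        return ("long_lived", None)
    for pat in NUMBERED_PATTERNS:
        m = pat.match(d)
        if m:
            return ("numbered", int(m.group(1)))
    return None


# Constructed proxy log: "<timestamp> <client> <host>". Not real telemetry.
SAMPLE_LOG = """\
2014-09-10T12:00:01Z 10.0.0.5 ads.yahoo.com
2014-09-10T12:00:02Z 10.0.0.5 kyle.mxp677.com
2014-09-10T12:00:03Z 10.0.0.7 stan.mxp681.com
2014-09-10T12:00:04Z 10.0.0.7 lpmxp47.com
2014-09-10T12:00:05Z 10.0.0.9 file36.com
2014-09-10T12:00:06Z 10.0.0.9 www.example.com
2014-09-10T12:00:07Z 10.0.0.5 KYLE.MXP682.COM.
"""


def scan_log(text: str):
    """Flag hosts matching the patterns.

    Returns (hits, numbers): hits is a list of (timestamp, client, host, kind);
    numbers is the sorted set of sequence numbers seen, which shows the
    'burn it and move to the next number' progression the researcher describes.
    """
    hits, numbers = [], set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:  # skip malformed lines rather than crash the hunt
            continue
        ts, client, host = parts[0], parts[1], parts[2]
        verdict = classify_domain(host)
        if verdict is None:
            continue
        kind, seq = verdict
        hits.append((ts, client, host.lower().rstrip("."), kind))
        if kind == "numbered":
            numbers.add(seq)
    return hits, sorted(numbers)


if __name__ == "__main__":
    found, seen = scan_log(SAMPLE_LOG)
    for ts, client, host, kind in found:
        print(f"{ts} {client} -> {host} [{kind}]")
    print("sequence numbers observed:", seen)
```

Run it against a real proxy export and the sequence numbers give a quick view of how far through the numbered range the actor has moved; a gap between the highest number seen and the current date is a hint that the pattern itself may have been retired.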

“Noteworthy is that the popular domain www.winrar.com is also part of these attackers’ network,” he continued. “The website is built to fool visitors into believing they are installing the popular compression tool WinRar, but instead they are downloading malware. This website exhibits a significant traffic load and is a good example of how the attackers behind this network are trying to fool users into installing their malware.”

The malware droppers used in the campaign leverage “clever techniques and encryption” to ensure unique checksums to avoid detection, Pelkmann noted.

“The count of websites connected to the attacker’s infrastructure is now up to 6491 and is growing daily,” he wrote. “The fact that parts of this infrastructure date back to January 2012 is concerning, as it shows that the threat actors have been active for over 2 and a half years.”

In its 2014 Midyear report, Cisco called malvertising a “disruptor for the Internet economy.”

“Malvertising is becoming more prevalent, and adversaries are able to launch highly targeted campaigns,” the report notes. “A malvertiser who wants to target a specific population at a certain time—for example, soccer fans in Germany watching a World Cup match—can turn to a legitimate ad exchange to meet their objective.”

Last week, researchers with Malwarebytes reported that the websites of The Times of Israel and The Jerusalem Post were serving malicious advertisements that redirected victims to a page hosting the Nuclear exploit kit.
