Security Experts:

RIG Exploit Kit Used in Flash-Based Malvertising Campaign

Flash-based ads are being used by an advertising network to lure the visitors of various websites to a landing page that has been set up to distribute malware, Internet security firm Malwarebytes said on Thursday.

According to the company, the malicious advertising (malvertising) campaign relies on ads created with Adobe Flash that have appeared on a popular adult website and on a site that offers free e-cards. A close analysis of the ad's source code revealed that it was designed to trigger a malicious redirection when loaded by creating an iframe for a URL that's on the same domain as the advertising server.

The landing page hosts the RIG exploit kit, which attempts to exploit Adobe Flash and Microsoft Silverlight vulnerabilities in order to push a piece of malware identified as Trojan.Agent.ED, Malwarebytes said.

In June, Cisco reported that cybercriminals had been using the RIG exploit kit, which surfaced on cybercrime forums in April, to deliver the file-encrypting ransomware Cryptowall via similar malvertising techniques.

In an effort to remain unnoticed, the ad network designed the Flash ads so that they don't contain any malicious URLs, they don't exploit any Flash vulnerabilities in order to work, and the URL they call is obfuscated. In addition, the attackers set in place certain checks to ensure that the redirection doesn't occur on incompatible systems or debuggers. The redirection is triggered only on Windows systems with a screen resolution greater than 400x600 pixels, with ActiveX enabled, and only once per IP address.

"This particular ad may have been placed on a number of websites, big and small and leading to several thousand infections," Malwarebytes senior security researcher Jerome Segura noted in a blog post published on Thursday.

Segura noted that the ad network, which uses fake registration details and hides behind CloudFlare, had been flagged as a rogue service by researchers in the past.

Typically, ad networks and website owners earn a commission every time they lead a user to the advertised site. However, in this case, the website owner is unknowingly infecting its visitors' computers with malicious software, while the ad network makes profit not only for impressions and clicks, but also for distributing malware.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.