Security Experts:

Zero-Day Patched by Microsoft Used for Malvertising Since 2014

A zero-day vulnerability patched by Microsoft this week in its Internet Explorer and Edge web browsers has been exploited by cybercriminals in malvertising campaigns since 2014.

The September 2016 Patch Tuesday security bulletins released by Microsoft address a total of nearly 50 vulnerabilities, including CVE-2016-3351, a browser security hole that has been exploited in the wild.

According to Microsoft, the flaw can be exploited via specially crafted websites to obtain information that can be used to further compromise a targeted system. While the issue affects both browsers, there is no evidence that it has been exploited against Edge users.

Proofpoint researcher Kafeine said the vulnerability has been leveraged in malvertising campaigns since at least January 2014, when it was used to deliver Reveton ransomware via the now-defunct Angler exploit kit.

One of the threat actors that leveraged this exploit is AdGholas. The group is known for a massive, long-running malvertising campaign that reached millions of machines every day and resulted in thousands of users getting infected with malware on a daily basis.

AdGholas used steganography and apparently low-level information disclosure flaws to evade detection. One of these flaws is CVE-2016-3351, which they leveraged to avoid virtual machines and sandboxes.

The attackers used the vulnerability to conduct MIME-type checks and identify systems where certain file types that are typically used by researchers during threat analysis are not associated with any software. The list of targeted file extensions included .py, .pcap and .saz. In some cases, exploitation only continued if common file types, such as .mkv and .doc, were associated with an application.

The vulnerability was first reported to Microsoft in 2015 and again this year by Proofpoint and Trend Micro after they jointly investigated the AdGholas campaign.

“Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time,” Kafeine warned.

Researchers determined that, in addition to AdGholas, the flaw had also been exploited by GooNky, another major cybercrime group specializing in malvertising campaigns. GooNky is known for abusing free digital certificates from Let’s Encrypt in its malvertising attacks.

By monitoring GooNky’s activities, researchers learned in June that the Angler exploit kit might have met its demise following the Russian Lurk gang arrests. The group, which had been exclusively using Angler to deliver CryptXXX ransomware, had started using Neutrino instead.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.