Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Zero-Day Patched by Microsoft Used for Malvertising Since 2014

A zero-day vulnerability patched by Microsoft this week in its Internet Explorer and Edge web browsers has been exploited by cybercriminals in malvertising campaigns since 2014.

A zero-day vulnerability patched by Microsoft this week in its Internet Explorer and Edge web browsers has been exploited by cybercriminals in malvertising campaigns since 2014.

The September 2016 Patch Tuesday security bulletins released by Microsoft address a total of nearly 50 vulnerabilities, including CVE-2016-3351, a browser security hole that has been exploited in the wild.

According to Microsoft, the flaw can be exploited via specially crafted websites to obtain information that can be used to further compromise a targeted system. While the issue affects both browsers, there is no evidence that it has been exploited against Edge users.

Proofpoint researcher Kafeine said the vulnerability has been leveraged in malvertising campaigns since at least January 2014, when it was used to deliver Reveton ransomware via the now-defunct Angler exploit kit.

One of the threat actors that leveraged this exploit is AdGholas. The group is known for a massive, long-running malvertising campaign that reached millions of machines every day and resulted in thousands of users getting infected with malware on a daily basis.

AdGholas used steganography and apparently low-level information disclosure flaws to evade detection. One of these flaws is CVE-2016-3351, which they leveraged to avoid virtual machines and sandboxes.

The attackers used the vulnerability to conduct MIME-type checks and identify systems where certain file types that are typically used by researchers during threat analysis are not associated with any software. The list of targeted file extensions included .py, .pcap and .saz. In some cases, exploitation only continued if common file types, such as .mkv and .doc, were associated with an application.

The vulnerability was first reported to Microsoft in 2015 and again this year by Proofpoint and Trend Micro after they jointly investigated the AdGholas campaign.

“Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time,” Kafeine warned.

Researchers determined that, in addition to AdGholas, the flaw had also been exploited by GooNky, another major cybercrime group specializing in malvertising campaigns. GooNky is known for abusing free digital certificates from Let’s Encrypt in its malvertising attacks.

By monitoring GooNky’s activities, researchers learned in June that the Angler exploit kit might have met its demise following the Russian Lurk gang arrests. The group, which had been exclusively using Angler to deliver CryptXXX ransomware, had started using Neutrino instead.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.