Connect with us

Hi, what are you looking for?


Malware & Threats

Zero-Day Patched by Microsoft Used for Malvertising Since 2014

A zero-day vulnerability patched by Microsoft this week in its Internet Explorer and Edge web browsers has been exploited by cybercriminals in malvertising campaigns since 2014.

A zero-day vulnerability patched by Microsoft this week in its Internet Explorer and Edge web browsers has been exploited by cybercriminals in malvertising campaigns since 2014.

The September 2016 Patch Tuesday security bulletins released by Microsoft address a total of nearly 50 vulnerabilities, including CVE-2016-3351, a browser security hole that has been exploited in the wild.

According to Microsoft, the flaw can be exploited via specially crafted websites to obtain information that can be used to further compromise a targeted system. While the issue affects both browsers, there is no evidence that it has been exploited against Edge users.

Proofpoint researcher Kafeine said the vulnerability has been leveraged in malvertising campaigns since at least January 2014, when it was used to deliver Reveton ransomware via the now-defunct Angler exploit kit.

One of the threat actors that leveraged this exploit is AdGholas. The group is known for a massive, long-running malvertising campaign that reached millions of machines every day and resulted in thousands of users getting infected with malware on a daily basis.

AdGholas used steganography and apparently low-level information disclosure flaws to evade detection. One of these flaws is CVE-2016-3351, which they leveraged to avoid virtual machines and sandboxes.

The attackers used the vulnerability to conduct MIME-type checks and identify systems where certain file types that are typically used by researchers during threat analysis are not associated with any software. The list of targeted file extensions included .py, .pcap and .saz. In some cases, exploitation only continued if common file types, such as .mkv and .doc, were associated with an application.

The vulnerability was first reported to Microsoft in 2015 and again this year by Proofpoint and Trend Micro after they jointly investigated the AdGholas campaign.

Advertisement. Scroll to continue reading.

“Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time,” Kafeine warned.

Researchers determined that, in addition to AdGholas, the flaw had also been exploited by GooNky, another major cybercrime group specializing in malvertising campaigns. GooNky is known for abusing free digital certificates from Let’s Encrypt in its malvertising attacks.

By monitoring GooNky’s activities, researchers learned in June that the Angler exploit kit might have met its demise following the Russian Lurk gang arrests. The group, which had been exclusively using Angler to deliver CryptXXX ransomware, had started using Neutrino instead.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.