Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Zero-Day Patched by Microsoft Used for Malvertising Since 2014

A zero-day vulnerability patched by Microsoft this week in its Internet Explorer and Edge web browsers has been exploited by cybercriminals in malvertising campaigns since 2014.

A zero-day vulnerability patched by Microsoft this week in its Internet Explorer and Edge web browsers has been exploited by cybercriminals in malvertising campaigns since 2014.

The September 2016 Patch Tuesday security bulletins released by Microsoft address a total of nearly 50 vulnerabilities, including CVE-2016-3351, a browser security hole that has been exploited in the wild.

According to Microsoft, the flaw can be exploited via specially crafted websites to obtain information that can be used to further compromise a targeted system. While the issue affects both browsers, there is no evidence that it has been exploited against Edge users.

Proofpoint researcher Kafeine said the vulnerability has been leveraged in malvertising campaigns since at least January 2014, when it was used to deliver Reveton ransomware via the now-defunct Angler exploit kit.

One of the threat actors that leveraged this exploit is AdGholas. The group is known for a massive, long-running malvertising campaign that reached millions of machines every day and resulted in thousands of users getting infected with malware on a daily basis.

AdGholas used steganography and apparently low-level information disclosure flaws to evade detection. One of these flaws is CVE-2016-3351, which they leveraged to avoid virtual machines and sandboxes.

Advertisement. Scroll to continue reading.

The attackers used the vulnerability to conduct MIME-type checks and identify systems where certain file types that are typically used by researchers during threat analysis are not associated with any software. The list of targeted file extensions included .py, .pcap and .saz. In some cases, exploitation only continued if common file types, such as .mkv and .doc, were associated with an application.

The vulnerability was first reported to Microsoft in 2015 and again this year by Proofpoint and Trend Micro after they jointly investigated the AdGholas campaign.

“Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time,” Kafeine warned.

Researchers determined that, in addition to AdGholas, the flaw had also been exploited by GooNky, another major cybercrime group specializing in malvertising campaigns. GooNky is known for abusing free digital certificates from Let’s Encrypt in its malvertising attacks.

By monitoring GooNky’s activities, researchers learned in June that the Angler exploit kit might have met its demise following the Russian Lurk gang arrests. The group, which had been exclusively using Angler to deliver CryptXXX ransomware, had started using Neutrino instead.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.