In the wake of the recent Java zero-day vulnerability (CVE-2013-0422) being exploited in the wild, the research team at Trusteer, an IBM company, has investigated a new type of viral campaign, which distributes Blackhole exploit kits that use this vulnerability to compromise user endpoints.

False Malvertising

Malvertising, or malicious advertising, denotes the use of online advertising to spread malware. A practice that can be inserted into reputable, high-profile websites, malicious advertising provides an opportunity to “push” exploits to Web users. Trusteer’s research team recently recorded a criminal campaign in which hackers used the Clicksor ad network to distribute the Blackhole exploit kit (Clicksor is a popular ad network, ranked 152 by Alexa). Using Clicksor as the malvertising platform allows hackers to reach a very wide audience while allowing the hacker to distribute the malware at a very low cost, starting at $0.50 per 1,000 impressions. Clicksor — and other legitimate online advertising services — has no idea, of course, that these paid, seemingly legitimate advertisements contain malware.

The recent Java zero-day vulnerability, which has been folded into exploit kits like Blackhole, automates the exploitation of computers via Web-browser vulnerabilities. As a result, the endpoint may be automatically compromised with malware when an unpatched browser is used to access a site that displays malicious Clicksor ads — without the user ever opening the ad.

While tracking Blackhole exploits delivered via malvertising, Trusteer’s research team found dozens of sites and domains that are currently hosting malvertising campaigns. About 9 percent of the exploits originated from Clicksor, but at least 10 other ad networks were hosting similar malvertising campaigns, including, Hooqy Media Advertiser, Traff, Banners Broker, AdFly, Paypopup, and ExoClick. Although analysts cannot quantify the number of malicious advertisements being served, they believe the number is in the hundreds of thousands — if not millions.

The Malvertising Campaign Explained

1. Malvertising starts with a site that embeds the legitimate Clicksor service:

Figure 1: Legitimate Clicksor service embedded in a website.

2. When the user accesses the page, the Clicksor snippet is legitimately loaded as part of the page (user does not click on the ad):

Figure 2: Clicksor ad loaded into the Web page.

3. The website embeds the Clicksor service snippet (a legitimate part of the ad content):

4. The Clicksor service snippet redirects the browser to get content for the ad. In this case, it is redirected to a site that hosts the malicious Blackhole exploit kit. Note that there is no direct link between the site that embedded the service and Blackhole, and that the referer field continues to show that the ad came from Clicksor:

5. Blackhole downloads the Java applet that exploits the zero-day vulnerability:

6. Process Monitor shows Internet Explorer (IE) exploiting vulnerabilities through the Java applet that downloads and executes the malware (“C:\Users\user\wgsdgsdgsdsgsd.exe”):

7. The website displays the ad served by Clicksor. In this case, the content received didn’t include an image, so it appears as if it didn’t load correctly. The user is not aware that the endpoint has been compromised:

It is strongly recommended that all endpoints be patched as soon as possible. In case a patch can’t be effectively deployed on all endpoints — and for ongoing protection against unpatched vulnerabilities — an Exploit Prevention Security Layer should be implemented to protect the endpoints from compromise.

More from Malware

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

7 min read - In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

7 min read

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read