Alleges attack allowing targeted Trojans was known long before Redmond’s wranglers roped it
Security researcher Kafeine says one of this week’s Microsoft patches addresses a vulnerability Redmond had known about since last year, and that it may only have pulled the patching trigger after a spate of banking trojan attacks.
The attacks utilised the low-level flaw (CVE-2016-3351) for cloaking purposes among an arsenal of exploits.
The earliest attacks using the since-defeated exploit date back to January 2014, and it was still in use as recently as July, when it was stopped by Kafeine and others.
The most recent of the malvertising campaigns, AdGholas, sent up to a million users every day to the local banking trojans.
The bug was first reported last year and only received a CVE from Microsoft in July when Proofpoint and Trend Micro collaborated on research into the AdGholas and GooNky groups.
Attackers deployed the dangerous Neutrino exploit kit before dropping Terdot.A when they detected UK victims, Gozi ISFB for Canadians, DELoader for Australians, and Gootkit for users browsing from Spain.
The commended Proofpoint malware prober says the low-level bugs fixed this week allowed the now dead Angler exploit kit gang, along with current actors AdGholas and GooNky, to reduce the likelihood their “massive, long running” malvertising campaigns would be detected.
Kafeine says it is an example of why patching small bugs is important.
“The bottom line? As much as possible, software vendors need to maintain comprehensive patching regimens, organisations and users must rethink patching prioritisations, and researchers need to look for new avenues to detect malicious activity,” Kafeine says.
The flaw allowed attackers to obtain browser fingerprinting information which could help reveal if virtualised systems were used by potential targets.
Malvertising scams are known for profiling victim machines before deploying payloads in a bid to avoid white hats and extend the amount of time attack campaigns can operate undetected.
Kafeine says researchers found attacks using the flaw back in 2014 after “additional archeological work”.
“Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time,” Kafeine says.
“In this case, the AdGholas group used such a bug specifically to avoid detection by researcher and vendor automated systems and thus stay below the radar even while they conducted a massive, long-running malvertising operation.”
The bank trojans were being dropped until Kafeine and fellow researchers reported the attacks to advertising networks whose infrastructure was being abused. ®