Novel malvertising attack leads to drive by ransomware

Today Kaspersky issued a Threatpost: regarding the evolving malvertising and ransomware threat.

It can be incredibly distuptive, costly, and in some cases devastating in its consequences so we at Sec-1 Ltd have taken a look at what it means in terms of: – is there anything about this news that is surprising, unique or novel? – what is the real threat from this? – how should users and organisations respond?

Taking a look at the ThreatPost article we didn’t find this surprising at all; it’s reminiscent of another article (​) posted in 2014 referencing attacks from 2012.

Exploitation toolkits give attackers an easy method of deploying malicious payloads to victims to allow a large degree of control over their machines. Couple that with the fact that ​ransomware has been proven to be profitable to criminals. Add this to the fact that malvertising is an effective method of hitting a large and varied number of potential victims and it’s unsurprising that they are continuing to utilise these tactics. Given its profitability ransomware has evolved, as has been the case with malware trends for the past 2 decades, into ‘toolkits’. These toolkits allow the chaining of exploitation and evasion tactics allowing them to get around traditional security defences such as anti-virus and firewalls. The usual tactics of ‘script src=’ or hidden iframes are well known techniques for issuing a browser redirection for malvertising – this 302 ‘cushioning’ (what seems to be essentially 302 redirects over iframes) is a new technique – and when coupled with domain shadowing, also used by this toolkit, can lead to an effective compromise of a target.

The real threat here to end-users is the potential impact of the ransomware payloads. Regardless of how they are delivered if users are hit with ransomware they risk losing all of their data: – that includes all of those family photos stored on your laptop, or that assignment you’re working on for university. The files that each user has that they consider critical differs greatly, but all users have something on their machines that would be a terrible loss to them if they couldn’t access it. That’s what ransomware does, it encrypts your harddisk and denies you access to your files until you pay the ransom.

Generally speaking, exploitation toolkits do not deploy “Zero day exploits” but utilise well known payloads, in this case a payload from 2013. This means that not all hope is lost for end users are there are steps, to back up the tried and tested “defence in depth” policy, they can take to ensure they are protected:

Patch as soon as you can!

Configure your computer to automatically install updates for both your web browser and your operating system. The challenge here is not to wait until day 30 of the “accepted” window for applying patches but to do it closer to the day the patch is released. In this example the ransomware was launched well before the patches are commonly applied – as such, the threat is more immediate, especially given our natural inclination to click on a link in an email or other communication, without necessarily having done our background checking for the link’s validity.

Back-ups and Separation of Storage

Backup important data on external hard disks that are not usually connected to your machine. If the disk isn’t connected then the malware can’t encrypt it and deny access! Backup regularly.

Update your antivirus, regularly!

The URL in the Email won’t be the only route to what you want if its legitimate

Employ good practices when receiving email, if it’s asking to you to “click” think twice before you do! In the corporate world there are many more ways to apply controls using Digital Signing of emails, broad scale and regular awareness training programs that engender good habits of not clicking on malware links and help enforce corporate policy. Given the rise in Advanced Persistent Threats this clearly has benefits wider than just holding sensitive data to ransom.

Stop and think before you Click

The reality is that phishing emails and malvertising are looking to exploit our trust in brands so that we just click, resulting in us walking into these types of attack. There is a simple way of avoiding these attacks simply by using the more formal way of arriving at the same information. If you like what the malvertisment is offering then use a search engine to find the destination rather than click the advert. In the same way as in email, if amazon or ebay are emailing you there will be an email in the message board withtin their application. Rather than follow the link in the email, login to the application and find a different route to the same info.

Other links…

SC Magazine – Novel malvertising attack leads to drive by ransomware


This entry was posted in News and tagged , , . Bookmark the permalink.

Comments are closed.