Researchers from ESET have warned that millions of internet users visiting popular news sites over the past few months may have been exposed to a malicious malvertising campaign.

The firm says that the cyber-criminals behind the campaign have been, since at least the beginning of October, distributing malicious ads promoting applications calling themselves “Browser Defence” and “Broxu” which redirect users to the Stegano exploit kit.

ESET added:

“Without requiring any user interaction, the initial script reports information about the victim’s machine to the attacker’s remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin.

“Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded script attempts to verify that it is not being run in a monitored environment such as a malware analyst’s machine,” and if the script does not detect any signs of monitoring, it redirects to the Stegano exploit kit’s landing page.

Upon successful exploitation, the executed shell code collects information on installed security products and performs – as paranoid as the cyber-criminals behind this attack – yet another check to verify that it is not being monitored. If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image.

Apparently, payloads detected so far include backdoors, banking trojans, spyware, file stealers and various trojan downloaders.

“This type of malicious activity shows clearly how cyber-criminals are adapting to the best means to distribute and infect as many as possible through the platforms that work,” Mark James, IT security specialist at ESET, told Infosecurity. “There is a misconception that you have to visit ‘dodgy’ websites to get infected, but cyber-criminals are not stupid, why infect somewhere with a relatively small footfall when you can infect a website with infinitely more visitors thinking they are safe because they trust the name of the vendor?

“Some users still believe you actually have to click on a link or run a file to actually start the infection process, and what’s worse is in most cases the actual owner of the website is totally unaware they have a problem.”

The key to defending yourself, added James, is making sure you have a good regular updating internet security product installed along with keeping your operating system and applications patched and up-to-date.

Full Article. Payloads include backdoors, banking trojans & file stealers


It's a cat and mouse game. New malware with new infection techniques will come, and new security tools to combat them will also come out. This will never end. One interesting thing about the above malware is that it checks if it is being monitored, and more interesting is that despite this feature it could not stop itself from being detected by researchers at ESET. Good work ESET.


It's very bad that a user just needs to visit the wrong page to start the infection process, so not only "heavy clickers" are at risk as many wrongly believe, but also that the bad guys now check if they are being analyzed/monitored and if/what AV you have... unfortunately I think this will get more and more common, making detection more difficult too....:(
That's why I believe a good AV is a must on every system, as are "good" habits (updated OS + programs, no "risky clicks").