According to the ESET report, weaponized ad banners were stored on an external link, with the ability to - without requiring any user interaction - to gather "information about the victim’s machine to the attacker’s remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin."
The script encoded in the alpha channel of the weaponized ad will then check for monitoring tools (see a list at the end of the article) by using IE exploit CVE-2016-0162.
”If the script does not detect any signs of monitoring, it redirects to the Stegano exploit kit’s landing page, via the TinyURL service. The landing page loads a Flash file that is able to exploit three different vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the version of Flash found on the victim’s system."
After another check, "the payload is then decrypted and launched via regsvr32.exe or rundll32.exe. Payloads detected so far include backdoors, banking trojans, spyware, file stealers and various trojan downloaders."
See more, including detailed technical analysis @ the link provided above.
Thank you for reading!
Comparison of weaponized and clean ad:
The script encoded in the alpha channel of the weaponized ad will then check for monitoring tools (see a list at the end of the article) by using IE exploit CVE-2016-0162.
”If the script does not detect any signs of monitoring, it redirects to the Stegano exploit kit’s landing page, via the TinyURL service. The landing page loads a Flash file that is able to exploit three different vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the version of Flash found on the victim’s system."
After another check, "the payload is then decrypted and launched via regsvr32.exe or rundll32.exe. Payloads detected so far include backdoors, banking trojans, spyware, file stealers and various trojan downloaders."
See more, including detailed technical analysis @ the link provided above.
Thank you for reading!
Comparison of weaponized and clean ad:
