Microsoft Patches Third Zero-Day Used in Massive Malvertising Campaign

By Solarquest (Moderator, Thread author), Jul 22, 2014
Microsoft has patched a zero-day vulnerability that was used in the massive AdGholas malvertising campaign and later integrated into the Neutrino exploit kit.

AdGholas came to light in July 2016, when security firms Trend Micro and Proofpoint uncovered a malvertising campaign that had compromised 22 different ad networks.

The campaign, which appeared to have been running since 2013, was targeting over one million users per day and infecting thousands.

Latest vulnerability was part of a zero-day trifecta
At the core of its operations was an arsenal of browser and OS vulnerabilities, including several zero-days, which the security firms reported to Microsoft.

Microsoft patched the first zero-day in September, in security bulletins MS16-104 and MS16-105. This zero-day, tracked as CVE-2016-3351, allowed the AdGholas operators to query the Windows OS (through IE or Edge) and discover if certain file extensions had been assigned to locally installed applications.

If file extensions specific to security products, virtual machines, or sandboxing environments were found, the attack would stop and skip that particular machine.

One month later, Microsoft patched a second zero-day, CVE-2016-3298, via security bulletins MS16-118 and MS16-126. This zero-day affected Internet Explorer.

Just like the first, this one allowed the AdGholas team to discover if certain files existed on disk, files specific to security products and sandboxing environments.

Third zero-day fixed in March Patch Tuesday
...