Rootkits and Banking Trojans Distributed via Malvertising Campaign on T-Online and eBay Germany


Exterminator
Community Manager, thread author
Attackers were using multi-stage malware assembly techniques to deliver their malware past antivirus engines
For the past week, German users visiting certain websites have been facing a barrage of malicious ads that have been leading them to Web pages infected with various types of rootkits, banking trojans, and clickfraud bots.

The campaign was observed by two security vendors, Invincea and Malwarebytes, and affected websites like T-Online.de, eBay.de, Deutschewelle.pw, Deutschlandauto.xyz, Arcor.de, Swp.de, fischkopf.de, and donaukurier.de.

Malwarebytes named this malvertising campaign "Kampagen," the German word for "campaign."

T-Online was the biggest website that displayed the malicious ads
According to Invincea, in some instances of the campaign, and more specifically via the T-Online.de website, Germany's biggest ISP, the hackers were dropping the Tinba rootkit and banking trojan, and the Bedep clickfraud bot.

Tinba was used to spy on user activities, capturing details about banking and financial operations, while Bedep helped attackers raise their profits by taking over mouse actions and clicking on specific ads inside an invisible browser.

As Invincea is reporting, the attackers involved in this campaign managed to evade detection by various antivirus engines by using a novel malware assembly technique called just-in-time (JIT) malware assembly.

Multi-stage malware assembly is becoming more popular with hackers
The technique was previously analyzed and described by both Invincea and ESET security researchers. As Invincea security experts are reporting, the Tinba banking trojan was using multiple stages and various Windows scripting utilities to assemble itself, allowing it to pass undetected by regular anti-virus engine scans.

In the cases Malwarebytes is reporting on, the attackers used the Angler and the Neutrino exploit kits to infect their victims.

MP New Media, the advertising network from whose infrastructure the attack was launched, was notified and eventually removed the malicious ads.

Putting together the estimated total monthly visitors to each site, around 220 million users were exposed to the Kampagen malvertising campaign.
 
hjlbx

Attackers were using multi-stage malware assembly techniques to deliver their malware past antivirus engines
This is a real challenge for security software; a security product might or might not protect the system.

For a typical user to avoid malvertising, it is recommended to use light virtualization (a sandbox) for the most common internet-facing applications: browser, email client, etc. An anti-executable configuration would add additional protection.

Difficult security challenge...
 
LabZero

This technique uses native Windows functions on affected systems to assemble the malicious payload.
A criminal must hijack a single endpoint to compromise an entire network.

But a zero-day exploit in this case is not necessary; it is sufficient to use a weakness of the Windows operating system, such as UAC not being set to "Always notify me" by default, to get privileged access to the victim's computer and network.
That's why it is very important to enable UAC.
It is not a new technique, and elementary safety rules are too often undervalued.
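
The UAC setting LabZero refers to can be audited from the registry policy values. The following is an added example, not code from this thread or from any of the vendors named; it assumes Windows 7 or later and only reads HKLM, so no elevation is needed to run the check (the suggested fix does need an elevated shell).

```powershell
# Audit whether UAC is enabled and at the "Always notify" level.
# Reads the policy values under HKLM (readable by standard users).
function Test-UacAlwaysNotify {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $path

    # Missing values mean the OS default applies: UAC on, level 5, secure desktop on.
    $enableLua = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
    $consent   = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $secureDt  = if ($null -eq $p.PromptOnSecureDesktop) { 1 } else { [int]$p.PromptOnSecureDesktop }

    # Meaning of ConsentPromptBehaviorAdmin for administrator accounts.
    $levels = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (Windows default)'
    }

    # The "Always notify" slider position corresponds to level 2 with the secure desktop on.
    $alwaysNotify = ($enableLua -eq 1) -and ($consent -eq 2) -and ($secureDt -eq 1)

    [pscustomobject]@{
        UacEnabled    = ($enableLua -eq 1)
        AdminPrompt   = $levels[$consent]
        SecureDesktop = ($secureDt -eq 1)
        AlwaysNotify  = $alwaysNotify
    }
}

$result = Test-UacAlwaysNotify
$result | Format-List

if (-not $result.UacEnabled) {
    Write-Warning 'UAC is disabled (EnableLUA=0): admin processes run fully elevated with no prompt.'
} elseif (-not $result.AlwaysNotify) {
    Write-Warning 'UAC is below "Always notify". From an elevated shell, raise it with:'
    Write-Output '  $k = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"'
    Write-Output '  Set-ItemProperty -Path $k -Name ConsentPromptBehaviorAdmin -Value 2'
    Write-Output '  Set-ItemProperty -Path $k -Name PromptOnSecureDesktop -Value 1'
}
```

A reboot or sign-out is not required for the policy values to take effect, but a change to EnableLUA itself does require a restart.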

jamescv7

Adblockers are not a problem; where possible they reduce the risks and let your current tweaked security software do the rest of the job.

As a standard, you need to reduce those annoying pop-ups and advertisements from browsing in the first place.
 