Sophisticated Malvertising Campaign Abusing Baidu API Goes On for Five Months

Jack

Thread author


A malvertising campaign has been targeting Chinese users through the Baidu advertising platform, abusing one of its ad APIs to push malware onto users' computers.

The campaign was first spotted in October 2015 but, because of its multi-stage infection chain, it was fully understood and shut down only in February 2016.

According to security researchers from FireEye, the attacker behind this campaign was using one of Baidu's ad APIs to create malicious ads, which would later be displayed on legitimate websites.

Malicious content was (re)constructed on the client side
The ad API allowed the crooks to embed a simple HTML redirector in the Baidu code responsible for loading the ads. This redirector kicked off a series of JavaScript loading loops, each pulling in the next piece of code, until a malicious iframe landed on the legitimate website.

A second iframe was loaded later. Each iframe carried its own set of parameters, and only when the two sets were merged on the client did they form the URL where the actual malicious script resided; neither iframe on its own exposed the final address. The ad code then instructed the user's browser to download and automatically execute that script, a VBScript file.
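As an added illustration of the client-side reconstruction described above (this is not code from the original article or from FireEye's analysis), the block below takes the query strings of two iframes, merges their parameters and assembles the final script URL, then applies the check an analyst would run on the result. The parameter names (`h`, `p`, `f`, `t`), the merge order, the URL layout and the sample iframe `src` values are all constructed assumptions for the example; the real campaign's scheme is not published on this page.

```javascript
// Added example, not from the original article or FireEye's report.
// Demonstrates how two iframes that each carry only part of a URL can be
// combined on the client into the real payload location, and how to flag it.
// Parameter names, merge order, URL layout and sample values are ASSUMED.

// Constructed sample: the two iframe src values an analyst might see in the DOM.
// Uses reserved documentation-style hostnames, not real campaign infrastructure.
const IFRAME_SRCS = [
  "http://ad1.example.net/frame.html?h=stage.example.net&p=dl",
  "http://ad2.example.net/frame2.html?f=update.vbs&t=17",
];

// Parse the query string of an iframe src into a plain object.
function queryParams(src) {
  const u = new URL(src);
  return Object.fromEntries(u.searchParams.entries());
}

// Merge the parameter sets from each iframe into one object.
// Assumption: later iframes win on collisions (the second frame "refines" the first).
function mergeParams(srcs) {
  return srcs.map(queryParams).reduce((acc, p) => Object.assign(acc, p), {});
}

// Assemble the final download URL from the merged parameters.
// Assumed layout: http://<h>/<p>/<f>?t=<t>   (t is optional)
function buildPayloadUrl(params) {
  for (const k of ["h", "p", "f"]) {
    if (!(k in params)) throw new Error(`missing parameter ${k}`);
  }
  const qs = new URLSearchParams();
  if ("t" in params) qs.set("t", params.t);
  const tail = qs.toString() ? `?${qs}` : "";
  return `http://${params.h}/${params.p}/${params.f}${tail}`;
}

// Analyst check: an ad slot has no business fetching a Windows Script Host
// payload. Flags VBScript/JScript-encoded/HTA/WSF file extensions.
function isSuspiciousPayload(url) {
  const path = new URL(url).pathname.toLowerCase();
  return /\.(vbs|vbe|jse|hta|wsf)$/.test(path);
}

// Reconstruct the URL from the observed iframes and classify it.
function analyze(srcs) {
  const url = buildPayloadUrl(mergeParams(srcs));
  return { url, suspicious: isSuspiciousPayload(url) };
}

console.log(JSON.stringify(analyze(IFRAME_SRCS)));
```

The point of splitting the URL across two frames is that a scanner inspecting either iframe in isolation sees only harmless-looking fragments; the check has to be applied to the merged result, which is why `analyze` works on the list of frames rather than on one `src` at a time.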

In turn, this VBScript downloaded a trojan named Win32/Jongiti, which is a multi-purpose malware downloader that connected to a C&C server and downloaded other threats, based on the attacker's instructions.

FireEye says that, while it monitored this campaign, it saw Jongiti download PUPs, keyloggers and pornographic content droppers.

As FireEye noted, the attack was highly effective against users running older versions of Internet Explorer, who are still numerous in China. It does not work on IE11, thanks to security measures added in that release.

Read more: Sophisticated Malvertising Campaign Abusing Baidu API Goes On for Five Months