A new malware campaign, spread through the AOL Ad Network, was launched at the end of 2014. The malware is delivered to visitors of several websites, two of which are owned by Huffington Post. Multiple HTTPS redirects make the analysis even more difficult. The malicious activity was first spotted on the last day of December on the Canadian edition of Huffington Post. On the third day of the new year, the same activity was also noticed on huffingtonpost.com.
Numerous websites affected
Security researchers at Cyphort traced the malicious activity back to the AOL ad network. They found that the landing page served a web-based attack tool that included a VBScript and a Flash exploit. The end result of the attack was the download of the Kovter Trojan.
Besides the two Huffington Post websites, the other sites affected by the malvertising campaign are Houston Press, LA Weekly, Weather Bug and Soap Central. All of them served the rogue advertisement to their visitors.
The criminals behind the AOL malvertising rely on HTTP and HTTPS redirections to mask the servers that take part in the attack, which makes the analysis even more difficult. According to the Cyphort researchers, the cybercriminals responsible for the attack have access to numerous Polish domains, obtained either by compromising existing sites or by registering the domains themselves.
The malware specialists further stated that the two advertising networks owned by AOL, adtech.de and advertising.com, were used to distribute the malicious ad.
IE 6 to 10 vulnerable to the attack
AOL is aware of the malware attack and its security team is already taking measures; the attack has currently been stopped. According to the Cyphort experts, the exploit kit used by the cybercriminals is Neutrino, though certain similarities with Sweet Orange were also spotted.
The researchers say the infection starts with JavaScript that decrypts an HTML file and a VBScript. The HTML targets older versions of Internet Explorer (6 to 10) through the vulnerability known as CVE-2013-2551, which is loaded in an iframe, while at the same time the VBScript downloads the Kovter Trojan through the flaw CVE-2014-6332, which affects unpatched versions of Windows, including Server 2003.
Old method, new tricks
The malware experts state that slipping bad ads into the normal ad stream is an old method, yet the cybercriminals now apply new tricks to evade analysis. Among them are delaying the start of the malicious campaign and serving the malware only to visitors who meet certain criteria, such as using a particular web browser or being located in a specific region.
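The redirect chains and browser targeting described above leave a footprint in web proxy logs, and reconstructing those chains is one way a defender can surface a campaign like this one. The following is an added example, not code from the article or from Cyphort: the pipe-separated log format, the host names and the heuristic (a chain crossing at least three hosts, served to IE 6 to 10, whose landing host also returned Flash content) are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the article), one request per line:
# client|url|status|location|content-type|user-agent
SAMPLE_LOG = """\
10.0.0.5|https://ads.adnet.test/serve?id=1|302|https://r1.redir.test/x|-|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
10.0.0.5|https://r1.redir.test/x|302|http://r2.landing.test/y|-|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
10.0.0.5|http://r2.landing.test/y|200|-|text/html|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
10.0.0.5|http://r2.landing.test/z.swf|200|-|application/x-shockwave-flash|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
10.0.0.9|https://ads.adnet.test/serve?id=1|302|https://cdn.ok.test/banner|-|Mozilla/5.0 (Windows NT 6.1) Chrome/39.0
10.0.0.9|https://cdn.ok.test/banner|200|-|image/png|Mozilla/5.0 (Windows NT 6.1) Chrome/39.0
"""
OLD_IE = re.compile(r"MSIE (?:[6-9]|10)\.")  # IE 6 to 10, the versions the article names
FIELDS = ("client", "url", "status", "location", "ctype", "ua")

def parse(log):
    return [dict(zip(FIELDS, line.split("|"))) for line in log.strip().splitlines()]

def redirect_chains(rows):
    """Stitch 3xx hops into per-client chains: ad server -> redirectors -> landing page."""
    by_client = {}
    for r in rows:
        by_client.setdefault(r["client"], []).append(r)
    chains = []
    for client, reqs in by_client.items():
        by_url = {r["url"]: r for r in reqs}
        targets = {r["location"] for r in reqs if r["status"].startswith("3")}
        for start in reqs:
            if not start["status"].startswith("3") or start["url"] in targets:
                continue  # begin only at the first hop of a chain
            chain, cur = [start], start
            while cur["status"].startswith("3") and cur["location"] in by_url:
                cur = by_url[cur["location"]]
                chain.append(cur)
            chains.append((client, chain))
    return chains

def suspicious_chains(rows, min_hosts=3):
    """Flag cross-domain chains served to IE 6-10 whose landing host also returned Flash."""
    flagged = []
    for client, chain in redirect_chains(rows):
        hosts = [urlsplit(r["url"]).hostname for r in chain]
        if len(set(hosts)) < min_hosts or not OLD_IE.search(chain[0]["ua"]):
            continue
        served_flash = any(r["client"] == client and r["ctype"] == "application/x-shockwave-flash"
                           and urlsplit(r["url"]).hostname == hosts[-1] for r in rows)
        if served_flash:
            flagged.append((client, hosts))
    return flagged
```

On the constructed log, only the IE client's three-host chain is flagged; the Chrome client, which the ad server sent straight to a benign banner, is not.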