Millions of internet users visiting popular news sites over the past few months may have been exposed to a malicious malvertising campaign. The cybercriminals behind the campaign are distributing malicious ads, which redirect users to the Stegano exploit kit.

Security researchers uncovered that the Stegano malvertising campaign, exploited several Flash vulnerabilities. The malicious ads came embedded with attack codes within individual image pixels. Stegano has been active since 2014, however, researchers noted a fresh campaign launched in October, which operates in an exceedingly stealthy manner to infect victims.

According to researchers, infected systems are left exposed to "further compromise" such as "backdoors, spyware and banking Trojans."

ESET security researchers said, "We can say that even some of the other major exploit kits, like Angler and Neutrino, are outclassed by the Stegano kit in terms of referrals – 'the websites onto which they managed to get the malicious banners installed. We have observed major domains, including news websites visited by millions of people every day, acting as "referrers" hosting these advertisements.

"Upon hitting the advertising slot, the browser will display an ordinary-looking banner to the observer. There is, however, a lot more to it than advertising."

Stegano's history

Researchers noted that a previous strain of the Stegano exploit pack was "hiding in plain sight" since 2014. The first detected campaign was found to be targeting Dutch customers. However, the following year, the cybercrooks shifted geographical focus to targets in the Czech Republic. The current campaign was found targeting victims in Canada, Britain, Australia, Spain and Italy.

ESET researchers also noted that the authors of the Stegano exploit campaign have made several improvements to their attack tactics. "The Stegano exploit kit has been trying to fly under the radar since at least 2014. Its authors have put quite some effort into implementing several techniques to achieve self-concealment," researchers added.

How it works

Stegano conceals parts of its malicious code within individual pixels used to display banner ads. The code is capable of modifying the tone or colour of images. However, the modifications are so subtle as to be nearly undetectable to the untrained eye.

The campaign has also been designed to send victim's machine data to the attackers' remote servers, which then analyses the system to determine if the victim should be "served either a clean image or its almost imperceptibly modified malicious evil twin.

Researchers noted that the "paranoid" cybercriminals behind the campaign had also added additional security checks, to ensure that infected systems are not monitored. Vulnerable systems would then be redirected to the exploit kit, which in turn would download either the Ursnif or the Ramnit malware. Both malware strains share similar abilities including, stealing email credentials, keystroke logging, posing as backdoors and taking screenshots and videos. However, the Ramnit malware primarily targets the banking and financial industry.

According to further analysis of the campaign by Malwarebytes, the attack "reached epic proportions" and targeted "unsuspecting users visiting top trusted portals like Yahoo or MSN" as well as various "top level publishers."