Yahoo! Hit With Malvertising Campaign

This week we hear about YAHOO! being hit with a malvertising campaign, and the "Business Club" crime gang.

Breach

YAHOO! HIT WITH MALVERTISING CAMPAIGN

There are many techniques used by criminals to distribute malware—one of the most insidious is the use of malvertising. Using this method, criminals abuse the advertising distribution networks that serve advertisements on legitimate web pages by supplying malicious code in place of ads.

In a campaign discovered this week, Yahoo!'s advertising network was used to distribute JavaScript that redirected the browsers of unsuspecting visitors to malicious websites hosting the Angler exploit kit.

Like most exploit kits, Angler bundles a number of exploits for known vulnerabilities together with a malicious payload. The kit fingerprints the visitor's browser and its third-party plugins (checking version numbers) until it finds one for which it holds a working exploit. It then runs that exploit and delivers its payload, compromising the visitor's machine without any interaction by the user beyond visiting an otherwise entirely legitimate website.

Abusing advertising networks allows attackers to place malicious ads with the same level of targeting as any other ads, selecting the demographics and locations of victims if required, or adopting a scattergun approach without targeting. Any content distribution system that allows attackers to spread malware to a large number of targets will be a tempting target for compromise. Organizations that provide such services should ensure that their systems are protected as much as possible against attack, and should continuously monitor these systems to ensure that any incursion is swiftly detected and remediated.

References: Malwarebytes Blog | ZDNet | Forbes

Mitigation Strategies:

Malware

“BUSINESS CLUB” CRIME GANG

Malware is controlled by threat actors whose motivations may evolve over time. The so-called “Business Club” cyber crime gang is believed to be an association of approximately 50 members, who are behind the GameOver Zeus botnet. A recent report shines a light on their activities and suggests why the gang might be able to operate without interference.

The gang and its botnet are linked to a number of corporate wire frauds. In these attacks the malware performs man-in-the-browser attacks, injecting itself into the victim's browser session to intercept online banking credentials. The stolen credentials allow the criminals to make fraudulent fund transfers to a network of money mules, who ultimately pass the money on to the gang after deducting their cut. Another revenue stream for the botnet is distributing CryptoLocker ransomware, which encrypts the files on infected computers and blocks access to them unless a ransom is paid.

However, researchers who gained access to the botnet's command and control network observed the gang instructing infected machines to search for information relating to intelligence services in Georgia, Turkey, and Ukraine. This is unusual for a botnet run purely for financial gain, since the information sought would be of use to a nation state rather than a criminal enterprise. The researchers speculate that the gang may be able to continue operating despite an indictment against the alleged ringleader because its members have obtained a degree of state-sponsored protection.

Despite much cyber crime being purely motivated by criminal financial gain, once a machine is infected by malware, the controller of the malware is typically able to command the infected machine to execute any required instruction. A criminal may infect a machine with the intention of conducting a financially motivated crime, only to find that it is more beneficial to conduct espionage and steal confidential documents instead. The stolen data may be traded for a degree of protection from legal oversight, allowing the criminal to continue conducting profitable criminal activities.

References: Fox-IT | Krebs on Security

Mitigation Strategies:

  • Intrusion Detection System (IDS) signatures that alert on the malware's known callback traffic (the command and control domains and IP addresses observed in the wild)
  • NetFlow analysis to reveal unusually large outbound transfers that may indicate data leakage
  • Centralised log management to surface connections to attacker-controlled external IP addresses, provided that firewalls and proxies are configured to log them

Top 20 IP Addresses

106.39.95.195
45.58.124.18 – NEW
180.97.106.162 – NEW
198.57.247.224
180.97.106.37 – NEW
62.149.145.43 – NEW
180.97.106.161 – NEW
108.167.133.31
180.97.106.36 – NEW
113.204.53.134 – NEW
118.193.173.202 – NEW
61.186.245.211 – NEW
222.186.21.184 – NEW
198.57.247.208 – NEW
118.98.104.21 – NEW
89.187.145.236
82.221.128.206
188.143.234.125 – NEW
118.244.134.149
54.217.247.24 – NEW
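The mitigation strategies above (IDS signatures for known callback addresses, NetFlow review for large transfers, and log matching against attacker IPs) can be exercised against the Top 20 list in this bulletin. The following script is an added example written for this page, not code from the bulletin's authors or from any of the referenced researchers: it loads the list as published, matches constructed NetFlow-style records against it, flags large outbound transfers to external hosts, and emits one Suricata rule per listed address. The flow records, the 100 MiB threshold and the SID range 9000000+ are assumptions made for illustration.

```python
"""Match flow records against a published IP watchlist and flag large outbound transfers.

Added example for this bulletin. The flow records below are constructed sample
data; the watchlist is the bulletin's "Top 20 IP Addresses" as printed. The
transfer threshold and the Suricata SID range are assumptions.
"""
import ipaddress
from collections import defaultdict

# Watchlist exactly as published in the bulletin ("– NEW" marks new entries).
WATCHLIST_TEXT = """
106.39.95.195
45.58.124.18 – NEW
180.97.106.162 – NEW
198.57.247.224
180.97.106.37 – NEW
62.149.145.43 – NEW
180.97.106.161 – NEW
108.167.133.31
180.97.106.36 – NEW
113.204.53.134 – NEW
118.193.173.202 – NEW
61.186.245.211 – NEW
222.186.21.184 – NEW
198.57.247.208 – NEW
118.98.104.21 – NEW
89.187.145.236
82.221.128.206
188.143.234.125 – NEW
118.244.134.149
54.217.247.24 – NEW
"""

# Constructed NetFlow-style records: (timestamp, src, dst, dst_port, bytes_out).
SAMPLE_FLOWS = [
    ("2014-08-04T09:01:12Z", "10.1.4.22", "180.97.106.162", 80, 1420),
    ("2014-08-04T09:03:40Z", "10.1.4.22", "93.184.216.34", 443, 52000),
    ("2014-08-04T09:05:02Z", "10.1.7.9", "198.57.247.224", 443, 980),
    ("2014-08-04T10:12:55Z", "10.1.7.9", "54.217.247.24", 8080, 350_000_000),
    ("2014-08-04T11:00:00Z", "10.1.9.3", "172.16.0.5", 445, 900_000_000),  # internal copy
]

LARGE_TRANSFER_BYTES = 100 * 1024 * 1024  # assumed: 100 MiB per src/dst pair


def parse_watchlist(text):
    """Return {ip: is_new} from the bulletin's one-address-per-line format."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ip = str(ipaddress.ip_address(parts[0]))  # raises on a malformed address
        entries[ip] = "NEW" in parts[1:]
    return entries


def is_internal(ip):
    """RFC 1918 and other private ranges count as internal."""
    return ipaddress.ip_address(ip).is_private


def find_watchlist_hits(flows, watchlist):
    """Every flow whose destination is on the watchlist, with its NEW flag."""
    hits = []
    for ts, src, dst, dport, nbytes in flows:
        if dst in watchlist:
            hits.append({"time": ts, "src": src, "dst": dst, "port": dport,
                         "bytes": nbytes, "new": watchlist[dst]})
    return hits


def find_large_external_transfers(flows, threshold=LARGE_TRANSFER_BYTES):
    """Sum bytes per (src, dst) for internal->external flows; keep totals over threshold."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= threshold}


def suricata_rules(watchlist, base_sid=9000000):
    """One Suricata rule per watchlist address (SID range is hypothetical)."""
    rules = []
    for i, ip in enumerate(sorted(watchlist, key=ipaddress.ip_address)):
        tag = " (NEW)" if watchlist[ip] else ""
        rules.append(f'alert ip $HOME_NET any -> {ip} any '
                     f'(msg:"Bulletin watchlist IP {ip}{tag}"; sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    wl = parse_watchlist(WATCHLIST_TEXT)
    for hit in find_watchlist_hits(SAMPLE_FLOWS, wl):
        print("WATCHLIST HIT", hit)
    for (src, dst), total in find_large_external_transfers(SAMPLE_FLOWS).items():
        print(f"LARGE TRANSFER {src} -> {dst}: {total} bytes")
    print("\n".join(suricata_rules(wl)))
```

Run stand-alone it prints three watchlist hits, one large external transfer (the internal SMB copy to 172.16.0.5 is deliberately excluded), and twenty rules that can be dropped into a Suricata rules file once the SIDs are reconciled with the local numbering scheme.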