Malvertisers Target 50 Million Users Per Month in New Campaign


Security experts are warning of another large-scale malvertising campaign which could be exposing as many as 50 million global internet users to the Bunitu trojan.

The new campaign, spotted by Raytheon-owned Websense, involves code which leads to the popular Angler exploit kit. In the attack, once advertising platform scripts are compromised and injected with code, they can reach millions of end-users across multiple popular sites.

“The injected code is not always sent when the script is requested, making it difficult to detect with automated analysis tools,” wrote Websense in a blog post. “In addition, Angler Exploit Kit will only serve up the malicious exploit code once per IP in a 24-hour period or so.”

Some of the websites hit by compromised scripts in this way apparently include RTL, CNN Indonesia and the Bejeweled Blitz game on Facebook. Websense estimates the affected sites get at least 50 million visitors each month.

The Angler Exploit Kit then exploits a new Adobe Flash Player vulnerability (CVE-2015-3090), dropping the trojan Bunitu onto victims’ PCs.

The malware effectively turns an affected machine into a zombie computer, so it can be used for future malicious activity.

The malware sends regular ‘heartbeats’ back to the C&C so that its attackers know which machines are active and infected, Websense said.

“Advertising networks are an increasingly popular focus for cyber-criminals, as they open up avenues to infect millions of users with minimal effort,” said Carl Leonard, principal security analyst at Raytheon Websense.

“The growing nature of evasion, stealth and variation employed in the malicious code means that it's more important now than ever to deploy a security solution capable of stopping threats at multiple points in the kill chain.”

These seven stages, as defined by Websense, are recon, lure, redirect, exploit kit, dropper file, call home, and data theft.
