At the end of April this year, we found Astrum exploit kit employing Diffie-Hellman key exchange to prevent monitoring tools and researchers from replaying their traffic. As AdGholas started to push the exploit, we saw another evolution: Astrum using HTTPS to further obscure their malicious traffic. We spotted a new AdGholas malvertising campaign using the…
Read More
Part of this month’s Patch Tuesday is an update for a zero-day information disclosure vulnerability (CVE-2017-0022), which we privately reported to Microsoft in September 2016. This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit.
Read More
Microsoft’s Patch Tuesday for October fixed another previous zero-day vulnerability in Internet Explorer (IE) via MS16-118 and MS16-126: CVE-2016-3298. Before the lid was put on it, the security flaw was employed alongside CVE-2016-3351 by operators of the AdGholas malvertising campaign, analysis and disclosure of which were made with our collaboration with Proofpoint’s @kafeine last July 2016. The campaign was notable for the economies of scale and scope it achieved in its heyday until its operations were stymied. As shared by @kafeine, it was even integrated in Neutrino exploit kit’s malvertising chain as a malicious JavaScript.
Exploiting CVE-2016-3298 enables attackers to check for specific antivirus (AV) software installed in the system in order to avoid AV detection and threat research/analysis. This sounds innocuous, but determining if the system is unsecure eases—and even automates—the undertaking of sneaking malware into it.
Read More In July 2016, we worked with @kafeine of Proofpoint to help bring down the AdGholas malvertising campaign. This campaign started operating in 2015, which affected a million users per day during its peak before it was shut down earlier this year. It used the Angler and Neutrino exploit kits to attack victims. It also used steganography to hide malicious code within a picture.
In the process of working on this campaign, we found and analyzed an information disclosure vulnerability in both Internet Explorer and Microsoft Edge. We worked with Microsoft to address this flaw, named as CVE-2016-3351. Previously considered as a zero-day vulnerability, this issue was fixed in MS16-104 for Internet Explorer and MS16-105 for Edge, which was released though a patch earlier this week.
Read More