Malicious advertising campaigns, or malvertising, have been around for at least six years. Abusing legitimate ad delivery networks, however, continues to be one of the most effective ways for criminals to infect the computers of unsuspecting Internet users.
Malvertising is most efficient when crafted in such a way that requires no action from the user, like having to click on an ad or a link. Adobe Flash banners provide an opportunity to accomplish just this. By using ActionScript inherent to Flash, the attackers can embed malicious code directly into the ad banner. As the result, the browser automatically executes the code as soon as the ad is served to the user.
In this scenario, the malicious code exploits a known or 0-day vulnerability in the browser plugin loading the ad. Rather than parking such an exploit on a static webpage somewhere on the Internet and driving traffic to that domain (which will quickly become blacklisted), exploits embedded in ads are served directly to users via trusted channels.
The tactic allows the attackers to serve malicious ads across swaths of legitimate, and typically whitelisted in firewall rules, websites by abusing legitimate advertising networks and traffic brokers. To gain access to these networks, the criminals claim to represent legitimate clients, typically impersonating an advertising agency.
Given high payoffs and shortage of deployable solutions, products or services that facilitate malvertising are always in high demand on the cybercriminal marketplaces. Recently, a malicious Flash banner development service was launched on one of the cybercriminal marketplaces; as of this writing, it appears that the proprietor is unable to keep up with demand
The initial offering read as follows, translated from Russian:
I am offering my service of creating Flash banners that function in the allowScriptAccess=never mode!
The system is based on the modified and most relevant exploit of CVE-2015-5122, which works up to [Flash] version 18,0,0,203. The banner uses custom shell code, which provides the stable execution of its tasks in all Windows operating systems up to Windows 10.
You will receive a primitive script, used by the banner to get your configurations (enable cookies, set cookie lifetime, etc) and download your payload. Otherwise, the banner is completely clean.
The banner supports clickTAG as well as the pointer to your clickable link directly. For now, I’m joining it with a static or animated swf, but can join it with an image upon request.
The price is $150 per banner.
Another forum member expressed concern that the malicious code embedded into the banner will be quickly discovered by the ad network, which will put an end to the malvertising campaign and require the attacker to restart the approval process. Sensitive to market feedback, the developer quickly implemented the advice to serve the exploit from an external source:
Now the exploit is served from the admin panel when the flag “ENABLE_EXPLOIT” is set to “true.” Meaning, after your banner passes verification and approval with the broker, you can enable this variable, and the exploit will start getting served. The exploit itself is sent encrypted.
Products like the one above tailor to experienced providers of pay-per-install and blackhat SEO services. The ability to effectively deploy malicious ads is closely linked to the actor’s experience navigating the Internet advertising industry, a no small feat. So while crimeware like the Flash banner described above may be out of reach for most cyber-fraudsters, by all accounts the new product provides seasoned bot herders with a reliable revenue stream.