A new social engineering-based malvertising campaign targeting Japan has been found to deliver malicious ads that deploy a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts.
Malicious ad attacks are not a new discovery, but over the past year, malvertising case studies have become increasingly complex. This particular campaign used three different browser exploits to gain initial access to victims' computers and then deliver the actual malicious payload. One of those exploits was CVE-2016-0189, which Microsoft patched back in March.
The attack starts with an advertisement distributed through a legitimate ad network called PopAds that is served on a number of high-profile websites including The Verge, PC Gamer, and The New York Times. Attackers used this ad network to distribute advertisements for more than 500 domains belonging to companies such as Amazon, Facebook, and Google.
The ad network does not check whether advertisements are malicious, so the attackers were able to make it hard for defenders to trace a connection between the malicious advertisements and the actual origin of the attack. The advertisement itself has been set up so that it is highly unlikely visitors will click on it, but it is only one of many parts of a well-planned attack. Sooner or later, an unsuspecting victim comes across the malicious ads and downloads the RIG exploit kit from a RIG EK V3 server.
After the RIG exploit kit is downloaded, a number of exploits are applied to the machine. These browser exploits give the attackers initial access to the victim's machine, after which the victim is redirected to a server hosting the Magnitude and XLoader malware. At this point, the browser exploits have done their job by creating an initial access point for the attackers, but if the victim is not tricked into executing a malicious file, nothing further happens.
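The chain described above (ad network, exploit-kit landing page, then a binary download from that landing host) is what a defender can reconstruct from proxy logs. The following is an added example, not code from the original article; the log format, hostnames and ad-network list are constructed and assumed.

```python
"""Flag malvertising-style request chains in constructed proxy logs:
an ad-network hit, an HTML page reached with that ad host as referer
(the exploit-kit landing page), then an executable fetched from it."""
from collections import defaultdict

# Constructed log format: "<client_ip> <host> <path> <referer_host> <content_type>"
SAMPLE_LOGS = """\
10.0.0.5 www.example-news.test /article/1 - text/html
10.0.0.5 ads.adnetwork.test /serve?id=77 www.example-news.test text/html
10.0.0.5 ek-landing.test /index.php?q=abc ads.adnetwork.test text/html
10.0.0.5 ek-landing.test /payload.exe ek-landing.test application/x-msdownload
10.0.0.7 www.example-news.test /article/2 - text/html
10.0.0.7 ads.adnetwork.test /serve?id=78 www.example-news.test text/html
10.0.0.7 cdn.legit.test /banner.png ads.adnetwork.test image/png
"""

AD_NETWORKS = {"ads.adnetwork.test"}  # assumed list of known ad-serving hosts
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream"}


def parse(log_text):
    """Yield (client_ip, host, path, referer_host or None, content_type)."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole run
        ip, host, path, ref, ctype = parts
        yield ip, host, path, (None if ref == "-" else ref), ctype


def find_malvertising_chains(log_text):
    """Return {client_ip: (ad_host, landing_host, binary_path)} for each client
    whose requests form the ad -> landing page -> executable chain, in order."""
    by_client = defaultdict(list)
    for rec in parse(log_text):
        by_client[rec[0]].append(rec)
    flagged = {}
    for ip, recs in by_client.items():
        ad_host = landing = None
        for _, host, path, ref, ctype in recs:
            if host in AD_NETWORKS:
                ad_host = host  # client was served an ad
            elif ad_host and ref == ad_host and ctype == "text/html":
                landing = host  # HTML page reached via the ad redirect
            elif landing and host == landing and ctype in BINARY_TYPES:
                flagged[ip] = (ad_host, landing, path)  # binary from landing host
    return flagged


if __name__ == "__main__":
    print(find_malvertising_chains(SAMPLE_LOGS))
```

Client 10.0.0.7 is not flagged because the ad only led to an image, which is the normal case; tuning the ad-network list to your own traffic is the main operational step.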
Magnitude is one of those malicious files that will be downloaded after successful exploitation and it can compromise machines running Windows XP through Windows 10. The malware aims to steal information associated with cryptocurrency accounts like bitcoin wallets.
The malware looks for credentials stored on the machine's hard drive and then transfers them to a server running free web applications called Bitcoin miners. This type of mining is Magnitude's main goal, as it allows an attacker to make money by processing transactions on behalf of a cryptocurrency account.
Magnitude uses legitimate mining pools such as BTCGuild, F2Pool, and Multipool to process transactions on behalf of its victims. The malware appears to plug into existing mining pools, where attackers can earn more money without additional effort such as reviewing documentation or checking for updates on their servers.
The XLoader malware is also delivered through malvertising, and it’s a relatively new discovery. It has a modular structure that allows attackers to deploy new capabilities such as ransomware, backdoors, and other malicious modules.
Currently, the first module attackers can use is one that downloads another cryptocurrency mining application called JSEcoin. JSEcoin allows attackers to perform any kind of transaction on behalf of the victims and pays them in cryptocurrency for their services.
The simplicity of JSEcoin's system lets attackers deploy it easily on websites and web applications without exposing themselves to consequences such as a ban from the hosting provider. The easiest way for attackers to start making money by selling services for cryptocurrency is to run a mining pool they control on websites and web applications. It is not the first time we have seen this kind of attack involving cryptocurrencies, but it is hard to believe we have not seen more attacks like this in 2017.