Stegano Exploit Kit Hiding Within GIF-Based Browser Ads, Remained Largely Undetected for 2 Years: Report

By Shekhar Thakran | Updated: 9 December 2016 18:41 IST
Highlights
  • The exploit kit was being served by major ad networks for at least two months
  • Makes use of an Internet Explorer vulnerability, with Flash exploits for the final stage
  • Targeted the corporate sector and users of payment services
The ads that appear on websites can sometimes be intrusive, though most major ad networks, alongside modern browsers, protect users from ad-based attacks. However, if a new report by Eset researchers is anything to go by, a type of malicious ad capable of handing an attacker full control of the victim's machine has been flying under the radar for over two years, and has been served on major ad networks for at least two months.

Eset says the Stegano exploit kit had been targeting the corporate sector, and especially users of payment services, for the last two years without being detected by the major networks. The two main culprit ads highlighted by Eset were for a screenshot app called "Broxu" and, ironically, for a product called "Browser Defence". Internet Explorer is said to be the only browser affected. The exploit code is hidden within the pixel data of the GIF-based ads, and has avoided detection by activating only after determining that the victim's machine is not one of the sandbox environments security researchers usually use.

Without requiring any user interaction, the first script sends information about the machine to the remote attacker and, "based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin," Eset reports. The infected version of the graphic carries the script encoded in the alpha (transparency) channel of the image; since the modification is minor, the infected graphic is visually almost identical to the original.

Once the modified ad is placed, a JavaScript environment check verifies that the browser is not being monitored. Another script exploits a known Internet Explorer information-disclosure vulnerability, CVE-2016-0162, to confirm that it is running on a real, unmonitored PC rather than an analyst's sandbox, and only then extracts the hidden code from the image and runs it.
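As an added illustration of the two steps described above (this is not Eset's code, nor code from the exploit kit, and it uses a simpler least-significant-bit scheme than the one Eset analysed, which is an assumption here), the following JavaScript hides a script in the alpha channel of an RGBA pixel buffer, recovers it, and shows the check an ad network could run: comparing the creative it approved against the copy actually being served. Changes that are confined to the alpha channel and never exceed one step are the signature of such an "evil twin". The image, the payload and all function names are constructed for this example.

```javascript
// Added example: alpha-channel steganography and a twin-comparison check.
// Not the exploit kit's code; the LSB scheme and all names are assumptions.

// Constructed sample: a 32x32 fully opaque grey image (every alpha = 255).
const WIDTH = 32, HEIGHT = 32;
function makeCleanImage() {
  const rgba = new Uint8ClampedArray(WIDTH * HEIGHT * 4);
  for (let i = 0; i < rgba.length; i += 4) {
    rgba[i] = 120; rgba[i + 1] = 130; rgba[i + 2] = 140; rgba[i + 3] = 255;
  }
  return rgba;
}

// Embed a 32-bit big-endian length header followed by the payload bytes,
// one bit per pixel, in the least significant bit of each alpha value.
// Each alpha changes by at most 1/255, which is invisible on screen.
function encodeAlpha(rgba, payload) {
  const bytes = new TextEncoder().encode(payload);
  const capacityBits = rgba.length / 4;            // one bit per pixel
  if ((4 + bytes.length) * 8 > capacityBits) throw new Error('payload too large');
  const framed = new Uint8Array(4 + bytes.length);
  new DataView(framed.buffer).setUint32(0, bytes.length);
  framed.set(bytes, 4);
  const out = new Uint8ClampedArray(rgba);          // copy; original stays clean
  let pixel = 0;
  for (const b of framed) {
    for (let bit = 7; bit >= 0; bit--) {
      const a = out[pixel * 4 + 3];
      out[pixel * 4 + 3] = (a & 0xfe) | ((b >> bit) & 1);
      pixel++;
    }
  }
  return out;
}

// Reverse of encodeAlpha: read the header, validate it against the image
// size (a clean opaque image yields 0xFFFFFFFF and is rejected), then the body.
function decodeAlpha(rgba) {
  const readByte = (firstPixel) => {
    let b = 0;
    for (let k = 0; k < 8; k++) b = (b << 1) | (rgba[(firstPixel + k) * 4 + 3] & 1);
    return b;
  };
  const header = new Uint8Array(4);
  for (let i = 0; i < 4; i++) header[i] = readByte(i * 8);
  const len = new DataView(header.buffer).getUint32(0);
  if ((4 + len) * 8 > rgba.length / 4) throw new Error('corrupt length header');
  const bytes = new Uint8Array(len);
  for (let i = 0; i < len; i++) bytes[i] = readByte((4 + i) * 8);
  return new TextDecoder().decode(bytes);
}

// Defender-side check: diff the approved creative against the served copy.
// Pixels that differ only in alpha, and only by one step, across many pixels
// is what LSB steganography in the transparency channel looks like.
function compareTwins(clean, suspect) {
  if (clean.length !== suspect.length) throw new Error('size mismatch');
  let rgbDiffs = 0, alphaDiffs = 0, maxAlphaDelta = 0;
  for (let i = 0; i < clean.length; i += 4) {
    if (clean[i] !== suspect[i] || clean[i + 1] !== suspect[i + 1] ||
        clean[i + 2] !== suspect[i + 2]) rgbDiffs++;
    const d = Math.abs(clean[i + 3] - suspect[i + 3]);
    if (d) { alphaDiffs++; if (d > maxAlphaDelta) maxAlphaDelta = d; }
  }
  const suspicious = rgbDiffs === 0 && alphaDiffs > 0 && maxAlphaDelta === 1;
  return { rgbDiffs, alphaDiffs, maxAlphaDelta, suspicious };
}

// Round trip on the constructed image; the payload is a stand-in for the
// hidden script, not anything recovered from a real ad.
function demo() {
  const clean = makeCleanImage();
  const payload = "alert('stegano')";
  const twin = encodeAlpha(clean, payload);
  return { recovered: decodeAlpha(twin), report: compareTwins(clean, twin) };
}
```

The comparison works only when the network keeps a trusted copy of the creative it approved; a single served image on its own gives nothing to diff against, which is exactly why the "clean image or evil twin" server-side switch described above was so hard to catch.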

"If no indication of monitoring is detected, it creates an iframe (just one pixel in size) at coordinates off the screen, sets its window.name property (this name will be used later) and redirects to TinyURL via https. TinyURL then redirects to an exploit landing page via http. The referrer to the original site is lost during this process," Eset said.

The landing page then checks again for Internet Explorer and loads a Flash file that contains a second Flash file. Depending on the Flash version it finds, the inner file can serve one of three exploits. To decide which, it reports the version information back to the server in the form of a GIF request; the server replies with a code indicating which of the three Flash vulnerabilities to exploit, along with the password the shellcode requires to download the final payload.

After one more check that it is not being observed by a security analyst, the payload is downloaded and launched. The victim can then be infected with a backdoor, keylogger, screenshot-taker or video recorder, Engadget points out; at this point the user's entire machine is compromised. While the Stegano exploit kit has been around for a while, no successful exploits have been detected yet.
