YouTube ads network serving Caphaw Banking Trojan

Pierluigi Paganini February 26, 2014

YouTube users were targeted by a classic drive-by download attack by exploiting client Java software vulnerabilities and serving Caphaw Banking Trojan.

What about using YouTube to spread malware? YouTube is a video-sharing website on which users can upload, view and share videos, it has great appeal to the users and represents one of the bastions of the Internet. The website was visited by more than one billion of unique visitors, one billion of potential victims in case of a malware-based attack.

Security experts at Bromium Labs discovered that YouTube advertising network has been abused by attackers to spread malicious code, in particular, they have discovered that YouTube In-Stream Ads were redirecting users to malicious websites. At time I’m writing it is still not clear the number of victims of the attack that abused of YouTube service.

Victims were hijacked to websites controlled by attackers that were hosting the Styx Exploit Kit and was exploiting Java client side vulnerabilities by drive-by-download attack. The experts revealed that the attack allowed the installation on victim’s PC of the Caphaw Banking Trojan. The attackers exploited the Java vulnerability (CVE-2013-2460) to infect victims, interesting to note that malware is able to detect the specific Java version installed on the user’s machine and based upon it is able to serve the suitable exploit.

“We noticed the malware tries to detect the version of Java installed and based on the version, it sends out different URLs to ensure that the exploit is compatible with the Java versions. This is a signature of the Styx Exploit kit.”

“We don’t yet know the exact bypass which the attackers used to evade Google’s internal advertisement security checks. Google has informed us that they’re conducting a full investigation of this abuse and will take appropriate measures.” researchers said.

Once again lack of efficient patch management is cause of serious problem, Oracle in fact has already patched the exploited Java vulnerability last year, but infected users haven’t updated their software.

youtube-adv-Caphaw Banking Trojan3

The attack scenario is composed of the following phases:
  • Step 1: User watches a YouTube video
  • Step 2: User sees a thumbnail of another video (*.JPG)
  • Step 3: User clicks on the thumbnail and watches the video. In the background the user gets redirected to a malicious ad served by Googleads (*.doubleclick.net)
  • Step 4: Malware redirects the user to ‘foulpapers.com’
  • Step 5: Foulpapers.com iframes the aecua.nl
  • Step 6: aecua.nl delivers the exploit (in our case it was Styx exploit kit)

YouTube Adv abuse

 

youtube-adv-Caphaw Banking Trojan2

The server used to spread the Caphaw Banking Malware is located in Europe and malware authors implemented  Generation Algorithm (DGA)  technique for communicating with Command and Control server (C&C). 
Domain generation algorithm (DGA) algorithms are used by many malware to periodically generate a large number of domain names where criminals host Command & Control servers.
“It uses a DGA (Domain Generation Algorithm) for CnC, we’re still digging into the various IP addresses leveraged.” reports the official post from Bromium Labs.

Google, which owns YouTube, has already taken down the malvertisment campaign and it is investigating on the attach to prevent future offensives.

Let’s remind that a similar attack was detected last month, in that case the attackers abused for Yahoo adv network.

Watering hole attacks are clearly getting popular by attackers. Recently, Yahoo mail users were attacked using similar vectors. Several high-profile websites have become victims of such attacks recently. From the attackers point of view, this is the easiest way to cause maximum damage – max ROI.”

Pierluigi Paganini

(Security Affairs –  YouTube, watering hole attack)



you might also like

leave a comment