Stegano campaign exposed millions netizens via attack code in pixels of ads banners

Stegano campaign – Millions of people visiting major websites may have been infected with malicious code that was embedded in pixels of the ads banners.

A single pixel could be used to compromise your PC, millions of people visiting major websites over the past months may have been infected with malicious code that was embedded in pixels of the ads banners.

The malware researchers from security firm ESET dubbed this malvertising campaign ‘Stegano,’ despite it dates back to 2014, since October threat actors started using the technique via ads displayed on many high-reputable news sites. each with millions of daily visitors.

According to the company, millions of daily visitors may have been exposed to the Stegano campaign.

The experts discovered that Stegano hides portions of its malicious code in parameters controlling the transparency of pixels used to display banner ads, but the impact of the appearance of the images is almost imperceptible.

“The malicious version of the graphic has a script encoded in its alpha channel, which defines the transparency of each pixel. Since the modification is minor, the final picture’s color tone is only slightly different to that of the clean version” reads the analysis published by the company-

The researchers discovered that the code first checks for the presence of a virtualized environment,sandboxing mechanisms, or security software, then redirects the victim’s browser to a site that hosts three exploits for Adobe Flash vulnerabilities. The script targets users who visited the news sites with Internet Explorer browsers, it leverages on the CVE-2016-0162 exploitation.

“We can say that even some of the other major exploit kits, like Angler and Neutrino, are outclassed by the Stegano kit in terms of referrals—the websites onto which they managed to get the malicious banners installed,” contines the analysis. “We have observed major domains, including news websites visited by millions of people every day, acting as ‘referrers’ hosting these advertisements. Upon hitting the advertising slot, the browser will display an ordinary-looking banner to the observer. There is, however, a lot more to it than advertising.”

The exploit is used by crooks to a malicious code belonging to the families of malware known as Ursnif family (banking trojan and data stealer) and the popular Ramnit malware.

The infections were concentrated in Canada, the UK, Australia, Spain, and Italy because its users used to visit the websites affected by the malvertising campaign.

In order to avoid being victims of the Stegano kit, or any other known exploit kit in the threat landscape, netizens have to use up to date software and security solutions.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Stegano kit, malware)