Infection Campaign Illustrates Cyber-criminals’ Adaptive Use of Ad Networks and “Just-in-Time” Malware Assembly to Selectively Target Users and Evade Traditional Security Defenses
Fairfax, VA – October 22, 2015 – Invincea, the leader in advanced endpoint threat protection, is alerting enterprises and individuals about an advanced malvertising attack employing malicious Web advertisements on the homepage of T-Online, Germany’s largest broadband provider.
For much of the past week, visitors to T-Online’s site were hit with ads dropping a sophisticated rootkit/banking Trojan and click-fraud malware in intricate attacks designed to steal financial information, gain persistent footholds on victim PCs and hijack them for additional fraudulent activity.
The cybercriminals abusing T-Online’s site configured their malicious ads to employ just-in-time (JIT) malware assembly on victim machines and incorporated scripting through native Windows utilities in order to evade traditional endpoint and network defenses. Only endpoint devices running secure virtual container and behavioral detection defenses are able to reliably defeat these types of attacks on end users.
During October 16 through October 20, 2015, the homepage of T-Online (www.t-online.de), Germany’s largest broadband provider and part of Deutsche Telekom, was observed by Invincea delivering malvertising Trojans when users logged out of their webmail accounts. It is likely that thousands of T-Online users have been impacted by this malvertising campaign. The ISP’s site is ranked the tenth most popular website in Germany, and 296th worldwide according to Alexa, making it the type of high-traffic domain coveted by malvertising actors.
The Trojans are related to Tinba, the “Tiny Banking” Trojan and rootkit family, which persists on the host and captures online banking credentials. In addition to banking Trojans, Bedep click-fraud bots were also delivered, which would turn an endpoint into a “zombie host” that would secretly click advertisements in an invisible browser, in order to generate fraudulent advertising revenue.
Specific attack details can be seen at:
Invincea captured numerous log files containing forensic information on the malvertising attacks, which were likely perpetrated by third parties without T-Online’s knowledge. The following examples show a set of Bedep malware attacks originating from the webmail logout page of T-Online.de. These attacks were detected and blocked by Invincea Advanced Endpoint Protection, preventing compromise of the users’ machines. In each case, the attack exploited a Flash vulnerability and then pivoted to use the native Windows utility cmd.exe. The attack employed sophisticated techniques including just-in-time (JIT) malware assembly and Windows utility-based scripting to evade network and endpoint defenses other than Invincea.
In the following attack timeline, a filename beginning with “rad” followed by a hexadecimal random character string is ultimately created on the endpoint. Invincea’s secure virtual container and behavioral detection capabilities detected and blocked the attack in real time, removing the malware and preventing it from accomplishing its objectives.
Log file showing an example of the Bedep malware created using just-in-time malware assembly
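As an added example that is not part of the original report, the following Python sketches an endpoint detection for the two-stage behavior described above: cmd.exe spawned from a browser or Flash plug-in process, followed by a file named “rad” plus a hexadecimal string being dropped and launched. The event-line format, host names, process names and file names are constructed assumptions, not log data from the page.

```python
import re
from collections import defaultdict

# Constructed sample endpoint events (not the page's log files). Each line is
# "<timestamp> key=value ...". Paths are assumed to contain no spaces.
SAMPLE_EVENTS = [
    "2015-10-18T10:01:02 host=ws17 type=process parent=iexplore.exe image=flashplayer_plugin.exe",
    "2015-10-18T10:01:05 host=ws17 type=process parent=iexplore.exe image=cmd.exe",
    "2015-10-18T10:01:06 host=ws17 type=file_create image=cmd.exe path=C:\\Users\\u\\AppData\\Local\\Temp\\rad3F2A1.tmp",
    "2015-10-18T10:01:07 host=ws17 type=process parent=cmd.exe image=rad3F2A1.tmp",
    "2015-10-18T11:30:00 host=ws22 type=process parent=explorer.exe image=cmd.exe",
    "2015-10-18T11:30:02 host=ws22 type=file_create image=notepad.exe path=C:\\Users\\u\\Documents\\radio.txt",
]

# Parent processes from which a cmd.exe launch is suspicious (assumed list).
BROWSER_PARENTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "flashplayer_plugin.exe"}

# "rad" followed by at least one hex character, optionally with extensions.
# "radio.txt" and "radar.exe" do not match because 'i' and 'r' are not hex.
RAD_NAME = re.compile(r"^rad[0-9a-f]+(\.[a-z0-9]+)*$", re.IGNORECASE)

def parse_event(line):
    """Split one constructed event line into a dict of its key=value fields."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def detect(lines):
    """Return {host: [findings]} for hosts showing the chained pattern.
    Stage 1 (cmd.exe from a browser/plug-in) must precede the rad-file stages,
    so a stray rad-named file on its own is not reported."""
    findings = defaultdict(list)
    cmd_from_browser = set()
    for line in lines:
        ev = parse_event(line)
        host, kind = ev["host"], ev["type"]
        image = ev.get("image", "").lower()
        if kind == "process" and image == "cmd.exe" and ev.get("parent", "").lower() in BROWSER_PARENTS:
            cmd_from_browser.add(host)
            findings[host].append(f"{ev['ts']} cmd.exe spawned by {ev['parent']}")
        elif kind == "file_create" and host in cmd_from_browser:
            name = ev["path"].rsplit("\\", 1)[-1]
            if RAD_NAME.match(name):
                findings[host].append(f"{ev['ts']} rad-pattern file dropped: {name}")
        elif kind == "process" and host in cmd_from_browser and RAD_NAME.match(image):
            findings[host].append(f"{ev['ts']} rad-pattern file executed: {image}")
    return dict(findings)
```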
At least one sample of this click-fraud malware was submitted to VirusTotal, as shown here.
The exploit kits behind these attacks used many domain names, but those domains resolved to a common set of IP addresses. Using passive DNS lookups, one can see the domain names associated with the IP addresses used in the T-Online malvertising attacks. Examples of the DNS logs are provided at this location and this location.
The Tinba rootkit attacks employed a Flash exploit, followed by the installation of the malware directly onto target endpoints. A log file showing a Tinba attack from the T-Online malvertising campaign is shown below. As in the previous case, Invincea’s secure virtual container and behavioral detection capabilities detected and blocked the attack in real time, removing the malware and preventing it from accomplishing its objectives.
Log file showing an example of the Tinba malware dropped and launched following a Flash exploit
According to VirusTotal, this malware beacons to several .ru and .su domain names:
About Real-Time Ad Bidding
Online ads are auctioned and sold via Real-Time Ad Bidding in “impression packs” of 1,000 page views. Invincea detected and stopped five attacks targeting our customers’ endpoints over a five-day period, representing a possible pool of 5,000 compromised systems. However, it can be presumed there were many more attacks that affected endpoints not protected by Invincea, which could dramatically increase the number of victims.
T-Online was likely not aware that its website was being abused by malvertisers via third-party ad networks. Any visitors to the popular site from October 16 through October 20, 2015 are advised to check their systems for possible compromise.
About Invincea, Inc.
Invincea is the leader in advanced endpoint threat protection for enterprises worldwide. The company provides the most comprehensive solution to contain, identify, and control the advanced attacks that evade legacy security controls. Invincea protects enterprises against targeted threats including spear-phishing and Web drive-by attacks that exploit Java, Flash, and other applications. Combining the visibility and control of an endpoint solution with the intelligence of cloud analysis, Invincea provides the only market-deployed solution that defends against 0-day exploits, file-less malware, and previously unknown malware. The company is venture capital-backed and based in Fairfax, VA. For more information, visit www.invincea.com.