Now that Microsoft has started blocking macros in Office documents delivered via the Internet, distributing malware via email has become more difficult and hackers have been forced to change their tactics, techniques, and procedures. This has been seen in phishing attempts that use a broader range of file types, and malware is increasingly being delivered via malicious websites, with traffic sent to those websites using malvertsing.
Malvertising is the term given to the use of malicious adverts to send visitors to websites hosting phishing kits, malware, or web pages that are used for a range of scams. The malicious adverts are added to advertising networks such as Google Ads and drive traffic to the malicious sites. With Google Ads, these malicious adverts are displayed at the top of the page for key search terms, and often masquerade as adverts for legitimate software, such as the free-to-use open-source 3D computer graphics software, Blender.
Many websites boost revenues by including third party ad blocks on their websites, with those adverts delivered through legitimate advertising networks. Typically, these have been the option of choice for malvertising due to the extent of the checks conducted by Google and the speed at which Google identifies and removes malicious ads. The malicious websites to which these adverts direct can perform drive-by malware downloads, probe for and exploit vulnerabilities in web browsers, or simply trick users into downloading and installing malicious files.
There is growing evidence that hackers are turning to malvertising for distributing malware, with one of the latest campaigns identified by researchers at SentinelOne. They identified a campaign that distributes .NET malware loaders, which in turn are being used to install FormBook malware variants – Information stealers capable of stealing data from infected systems, including credentials from web browsers, screenshots, and logging keystrokes to obtain passwords.
The developers of FormBook malware make it cheap and easy for threat actors to use their malware, providing it to subscribers under the malware-as-a-service model. Since 2016 when the malware first appeared, it has primarily been delivered via phishing emails containing Office files with malicious macros. Now that macros are being blocked by default, other methods of delivery need to be used. In this campaign, a virtualized .NET malware loader dubbed MalVirt is used to obfuscate the implementation and execution, with the loaders used to deliver FormBook variants, including the latest XLoader variants. One of the benefits of this method of delivery, aside from getting around Microsoft’s macro protections, is the massive reach of these campaigns, allowing far more individuals to be attacked than is possible using phishing emails.
How to Protect Against Malvertising
There are several ways that businesses can protect against malvertising, the easiest of which is to install antivirus software on all endpoints; however, the speed at which new malware variants are being developed is reducing the effectiveness of signature-based detection mechanisms. Antivirus software requires the signatures of malware to be added to malware definition lists before the malware can be detected and blocked. It is increasingly common for new malware variants to be used and then dropped by the time the signatures are added to antivirus software.
It is important to keep web browsers up to date to ensure that vulnerabilities cannot be exploited, and ad blockers can be used to prevent the adverts from being displayed, although many websites now require visitors to enable adverts to be displayed, since they are a vital source of revenue for website owners.