A malicious advertising (malvertising) network is distributing spyware, adware, and browser hijackers to both Macs and PCs, crafting a unique malware bundle for each machine it infects. The network, dubbed "Kyle and Stan" by Cisco's TALOS Security Research, is 700 domains strong, including the likes of amazon.com and youtube.com. "This by all means is most likely just the tip of the iceberg," researchers said in a blog post today.
- The world of online ads has only a few major players that are supplying ads to thousands of websites. If an attacker can get one of those major advertisement networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.
"Kyle and Stan" is so named because the group dubbed hundreds of their subdomains "stan.mxp2099.com" and "kyle.mxp2038.com." Here's what happens when a user visits one of the malicious sites:
- The website automatically starts the download of a unique piece of malware for every user. The file is a bundle of legitimate software, like a media-player, and compiles malware and a unique-to-every-user configuration into the downloaded file. The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far. The impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike.
The malicious kit for Macs includes the legitimate application MPlayerX and the malicious browser hijackers Conduit and VSearch.
Because the malware package is unique to each infected machine, the checksum is different every time, which makes detection very difficult.
"All in all," say the researchers, "we are facing a very robust and well-engineered malware delivery network that won't be taken down until the minds behind this are identified."