Eset's report on Stegano, a newly discovered exploit kit, reveals an insanely clever, paranoid, and devastatingly effective technique used by criminals to infect their victims' computers by hiding malicious code in plain sight on websites that accepted their innocuous-seeming banner ads.
This new program triggered a network request to a site controlled by the attackers, which repeatedly checked the target's computer to see if it was running inside a virtual machine (a telltale sign of a paranoid user, possibly a security researcher who would figure out what was going on) or whether it had any anti-virus software. Once it was satisfied that the target was not in a position to detect active attacks, it launched exploits targeted at Internet Explorer/Flash to hijack the machine and gather the user's keystrokes, with a special emphasis on bank-industry information.
The Stegano exploit kit has been trying to fly under the radar since at least 2014. Its authors have put quite some effort into implementing several techniques to achieve self-concealment. In one of the most recent campaigns we detected, which we traced back at least to the beginning of October 2016, they had been distributing the kit through advertisement banners using steganography and performing several checks to confirm that they were not being monitored.
In the event of successful exploitation, the vulnerable victims’ systems had been left exposed to further compromise by various malicious payloads including backdoors, spyware and banking Trojans.
Exploitation by the Stegano kit, or any other known exploit kit for that matter, can often be avoided by running fully patched software and by using a reliable, updated internet security solution.
Millions exposed to malvertising that hid attack code in banner pixels [Dan Goodin/Ars Technica]
New Stegano Exploit Kit Hides Malvertising Code in Image Pixels [Catalin Cimpanu/Bleeping Computer]