YouTube Malvertising: Ads on YouTube lead users to the Sweet Orange exploit kit

YouTube Ads lead to exploit kits, YouTube serving ‘malvertising’?

You may have heard the term malvertising and of the threats it poses. Malvertising is usually served by attackers through shady sites, or by compromising legitimate ones, to spread a malware payload. Researchers at TrendMicro Labs have found that even Google's own YouTube is being used by attackers to display such rogue ads. These ads lead users to exploit kits, which drop malware capable of stealing identities, personal information or banking details.

The blog report states that,

Recently, we saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label.

TrendMicro has been researching malvertising trends for the past few months and arrived at this conclusion. It goes on to state that neither Google nor YouTube is itself serving the malicious ads; rather, the attackers appear to be operating through ad campaigns bought from legitimate ad providers. TrendMicro states:

The ads we’ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.

What is Malvertising?

Here is a brief introduction to the world of malvertising. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and web pages. Legitimate online advertising is a solid platform for spreading malware precisely because significant effort goes into making ads attract users. Since advertising content can be placed on high-profile, reputable websites through legitimate advertising networks, it gives attackers an excellent opportunity to deliver and execute a malicious payload without ever compromising the site that displays the ad.

How was YouTube used?

Apparently the attackers turned to YouTube because it belongs to Google and gives them an excellent opportunity to put their malware in front of a very large audience.

In order to make their activity look legitimate, the attackers used modified DNS information of a Polish government site. They did not compromise the actual site; instead they were able to change its DNS information by adding subdomains that point to their own servers. TrendMicro was unable to determine how the attackers achieved this. Because the payload hosts were subdomains of a legitimate government domain, URL-reputation filters that judge a site by its parent domain would not flag them.

TrendMicro found that the malvertising traffic passed through two redirection servers, located in the Netherlands, before ending up at the malicious server, located in the United States.

TrendMicro identified the exploit kit used in this YouTube malvertising attack as the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:

CVE-2013-2460 – Java
CVE-2013-2551 – Internet Explorer
CVE-2014-0515 – Flash
CVE-2014-0322 – Internet Explorer

TrendMicro further found that this particular version of Sweet Orange uses the vulnerabilities in Microsoft's Internet Explorer browser to spread its malware, along with those in old versions of Flash and Java. They also noticed that the URL of the actual payload constantly changes, but all of the URLs used subdomains on the same Polish site mentioned above. Furthermore, the behavior of these payloads is identical.
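The two observations above, a redirect chain from the ad through intermediate ad servers, and payload hosts that are freshly added subdomains of a legitimate domain pointing at attacker infrastructure, can be turned into a detection. The script below is an added example and is not code from the original article or from TrendMicro: it reconstructs ad-click redirect chains from proxy log lines by following referer to requested URL, and flags a chain that starts at YouTube, passes through at least one redirector, and lands on a subdomain that resolves outside the network of its known parent domain. All log lines, hostnames and DNS answers are constructed placeholders (TEST-NET addresses, example domains), not indicators from the real campaign.

```python
"""Reconstruct ad-click redirect chains from proxy logs and flag ones that end
on a subdomain of a trusted domain that does not live on that domain's own
network.  All log lines, hostnames and DNS answers below are constructed for
this example (TEST-NET addresses, placeholder domains); they are not
indicators from the campaign described in the article."""

from collections import defaultdict
from urllib.parse import urlparse
import ipaddress

# Constructed proxy log: "time client referer requested-url" per line.
LOG = """\
10:00:01 10.0.0.5 https://www.youtube.com/watch?v=placeholder https://ads-one.example/click?id=1
10:00:02 10.0.0.5 https://ads-one.example/click?id=1 https://ads-two.example/r?u=2
10:00:03 10.0.0.5 https://ads-two.example/r?u=2 https://abc123.agency.example.gov.pl/j.php
10:00:04 10.0.0.5 https://abc123.agency.example.gov.pl/j.php https://abc123.agency.example.gov.pl/x.jar
10:05:00 10.0.0.9 https://www.youtube.com/watch?v=placeholder https://ads-one.example/click?id=7
10:05:01 10.0.0.9 https://ads-one.example/click?id=7 https://cdn.example.net/banner.png
"""

# Constructed DNS answers.  A real check would query a passive-DNS source.
DNS = {
    "agency.example.gov.pl": "192.0.2.10",            # hypothetical legitimate apex
    "www.agency.example.gov.pl": "192.0.2.11",        # legitimate host, same /24
    "abc123.agency.example.gov.pl": "198.51.100.23",  # hypothetical attacker-added subdomain
    "ads-one.example": "203.0.113.5",
    "ads-two.example": "203.0.113.6",
    "cdn.example.net": "203.0.113.40",
}


def parse_log(text):
    """Split each non-empty line into (time, client, referer, url)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def host_of(url):
    return urlparse(url).hostname or ""


def is_youtube(host):
    return host == "youtube.com" or host.endswith(".youtube.com")


def build_chains(events):
    """Follow referer -> url edges per client, starting from YouTube pages."""
    nxt = defaultdict(dict)
    for _, client, referer, url in events:
        nxt[client][referer] = url
    chains = []
    for client, edges in nxt.items():
        for start in [r for r in edges if is_youtube(host_of(r))]:
            chain = [start]
            # Stop at an unknown URL or on a cycle.
            while chain[-1] in edges and edges[chain[-1]] not in chain:
                chain.append(edges[chain[-1]])
            chains.append((client, chain))
    return chains


def hop_hosts(chain):
    """Collapse a URL chain to its sequence of distinct consecutive hosts."""
    hosts = []
    for url in chain:
        h = host_of(url)
        if not hosts or hosts[-1] != h:
            hosts.append(h)
    return hosts


def known_parent(host, dns):
    """Nearest ancestor of host that we hold a DNS record for, else None."""
    labels = host.split(".")
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in dns:
            return parent
    return None


def stray_subdomain(host, dns):
    """True if host hangs off a known domain but resolves outside its /24."""
    parent = known_parent(host, dns)
    if parent is None or host not in dns:
        return False
    sub_net = ipaddress.ip_network(dns[host] + "/24", strict=False)
    parent_net = ipaddress.ip_network(dns[parent] + "/24", strict=False)
    return sub_net != parent_net


def analyse(log_text, dns):
    """Flag chains: YouTube -> one or more redirectors -> stray subdomain."""
    findings = []
    for client, chain in build_chains(parse_log(log_text)):
        hosts = hop_hosts(chain)
        redirectors = hosts[1:-1]
        flagged = len(redirectors) >= 1 and stray_subdomain(hosts[-1], dns)
        findings.append({"client": client, "hosts": hosts, "flagged": flagged})
    return findings


if __name__ == "__main__":
    for f in analyse(LOG, DNS):
        print("ALERT" if f["flagged"] else "ok   ", f["client"], " -> ".join(f["hosts"]))
```

Two caveats on the design: comparing /24 networks is a crude stand-in for an ASN or hosting-provider comparison, and walking up labels until a known record is found is a naive substitute for a public-suffix lookup, so on real data both should be replaced. The logic also deliberately ignores the ever-changing payload path and keys only on the host, which matches TrendMicro's observation that the URLs varied while the subdomains stayed on the same parent domain.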

TrendMicro listed the following hashes as part of this attack:


The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible.

Microsoft, for its part, had already patched the older of the two IE vulnerabilities, CVE-2013-2551, in May 2013. Users who keep IE, Java and Flash up to date are not affected by this attack. The older the versions you run, the more exposed you are, because exploit kits keep using old vulnerabilities for as long as unpatched users remain.

TrendMicro has already notified Google, and hopefully Google will take action against the malvertisers soon.

Resource: TrendMicro Labs
