Register now for better personalized quote!

Threat Spotlight: "Kyle and Stan" Malvertising Network 9 Times Larger Than Expected

Sep, 22, 2014 Hi-network.com

This post was authored by Armin Pelkmann.

On September 8th, Cisco's Talos Security Intelligence & Research Group unveiled the existence of the "Kyle and Stan" Malvertisement Network. The network was responsible for placing malicious advertisements on big websites like amazon.com, ads.yahoo.com, www.winrar.com, youtube.com and 70 other domains. As it turns out, this was just the tip of the iceberg. Ongoing research now reveals the real size of the attackers' network is 9 timeslarger than reported in our first blog. For more details, read the Kyle and Stan Blog.

The infographic below illustrates how much more of the malvertisement network was uncovered in comparison to our first assessment. We have now isolated 6491 domainssharing the same infrastructure. This is over9 times the previously mentioned703domains.  We have observed and analyzed31151 connectionsmade to these domains. This equalsover 3 timesthe amount of connections previously observed. The increase in connections is most likely not proportional to the domains due to the fact that a long time that has passed since the initial attacks.

The discovery difference from the previous blog to this one in raw numbers. With more than 3-times the now observed connections and over 9-times the revealed malicious domains, this malvertising network is of unusually massive proportions.

Identifying all domains used by the attacker's infrastructure helped us get a better view of the attack timeline. The first attempts to spread malware, spyware and adware are dating back to January 2012.

 

The domains of the typekyle.mxp677.comstan.mxp681.comand lpmxp47.com seem to have usually a relatively short lifespan until they get replaced. The attacker seems to use them for a short while, burn them and move on to the subsequent number. Domains like megashre.infoor file36.comseem to be used for a longer period and are still active.

Noteworthy is that the popular domain www.winrar.comis also part of  these attackers network. The website is build to fool visitors into believing they are installing the popular compression tool WinRar, but instead they are downloading malware. This website exhibits a significant traffic load and is a good example on how the attackers behind this network are trying to fool users into installing their malware.

 

 

 

We also found plenty of domains that use a default page like this:

The source of the websites contains a few Spanish words in the JavaScript.  Additionally a lot of the Whois records are pointing at services operated out of Spain.

While these indicators may not be entirely sufficient to determine the location of the masterminds behind this network, it is obvious that a part of the operation is run on servers hosted in Spain.

 

IOCs

Talos Security Intelligence & Research Group has uncovered huge parts of this malvertisement network. The list of domains broken down into different families:

  • 1836 Kyle and Stan subdomains File 1
  • 1895 mxp and lpmxp and other connected domains File 2
  • 2760 pages that are mostly fake download websites File 3

 

Conclusion

The "Kyle and Stan" network is a highly sophisticated Malvertising Network. It leverages the enormous reach of well placed malicious advertisements on very well known websites in order to potentially reach millions of users. The goal is to infect Windows and Mac users alike with spyware, adware, and browser hijackers. The malware droppers employ clever techniques and encryption to ensure unique checksums to avoid detection.

The latest discoveries of this very blog have proven that the network is far larger than originally reported. The count of websites connected to the attackers infrastructure is now up to 6491 and is growing daily. The fact that parts of this infrastructure date back to January 2012 is concerning, as it shows that the threat actors have been active for over 2 and a half years. We've continued to push additional protection into various Cisco security devices to mitigate this threat.

 

Protecting Users Against These Threats

Advanced Malware Protection (AMP) is well suited to detect and block this type of  malware.

CWS or WSA web scanning will prevent access to the websites of the "Kyle and Stan" network.

The Network Security protection of IPS and NGFW have up-to-date signatures and will block this threat.

ESA is not applicable for this attack, because the threat is not using email.


tag-icon Hot Tags : #Security Cisco Talos Cisco Security AMP CWS hacking esa adware kyle

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.