On Tuesday, Microsoft patched the vulnerabilities affecting its products. One of them, an Internet Explorer zero-day identified as CVE-2016-3298, was described as an information disclosure issue that was being exploited in the wild. The flaw lies in how the browser handles objects in memory; by luring a targeted user into opening a specific website, an attacker can use it to test for the presence of particular files on the victim's disk.
Before the patch, attackers had been using this vulnerability in malvertising campaigns to avoid automated analysis systems and security researchers, according to security firm Proofpoint, which discovered the exploitation.
Proofpoint's researchers identified the exploit in the massive malvertising campaigns run by two threat actors, AdGholas and GooNky.
Experts at Proofpoint first spotted the malvertising campaign back in April, when it was targeting users in France; they believe it had been leveraged by AdGholas.
The group also exploited another, now patched, zero-day vulnerability, CVE-2016-3351, which affected Microsoft Edge and was fixed last month. Experts at Proofpoint believe that flaw has been exploited since 2014. Both vulnerabilities allowed the cybercriminals to make sure that the targeted systems did not belong to security researchers.
The attackers used MIME-type checks to find out whether file types usually associated with security researchers were associated with any program on the victim's system. They checked whether extensions such as .pcap, .py and .saz were associated with an application, which typically indicates an analysis environment. The hackers also searched for common file types such as .doc, .mp4 and .mkv to determine whether the system belonged to a regular user.
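As an added example (not code from Proofpoint or from the article), the heuristic below is a triage helper a defender might run over scripts captured from a suspicious landing page. It flags a script that references several of the analyst-associated extensions named above (.pcap, .py, .saz) together with at least one consumer extension (.doc, .mp4, .mkv) and some mention of MIME or content-type checking. The threshold, the keyword list and the sample scripts are assumptions constructed for this example; the code only counts extension references and does not reproduce any fingerprinting logic itself.

```python
import re

# Extensions the article names as typical of analysis environments
ANALYST_EXTENSIONS = {".pcap", ".py", ".saz"}
# Extensions the article names as typical of ordinary consumer systems
CONSUMER_EXTENSIONS = {".doc", ".mp4", ".mkv"}

# Matches a dot-prefixed extension token inside a string literal or URL
_EXT_RE = re.compile(r"\.(?:pcap|py|saz|doc|mp4|mkv)\b", re.IGNORECASE)


def extension_probe_summary(script_text):
    """Return the analyst and consumer extensions referenced in script_text, sorted."""
    found = {m.group(0).lower() for m in _EXT_RE.finditer(script_text)}
    return {
        "analyst": sorted(found & ANALYST_EXTENSIONS),
        "consumer": sorted(found & CONSUMER_EXTENSIONS),
    }


def looks_like_environment_fingerprint(script_text, min_analyst=2):
    """Heuristic: True when the script references at least `min_analyst`
    analyst-tool extensions, at least one consumer extension, and a
    MIME/content-type keyword. The threshold of 2 is an assumption chosen
    for this example, not a figure from the article."""
    summary = extension_probe_summary(script_text)
    mentions_mime = re.search(r"mime|content-?type", script_text, re.IGNORECASE) is not None
    return (
        len(summary["analyst"]) >= min_analyst
        and len(summary["consumer"]) >= 1
        and mentions_mime
    )


# Constructed sample scripts (not real malvertising code)
SUSPICIOUS_SAMPLE = """
var probes = ["file.pcap", "script.py", "session.saz", "report.doc", "movie.mp4"];
for (var i = 0; i < probes.length; i++) { checkMimeType(probes[i]); }
"""

BENIGN_SAMPLE = """
var playlist = ["intro.mp4", "episode1.mkv"];
player.load(playlist);
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, extension_probe_summary(sample), looks_like_environment_fingerprint(sample))
```

Requiring both analyst and consumer extensions keeps the rule from firing on ordinary media players or download pages, which reference consumer extensions alone; the MIME keyword requirement is a further assumption that trades recall for fewer false positives.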
In a blog post, Proofpoint explained that “Threat actors, particularly those in the AdGholas and GooNky groups, continue to look for new means to exploit browser flaws. More importantly, though, they are turning to flaws that allow them to focus on “high-quality users”, specifically consumers rather than researchers, vendors, and sandbox environments that could detect their operations. Information disclosure vulnerabilities like CVE-2016-3298 described here and the previously discussed CVE-2016-3351 allow actors to filter based on software and configurations typically associated with security research environments.”