Security researchers from Carbon Black have identified a new, ongoing adware campaign that uses sophisticated obfuscation techniques modeled on the Operation Aurora attack.
The Adware Campaign Is a Menace
Carbon Black experts have spotted a new adware campaign that spreads ransomware and uses tactics similar to the nation-state attack that became known as Operation Aurora. The threat is made up of well-known adware variants such as OpenCandy and Dealply, together with trojanized Chromium instances (the open-source version of the Chrome web browser) and sophisticated evasion techniques. The stealth features let the criminals evade sandboxing and other intrusion detection techniques through binary fragmentation. Once a machine is infected, the adware operators can bypass the existing security controls and install further payloads, potentially giving the attackers full remote control of the victim systems.
The experts believe the campaign is used to deliver secondary payloads such as ransomware and other malware, and that it establishes persistence on the victim machines. Several Carbon Black customers have reported being hit with the Enigma ransomware, and on compromised machines the malicious code also dropped other dangerous payloads.
System administrators should check suspicious machines for newly created tasks, using the built-in Windows Task Manager, to ensure the hosts are free of infection. A more detailed investigation is under way.
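As an added example (not from the article or from Carbon Black), the following PowerShell script performs the task check described above: it enumerates scheduled tasks registered within the last week and flags any whose action runs from a user-writable directory, which is where droppers of this kind typically stage files. The list of suspect directories and the seven-day window are assumptions to adjust for your environment.

```powershell
# Added example: list recently registered scheduled tasks and tasks whose
# action executes from a user-writable location. Run elevated on
# Windows 8 / Server 2012 or later (requires the ScheduledTasks module).
$Days   = 7                          # assumption: review window
$cutoff = (Get-Date).AddDays(-$Days)
# Assumption: directories an adware dropper commonly writes to
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, 'C:\ProgramData')

$findings = foreach ($task in Get-ScheduledTask) {
    # Date comes from the task XML as a string; it is empty for some built-in tasks
    $registered = [datetime]::MinValue
    $isRecent = $false
    if ($task.Date -and [datetime]::TryParse($task.Date, [ref]$registered)) {
        $isRecent = $registered -ge $cutoff
    }

    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }   # COM-handler actions have no executable path
        $expanded = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
        $inUserPath = $false
        foreach ($root in $suspectRoots) {
            if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inUserPath = $true
            }
        }

        if ($isRecent -or $inUserPath) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Author     = $task.Author
                Registered = if ($isRecent) { $registered } else { $null }
                RunsAs     = $task.Principal.UserId
                Execute    = $expanded
                Arguments  = $action.Arguments
                LastRun    = $info.LastRunTime
                Reason     = if ($isRecent -and $inUserPath) { 'recent+userpath' }
                             elseif ($isRecent) { 'recent' } else { 'userpath' }
            }
        }
    }
}

$findings | Sort-Object Registered -Descending | Format-Table -AutoSize
```

Tasks flagged as `userpath` are not necessarily malicious (some installers register updaters under AppData), so compare the executable's hash and signature against known-good software before removing anything.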