In wake of recent discovery, Baidu decides to disallow user-defined scripts and Flash content in its ads. A malvertising campaign has been ravaging Chinese users, employing the Baidu advertising platform, and abusing one of its ad APIs to push malware on the users’ computers.
The malicious campaign was first spotted in October 2015, but due to its highly sophisticated and multi-stage infection techniques, it was only understood and stopped in February 2016.
According to security researchers from FireEye, the attacker behind this campaign was using one of Baidu’s ad APIs to create malicious ads, which would later be displayed on legitimate websites.
Malicious content was (re)constructed on the client-side
The ad API allowed the crooks to embed a simple HTML redirector in the Baidu code responsible for loading the ads. This redirector would start a series of JS-based loops, which would load code after code, eventually landing a malicious iframe on the legitimate website.
A second iframe would be loaded later, and both would combine their own set of parameters that would be merged and form the URL where the actual malicious script resided. The malicious ad code would then instruct the user’s browser to download and automatically execute this script, which was a VBScript file.
In turn, this VBScript downloaded a trojan named Win32/Jongiti, which is a multi-purpose malware downloader that connected to a C&C server and downloaded other threats, based on the attacker’s instructions.
FireEye says that, while it monitored this campaign, it saw Jongiti download PUPs, keyloggers and pornographic content droppers.
As FireEye noted, the attack seems to be extremely effective against users running older IE versions, who are quite numerous in China. The attack doesn’t work on IE11, due to recent security measures added to the browser.
Baidu took security measures to prevent future attacks
After making their discovery, the security vendor contacted Baidu, who addressed the issue and even introduced some changes to its API service to prevent future abuses.
First of all, after March 31, Baidu will stop allowing users to upload custom scripts and Flash on its ad platform. This is a major move since this means that attackers wouldn’t be able to host malvertising content on Baidu’s platform and would need to find new techniques to exploit its service.
Secondly, Baidu has also made it mandatory for all new accounts to register using a phone number and domain name registration record. In China, these two have a real-name enforcement policy and will allow the company to track down attackers and hand them over to the police.