The Ask Partner Network (APN) was compromised for the second time in two months, as crooks found a way to deliver malware to computers running the Ask.com Toolbar.
The first attack took place at the end of October and start of November 2016, and was detected by security researchers from Red Canary. The second took place in December, just after APN cleaned its network, and was picked up by Carbon Black security products.
Both incidents were similar, as attackers found a way to breach the APN network and hijack the Ask.com Toolbar update process, pointing users to a malicious file, which resulted in the installation of malware on affected computers.
For the first attack, crooks altered the Ask.com Toolbar update process to download and install a malicious update package which then used a PNG file to spawn a malicious process.
This somewhat non-standard behavior was picked up by Red Canary, who detected the attack and sounded the alarm, but not before crooks compromised around ten victims.
APN intervened, cleaned their network and revoked the digital certificate (issued in their name), which crooks used to sign the malicious update package. APN then issued a new digital certificate to sign future updates.
Carbon Black researchers say attackers somehow got hold of this new digital certificate and used it to sign a second malicious update.
A new attack was then launched on December 16, and crooks used the same mode of operation, by sending Ask.com Toolbar users a new malicious update. Once installed, this malicious update would download and install a remote access trojan (RAT) on the victim’s computer.
Based on the logs from one of the victim’s PCs, Carbon Black says attackers used this RAT to open a reverse command shell on the victim’s computer. All of this happened within 60 seconds of the delivery of the malicious update.
Because Ask.com Toolbar ran with system privileges, the attackers had no problem running any software and commands they liked.
For the next two hours, Carbon Black says attackers downloaded new tools onto the victim’s computer. Attackers then used these tools to enumerate resources on the local network, dump credentials from the local system, move laterally to other systems using stolen credentials, and establish persistence mechanisms for future access.
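The behavior described above (a toolbar updater running as SYSTEM spawning a command shell, and dropping a further executable, within a minute of the update landing) is exactly the kind of process-tree anomaly an endpoint sensor can flag. The following is an added detection example written for this article; it is not code from Red Canary, Carbon Black or APN. The log format, the process names, the `UPDATER_MARKERS` substrings and the `EXPECTED_CHILDREN` allowlist are all constructed assumptions, and the sample events are invented to mirror the incident narrative, not taken from any real log.

```python
"""Flag suspicious children of an auto-updater process from process-creation logs.

Constructed example: field names loosely follow Sysmon Event ID 1, but the
line format and every value in SAMPLE_LOG are invented for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe"}
# Hypothetical substrings that identify an updater/toolbar process in this estate.
UPDATER_MARKERS = ("toolbar", "updater")
# Hypothetical allowlist of children an updater is expected to launch.
EXPECTED_CHILDREN = {"msiexec.exe"}
SYSTEM_USER = "nt authority\\system"


@dataclass
class ProcEvent:
    ts: datetime
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    user: str           # account the new process runs as
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse the constructed format: '<ISO ts> image=..|parent=..|user=..|cmd=..'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(part.split("=", 1) for part in rest.split("|"))
    return ProcEvent(datetime.fromisoformat(ts_text), fields["image"],
                     fields["parent"], fields["user"], fields["cmd"])


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_updater(path: str) -> bool:
    return any(marker in basename(path) for marker in UPDATER_MARKERS)


def detect(events, window=timedelta(seconds=60)):
    """Return one alert dict per suspicious child of an updater process.

    A child is suspicious when it is an interactive shell, or when it is not on
    the allowlist of children the updater is expected to start. Each alert also
    records whether the child runs as SYSTEM and how long after the updater
    itself started it was spawned, so a shell within the first minute stands out.
    """
    alerts = []
    updater_starts = {}  # full image path of an updater -> first observed start
    for e in sorted(events, key=lambda ev: ev.ts):
        if is_updater(e.image):
            updater_starts.setdefault(e.image, e.ts)
        if not is_updater(e.parent_image):
            continue
        child = basename(e.image)
        if child in SHELLS:
            reason = "updater_spawned_shell"
        elif child not in EXPECTED_CHILDREN:
            reason = "updater_spawned_unexpected_child"
        else:
            continue
        started = updater_starts.get(e.parent_image)
        since_start = (e.ts - started).total_seconds() if started else None
        alerts.append({
            "ts": e.ts.isoformat(),
            "reason": reason,
            "child": child,
            "parent": e.parent_image,
            "privileged": e.user.lower() == SYSTEM_USER,
            "seconds_since_updater_start": since_start,
            "within_window": since_start is not None and since_start <= window.total_seconds(),
        })
    return alerts


# Constructed sample log mirroring the narrative: updater starts as SYSTEM,
# spawns cmd.exe 12 s later, then drops a helper binary; msiexec is expected.
SAMPLE_LOG = [
    r"2016-12-16T10:00:00 image=C:\Program Files\AskToolbar\ToolbarUpdater.exe|parent=C:\Windows\System32\services.exe|user=NT AUTHORITY\SYSTEM|cmd=ToolbarUpdater.exe /silent",
    r"2016-12-16T10:00:12 image=C:\Windows\System32\cmd.exe|parent=C:\Program Files\AskToolbar\ToolbarUpdater.exe|user=NT AUTHORITY\SYSTEM|cmd=cmd.exe /c whoami",
    r"2016-12-16T10:00:40 image=C:\Windows\Temp\svchost_helper.exe|parent=C:\Program Files\AskToolbar\ToolbarUpdater.exe|user=NT AUTHORITY\SYSTEM|cmd=svchost_helper.exe",
    r"2016-12-16T10:02:00 image=C:\Windows\System32\msiexec.exe|parent=C:\Program Files\AskToolbar\ToolbarUpdater.exe|user=NT AUTHORITY\SYSTEM|cmd=msiexec.exe /i update.msi",
    r"2016-12-16T10:05:00 image=C:\Windows\System32\notepad.exe|parent=C:\Windows\explorer.exe|user=CORP\alice|cmd=notepad.exe",
]


def analyze(lines):
    return detect(parse_line(line) for line in lines)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The rule keys off the parent/child relationship rather than the file signature: the second APN update was signed with a valid certificate, so signature checks alone would have passed it, whereas "privileged updater launches a shell within a minute of starting" is behavior no legitimate update needs. In a sensor configured to block rather than only detect, the first alert here is the point at which the chain would be cut.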
In this case, the victim was as guilty as the attackers, as they had configured their Carbon Black security platform only to “detect” and not “block” malicious actions.
The RAT used in this second attack was signed by the APN certificate issued after the first attack, which most likely means the attackers maintained a foothold on APN’s network after engineers cleaned servers after the first attack.
This time around, APN appears to have done a better job, as Carbon Black reported that no new malicious activity was detected from APN's network in the past three months.