For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high profile websites.

Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files.

In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads.

Crooks hid malicious code an a pixel's RGBA alpha-transparency value

The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites.

Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character.

Stegano formula
Formula used by the Stegano exploit kit to extract malicious code from images [Source: ESET]

Since images have millions of pixels, crooks had all the space they needed to pack malicious code inside a PNG photo.

Only Internet Explorer users targeted

When extracted, this malicious code would redirect the user to an intermediary ULR, called gate, where the host server would filter users.

This server would only accept connections from Internet Explorer users. The reason is that the gate would exploit the CVE-2016-0162 vulnerability that allowed the crooks to determine if the connection came from a real user or a reverse analysis system employed by security researchers.

Additionally, this IE exploit also allowed the gate server to detect the presence of antivirus software. In this case, the server would drop the connection just to avoid exposing its infrastructure and trigger a warning that would alert both the user and the security firm.

Stegano exploit kit relies on Flash flaws to infect users

If the gate server deemed the target valuable, then it would redirect the user to the final stage, which was the exploit kit itself, hosted on another URL.

The Stegano exploit kit would use three Adobe Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117) to attack the user's PC, and forcibly download and launch into execution various strains of malware.

Until now, the Stegano exploit kit has pushed the Ursnif and Ramnit banking trojans, but ESET says it would be incredibly easy for crooks to switch the final malware payload to something more dangerous, such as a ransomware family.

All of these operations described above are automated and usually take place in the span of one-two seconds. As such, the best way to protect against malvertising campaigns is to always make sure you're running up to date software, and use some sort of security product that can pick up these threats before they do any damage.

ESET has declined to name the sites where the malvertising campaign was active, but said that these sites attract millions of users per day and that the malicious ads were for products named "Browser Defence" and "Broxu."

Below is an ESET infographic that details Stegano's exploit chain.

Stegano exploit kit chain