BEDEP malware has recently gained notoriety in the threat landscape after it played a part in two different zero-day exploits affecting Adobe Flash in early 2015. Zero-day vulnerabilities introduces critical risks to users and enterprises as cybercriminals and threat actors can exploit them to launch attacks before a patch or security update can be released.
The first zero-day incident reported in 2015 used the Angler explot kit and leveraged malvertisements on legitimate websites as its delivery mechanism. The second zero-day exploit, which was discovered by Trend Micro researchers, also used the same exploitation method of using malvertisements, albeit leveraging the hosting site dailymotion.com.
Our findings and feedback from Kafeine proved that the Hanjuan exploit kit was used in this incident. It’s interesting to note how these exploits were spaced closely and used the same payload: both exploits lead to BEDEP, a malware family known for stealing information that it sends to its command-and-control (C&C) servers.
This technical paper tackles the routines and capabilities of BEDEP, as well as its impact to users and enterprises.
The impact of BEDEP
BEDEP is notorious for its advertising fraud routines. Typically, advertising platforms get infected with a malicious script in the background that loads without user interaction. It's done when a remote user supposedly uploads a service, but instead uploads a malicious advertisement made to look like a normal ad. It takes advantage of instances where ad platforms fail to check the legitimacy of the ads, which exposes its users to advertising fraud. Advertising fraud can also come in the form of click fraud that entices users to click on a particular link that promotes products that may not necessarily be delivered. Ultimately, simply clicking the links can generate profit for the bad guys.
Systems infected with BEDEP become part of a botnet, which can be used for other activities such as spamming and distributed of denial-of-service against enterprises and large organizations. Infected systems can then be used to distribute a malware payload that can infect more systems. Some of the notorious botnets include Asprox, Cutwail/Pushdo, and Andromeda among others.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.