Proofpoint and Trend Micro have discovered a large-scale 'malvertising' campaign, enacted by threat actors known as AdGholas.
AdGholas has extensively used steganography and malicious ads for 'high-quality impressions', which hit 1-5 million users per day and avoided detection by researchers.
One way that the malvertising avoided researchers was by using an information disclosure zero-day in Microsoft Edge and Internet Explorer. Researchers were using virtual machines and sandboxes.
Microsoft patched the CVE-2016-3351 vulnerability two days ago, however the bug has been known since 2015.
Proofpoint described the vulnerability as a MIME type check that could filter out specific shell extension associations, such as .py, .pcap and .saz. Occasionally it could use popular Word document and torrent files extensions such as .doc, .mkv, .torrent and .skype to trigger the next exploitation process.
The vulnerability allowed AdGholas avoid detection while running a long-running advertising campaign through non-critical bugs and low-level vulnerabilities that the companies can go unpatched for months, or even years.
"Threat actors have previously used techniques to more effectively target end-users, from emails oriented to a specific industry to active infiltration of single entities via APTs. But using an information disclosure zero-day specifically to evade vendors' and researchers' detection of malvertising and exploit kit activity suggests attackers are increasingly concerned about defenders' effectiveness," says Kevin Epstein, vice president of threat operations at Proofpoint.
The onus is as much on software vendors as threat actors, researchers and enterprises, Proofpoint says.
"It isn't just execution zero-days that matter. Threat actors are clearly realising value from even information disclosure and other deprecated vulnerabilities that vendors may be slower to fix, and users even slower to patch," Epstein continues.
Proofpoint strongly advises that software vendors keep releasing patch updates, while users and organisations need to 'rethink patching prioritisations'. The company says researchers also need to look to new places and methods for detecting malicious activity.
Read more about AdGholas and the CVE-2016-3351 vulnerability here.