Malvertising & Drive-By Downloads
Malvertising & Drive-By Downloads refer to the delivery of malicious content through compromised or malicious online advertisements and websites..
Mappings
Summary
Malvertising & Drive-By Downloads refer to the delivery of malicious content through compromised or malicious online advertisements and websites. Victims may receive malware without knowingly downloading files, as exploitation occurs through browser interactions, redirect chains, or exploit kits. Within MalChain, this capability ends once a payload is delivered or execution becomes possible. Attackers abuse trust in:
- Legitimate advertising networks
- Popular websites
- Browser security assumptions
Victims often do not realize exposure has occurred, increasing dwell time. Common delivery mechanisms include:
- Malicious ad creatives
- Redirect chains
- Exploit kits
- Fake update prompts
- Browser plugin abuse
Real world usage includes:
- Banking Trojans
- Ransomware loaders
- Information stealers
- Cryptocurrency miners
Detection Guidance
Detection relies on browser telemetry, network traffic analysis, and correlation between web activity and subsequent file or script execution. Early detection significantly reduces downstream impact.
- Monitor browser redirect chains
- Detect anomalous JavaScript execution
- Identify unexpected file downloads
- Alert on fake update indicators
- Correlate web activity with execution events
KQL Detection Concepts
- Browser process initiating file downloads
- JavaScript execution followed by process creation
- Network connections to newly registered domains
YARA Detection Concepts
- Exploit kit fingerprints
- Obfuscated JavaScript loaders
- Suspicious redirect logic
KQL Detection Rule
// Malvertising / Drive-by: browser spawning script interpreters or writing executables
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","firefox.exe","iexplore.exe","brave.exe")
| where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountNameYARA Detection Rule
rule MC_ING_02_Malvertising_HTA_Dropper
{
meta:
author = "MalChain"
technique = "MC-ING-02 Malvertising & Drive-By Downloads"
description = "HTA/JS drive-by dropper invoking script hosts or downloads"
strings:
$hta = "<hta:application" ascii nocase
$ws = "WScript.Shell" ascii nocase
$ado = "ADODB.Stream" ascii nocase
$xhr = "MSXML2.XMLHTTP" ascii nocase
$ps = "powershell" ascii nocase
condition:
($hta or $ws) and 2 of ($ado,$xhr,$ps)
}Mitigation
- Use ad-blocking and script control
- Harden browser configurations
- Disable unnecessary plugins
- Enforce patch management
Incident Response
- Review browser history and cache
- Identify downloaded artifacts
- Isolate affected endpoints
- Hunt for follow-on execution
Chain Linking
- Script-Based Activation
- User-Executed Files
- DLL Side-Loading