AdGholas Malvertising Campaign Targets Unsuspecting Web Users

Malwarebytes has discovered a large malvertising campaign that is using the Astrum exploit kit to spread malware to unsuspecting users as they browse the web.

The notorious AdGholas group is believed to be behind the campaign and is rather cleverly using the recent WannaCry and NotPetya ransomware hysteria as a diversion to help it operate under the radar.

Malwarebytes says the group has been “going to great lengths to be as stealthy as possible” and has successfully fooled advertising networks into displaying malicious ads.

Astrum exploit

“On June 28, we started seeing a new wave of drive-by download attacks distributed globally pushing the Astrum exploit kit,” writes Jérôme Segura, lead malware intelligence analyst at Malwarebytes.

“Sure enough, it was associated with AdGholas activity via a new decoy website. Behind the fake ad banners for ‘expert essays’ designed to trick ad agencies, laid code to exploit and infect users who simply happened to visit popular websites.”

The decoy site uses a certificate from the non-profit encryption service Let’s Encrypt and is an almost exact copy of a legitimate website.

Malwarebytes was able to identify the link between the AdGholas advertiser and the Astrum exploit kit in the form of a redirect that is designed to evade many of the security scanners used by the major ad networks.

This means many web users could have been presented with the malicious ads without knowing as they browsed their favourite sites.

“While not as sensational as the latest ransomware attacks, malvertising continues to affect users on a large scale and be a relied upon infection vector for threat actors. The recent and renewed activity from sosphisticated groups like AdGholas is something to watch for because that could mean some new developments with the exploit kit scene,” concluded Segura.

This campaign is another example why malvertising can’t be ignored in a landscape that has recently been dominated by high-profile ransomware attacks.

In December researchers at Proofpoint discovered a malvertising attack that was targeting home routers and just last month a global malvertising campaign was blamed for a cyber attack which hit University College London (UCL).

Quiz: The world of cyber security in 2017

Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago