AdGholas Malvertising Campaign Targets Unsuspecting Web Users

Malwarebytes has discovered a large malvertising campaign that is using the Astrum exploit kit to spread malware to unsuspecting users as they browse the web.

The notorious AdGholas group is believed to be behind the campaign and is rather cleverly using the recent WannaCry and NotPetya ransomware hysteria as a diversion to help it operate under the radar.

Malwarebytes says the group has been “going to great lengths to be as stealthy as possible” and has successfully fooled advertising networks into displaying malicious ads.

Astrum exploit

“On June 28, we started seeing a new wave of drive-by download attacks distributed globally pushing the Astrum exploit kit,” writes Jérôme Segura, lead malware intelligence analyst at Malwarebytes.

“Sure enough, it was associated with AdGholas activity via a new decoy website. Behind the fake ad banners for ‘expert essays’ designed to trick ad agencies, laid code to exploit and infect users who simply happened to visit popular websites.”

The decoy site uses a certificate from the non-profit encryption service Let’s Encrypt and is an almost exact copy of a legitimate website.

Malwarebytes was able to identify the link between the AdGholas advertiser and the Astrum exploit kit in the form of a redirect that is designed to evade many of the security scanners used by the major ad networks.

This means many web users could have been presented with the malicious ads without knowing as they browsed their favourite sites.

“While not as sensational as the latest ransomware attacks, malvertising continues to affect users on a large scale and be a relied upon infection vector for threat actors. The recent and renewed activity from sosphisticated groups like AdGholas is something to watch for because that could mean some new developments with the exploit kit scene,” concluded Segura.

This campaign is another example why malvertising can’t be ignored in a landscape that has recently been dominated by high-profile ransomware attacks.

In December researchers at Proofpoint discovered a malvertising attack that was targeting home routers and just last month a global malvertising campaign was blamed for a cyber attack which hit University College London (UCL).

Quiz: The world of cyber security in 2017

Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

17 hours ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

20 hours ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

22 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

2 days ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

2 days ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

2 days ago