AdGholas Malvertising Campaign Closes After Proofpoint Discovery

malware

AdGholas malvertising campaign closes after pulling in at least a million victim computers a day

A massive malvertising operation has closed down after security researchers Proofpoint discovered it utilised highly sophisticated techniques to remain undetected for over a year.

The malvertising campaign was called AdGholas and the researchers said that it pulled in as many as one million client machines per day, and that it had been in operation since 2015.

Sophisticated Campaign

Malvertising campaigns traditionally inject malicious or malware-laden advertisements into seemingly legitimate online adverts.

Proofpoint researchers revealed in a blog post that the AdGholas campaign utilised sophisticated techniques filtering and steganography to help it operate in the shadows for over a year.

But it now has been closed down, after Proofpoint teamed up with Trend Micro to work out the technique behind steganography. This is a method of hiding code inside images, and is thought to be the first time this technique has been used in a malvertising campaign.

“While AdGholas appears to have ceased operation in the wake of action by advertising network operators following notification by Proofpoint, the scale and sophistication of this operation demonstrate the continued evolution and effectiveness of malvertising,” warned Proofpoint in its blog.

Malware - Fotolia: skull button © alekup #34457353It seems that AdGholas initially opted not to use JavaScript when it was first detected last October, but rather its redirection was based on transmission of a cookie. It also used the domain of a a hotel (“Merovinjo”) in Paris, but after a little digging, the researchers discovered the site was a clone of the legitimate site.

The malvertising code essentially carried out checks on the visiting computer to make sure it was not a virtual machine (often used by security researchers when looking for malware). The code also carried out other checks included the use of geolocation, which allowed other cybercriminals to insert their own malware (typically banking Trojans for certain users in certain regions.)

The AdGholas malvertising code utilised steganography, with advertising images containing encrypted JavaScript code. If the victim’s PC passed all the above checks, then this hidden code would execute.

“The AdGholas threat actors employed a complex and powerful combination of techniques that enabled them to operate undetected for over a year,” wrote Proofpoint.

And it worked. Proofpoint said that the AdGholas network drew traffic of one to five million high quality client hits per day. They also said this network utilised sophisticated filtering, after they found that AdGholas had employed ‘smart,’ multi-step filtering techniques to more precisely target client systems, including avoiding non-OEM and non-Nvidia/ATI-powered systems.

It was also convincing, as redirected sites avoided suspicion aby closely mimicking the appearance of the legitimate site expected by the ad agencies.

“Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, the example of AdGholas shows that it would be a mistake to assume this threat is diminishing,” concluded Proofpoint. “Instead, AdGholas demonstrates that malvertising campaigns continue to evolve and adopt increasingly sophisticated techniques that enable them to remain stealthy and effective even in the face of the latest defensive advances.”

Ongoing Threat

Previous research from Malwarebytes found that the UK is the world’s third-largest target for malicious ad infections, behind only the US and Canada.

Earlier this year, F-Secure found a new malvertising campaign that was not only targeting web browsers, but also the popular Skype application.

Proofpoint previously discovered last December a malicious Twitter advert that could steal users Facebook credentials. It came in a promoted Twittercard with a fake video is posted on user’s Twitter feed.

Other malvertising attacks have previously affected users of dating websites, social networks and even Forbes.com, leading many to question the safety of online advertising – especially those running Flash.

Are you a security pro? Try our quiz!