Malvertising Network AdGholas Discovered Operating Since 2015

Following the report from Proofpoint announcing their discovery and analysis of massive malvertising network AdGholas, operating since 2015 (which was pulling in as many as 1 million client machines per day), Thomas Pore Director of IT at Plixer commented below on why advertising is an ‘excellent’ method for hackers, how it worked and what users can do to avoid it.

Thomas Pore, Director of IT at Plixer:

Thomas Pore“The detection and analysis of AdGholas shows how creative, resilient, and money hungry cyber criminals are. Advertising is an excellent way to get content in front of a large audience quickly and by using advertising to redirect to a malicious site, users do not need to click anything.

“While steganography has been used in other malware campaigns, this is the first documented case of its use in a drive-by campaign with advertising. By hiding encrypted iframe redirect JavaScript inside an image and using a process to decrypt and exploit demonstrates that regardless of your security layers, cyber criminals have the advantage of innovation to target users.

“The process at which AdGholas was implemented, while detected, continued for so long because of how redirection was being executed. It’s hard to stop something if you don’t know how it works. After months of tracking and investigation it was determined that the process was executed using steganography. Once the use of steganography was detected, the campaign was stopped. I don’t suspect it will be too long before another innovative process is used.

“Users need to remember, that even though a redirect was occurring to a malicious site, exploit kits such as Angler and Neutrino were being used. These exploit kits take advantage of vulnerable software installed locally, such as Flash of Internet Explorer. The filter taking place in this campaign suggests that general PC users were the targets. Users can protect themselves by regularly performing security patching of installed software.”