The AdGholas malvertising network was using steganography, researchers reveal

Attacks leveraged advanced filtering techniques to target victims.

The AdGholas malvertising network was using steganography, researchers reveal

The AdGholas malvertising network is the first to incorporate steganography into a drive-by malware campaign, claims new research released by security firm Proofpoint.

Proofpoint researchers say that they first came across the malvertising campaign back in October 2015. Immediately, they knew something was different about the infection chain, as they explain in a blog post:

"When we replayed the infection chain captured through automated browsing, we noticed that redirection was based on transmission of a cookie ('utml'). Receipt of the cookie was conditioned by different language settings, time zone, and browser configuration (specifically, the absence of a Pragma-cache header, which is usually sent when Internet Explorer is using a proxy)."

Adgholas01

To better understand how the malvertising campaign worked, the researchers built a virtual machine with its own custom settings and put it through the campaign's series of tests.

In the first round of checks, if the campaign did not select a user as a target, the machine displayed clean JavaScript and a straightforward banner. But if they were chosen based upon their language settings, time zone, and browser configuration, the JavaScript included some malicious code, and a different banner loaded up.

Just how "different," you might ask? With the help of Trend Micro, Proofpoint's research team determined the campaign was using steganography to conceal code in a banner responsible for loading up a malicious iframe.

Adgholas07

The researchers also saw extensive use of filtering techniques in the second round of checks, including tactics which specifically looked out for software such as GeoEdge, Geosurf, and AdClarity ToolBar. The techniques also watched for Nvidia or ATI Drivers and OEMInfo/OEMLogo files, which would suggest users had a highly customized OEM version of Windows installed on their machines.

Through those checks, ProofPoint arrived at the final payloads of the campaign. Specifically, they found the malvertisers were leveraging the Angler exploit kit and later on the Neutrino exploit kit (which has been busy, as of late) to target users and infect them with a variety of malware.

In total, the crooks showed malicious ads on 113 domains, reports Softpedia, including The New York Times and The Verge. Those ads generated one to five million high quality client hits in traffic per day.

Adgholas16

ProofPoint's researchers agree that a campaign of AdGholas' magnitude and sophistication demonstrates how exploit kit-based malvertising is not going to disappear anytime soon:

"Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, the example of AdGholas shows that it would be a mistake to assume this threat is diminishing. Instead, AdGholas demonstrates that malvertising campaigns continue to evolve and adopt increasingly sophisticated techniques that enable them to remain stealthy and effective even in the face of the latest defensive advances."

However, the good news is that AdGholas itself has been disrupted:

"While AdGholas appears to have ceased operation in the wake of action by advertising network operators following notification by Proofpoint, the scale and sophistication of this operation demonstrate the continued evolution and effectiveness of malvertising."

To help protect against exploit kit attacks, users should update their systems regularly and install a security solution onto their computers.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , , ,

One Response

  1. rod

    August 2, 2016 at 10:39 am #

    you are usually very clear and didactic. I don't have a clue of what you are trying to explain this time.

Leave a Reply