Faceless hooded anonymous computer hacker with programming code from monitor

AdGholas malvertising: business as usual

The largest malvertising attacks are the ones you seldom hear about. A group identified as AdGholas by Proofpoint which has been involved in the stealthiest attacks we have seen in recent history, was caught again and exposed by Eset today. The last bit of activity from AdGholas after the Proofpoint exposé was July 20th of this year. However, according to our telemetry, less than two months later the group was back at it with some of the largest malvertising attacks we have ever documented.

This post intends to give additional background information on this campaign. For the technical details, please check out the great research done by our colleagues at ESET.

Quick overview

The rogue actors were once again using a façade to distribute malicious advertisements.  They created a website purporting to be a browser protection (for parental lock purposes) and also offered a Google Chrome extension that had made its way to the Chrome store. Under this disguise, they were pushing malicious code via SSL that included several layers of fingerprinting.

flow

When we looked at the fingerprinting events designed to evade security researchers and sandboxes, we immediately connected this attack to AdGholas thanks to the Yara signatures provided by Proofpoint.

procmon2

What followed the first level of fingerprinting checks was a redirection via SSL and the tinyURL service to what appeared to be a custom exploit kit with a landing page we had never seen before (click for larger view):

landing

Shortly after ESET published, we learned that this was the Astrum exploit kit. The ensuing Flash file (well encoded) appeared to once again perform some fingerprinting before delivering the final payload:

morefingerprinting

One might draw conclusions on why AdGholas was using Astrum EK instead of RIG EK or other popular ones. Perhaps the threat actors deem those exploit kits too weak in comparison to predecessors like Angler EK. It also makes a lot of sense to only use a special weapon like Astrum EK, for high impact attacks such as the ones AdGholas is after and stay away from run-of-the-mill EKs.

Timeline of events

timeline

The first record we have of browser-defence[.]com involved in a malvertising attack was on September 5th. At the time, this attack was propagated via the SmartyAds network:

b.admedia.com/banners/gbanner.php?d=1&aff=79154&size=300x250&subid=&pageUrl={redacted}  -> 88.214.235.32/?t=win&bwpr=0.45&uniq={redacted}-US_EAST&u=url   -> browser-defence.com/ads/f/ad.html

In October, there was the first instance of AdGholas going through Yahoo’s ad network to deliver their malicious ad. This one was delivered within the Yahoo mail interface (users checking their mail would be shown the rogue advert):

browser-defence.com/ads/a/index.html?w=180&h=150&clk=https://na.ads.yahoo.com/yax/clk?{redacted}

It was not until much later (11/27) that we were finally able to reproduce the malvertising chain from a genuine residential IP address with a machine clean of any monitoring tools, only capturing traffic transparently. Up until then, we only had very strong suspicions that something was going on, but without a network capture, we simply did not possess the ‘smoking gun’ required to make an affirmative claim. As soon as we had evidence of malfeasance (November 27th), we informed Yahoo of our discovery.

It was quite revealing that only a few days (11/30) after our report to Yahoo, we saw AdGholas switch to another domain on the very same server (broxu[.]com) being used with the exact same tricks.

adgholas_network

Large publishers such as the MSN network were once again serving malware:

broxu.com/conv/a/index.html?w=728&h=90&clk=http://pr.ybp.yahoo.com/cj/cd/AmJbSmT5UEb1XFLPHWgr56BReh_jW6fVSl3cTxkICbaKj7QtLn0olui0x2qFH34-l2OG515VIpsCcB1T51wcXFAt3gfsrHwe1LEHlMgLMAlfOQXFVW9K5PxNInuJTh9eVa3Nd4txx5M/rurl/&cbr=2730648907189493925  -> Referer: http://www.msn.com/en-ca/?cobrand=oem.msn.com&ocid=NAMDHP&pc=MANMJS

At the time of posting the campaign still continues, although the major ad networks have been informed and ‘should’ no longer be involved.

A geo-targeted campaign avoiding the US

The interesting aspect about this malvertising campaign is that the US was not one of the targets. Instead we saw Canada, the UK, Australia, Spain, Italy, and Switzerland as the most active geolocations. We observed most attacks happen in Canada and the UK as seen below on this heat map:

heatmap

Despite not targeting the US, the latest AdGholas campaign has once again reached epic proportions and unsuspecting users visiting top trusted portals like Yahoo or MSN (not to mention many top level publishers) were exposed to malvertising and malware if they were not protected.

Disclosure

We reported this attack and worked with other industry members to mitigate its effects. There is no doubt that the adversary is very advanced and has been clever to fly under the radar for long periods of time. However, with each exposure, we are learning more about their infrastructure and can in turn build ours to catch them again.

Malwarebytes users were protected ‘by default’ because AdGholas will not fire its exploit if it detects the presence of our software.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher