Malware Campaign Tricked Networks Since 2015

About AdGholas 

According to IT News, a long-running malvertising campaign known as AdGholas infected thousands of computers each day. It generated between 1 million and 5 million page hits from malicious advertisements across over 100 ad exchanges. It is estimated that AdGholas' current configuration has been running since the summer of 2015, but evidence suggests that a separate configuration may have been running since 2013. Once a system was infected, the web-based attacker attempted to exploit vulnerabilities in popular applications and install malware.

Why Did It Last So Long?

The techniques that allowed AdGholas to operate for so long were millions of high-quality traffic hits each day, stealthy innovation, sophisticated filtering, and closely mimicking the appearance of legitimate sites through redirects. The code specifically avoided security researchers and ad networks, which is why it went undetected for so long. In addition, the program filtered victims based on geolocation: online banking trojan horses were delivered only to specific regions. It is suspected that a virtual gang of cyber criminals paid AdGholas to distribute their software. To make matters more confusing and difficult, AdGholas used steganography – hiding JavaScript inside images. The code was extracted only if the infected computer passed the required checks. Proofpoint, the company that discovered the threat, stated that this was the first time malicious attackers had used steganography. AdGholas was suspended on July 20th, 2016. According to the article from Proofpoint,
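The steganography point above is worth a concrete defender-side check. The following is an added example, not code from the article or from Proofpoint, and it assumes one constructed case: script text appended after a PNG's IEND chunk (the article does not say how AdGholas embedded its JavaScript). It walks the PNG chunk list, verifies chunk CRCs, and reports any bytes trailing the image plus whether they look like script.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Crude indicators that a blob contains JavaScript; tune for your own triage.
SCRIPT_HINTS = re.compile(rb"(eval\s*\(|document\.|window\.|<script|function\s*\()", re.I)

def _chunk(kind: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)

def build_sample_png(trailing: bytes = b"") -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG, optionally with bytes appended after IEND."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one RGB pixel
    return PNG_SIG + ihdr + idat + _chunk(b"IEND", b"") + trailing

def inspect_png(data: bytes) -> dict:
    """Walk chunks up to IEND; report trailing bytes, script-like text and CRC mismatches."""
    result = {"valid_png": False, "trailing_bytes": 0, "script_hint": False, "bad_crc": []}
    if not data.startswith(PNG_SIG):
        return result
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        if pos + 12 + length > len(data):
            break  # truncated or lying length field: stop rather than mis-slice
        kind = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(kind + body) & 0xFFFFFFFF != crc:
            result["bad_crc"].append(kind.decode("ascii", "replace"))
        pos += 12 + length
        if kind == b"IEND":
            result["valid_png"] = True
            trailer = data[pos:]  # a well-formed PNG ends here; anything after is suspect
            result["trailing_bytes"] = len(trailer)
            result["script_hint"] = bool(SCRIPT_HINTS.search(trailer))
            break
    return result

if __name__ == "__main__":
    print(inspect_png(build_sample_png()))
    print(inspect_png(build_sample_png(b"<script>eval(atob('...'))</script>")))
```

A clean image reports zero trailing bytes; the constructed sample with an appended script reports the trailer length and a script hint, which is a reasonable trigger for pulling the file into deeper analysis.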

“Our analysis with colleagues from Trend Micro found that AdGholas campaigns do not all work the same way, but all do have the same multi-layered filtering and obfuscation. For instance, the redirect tag is being sent in several ways. We saw the xhr-sid sent as a response header to a POST to a GIF, but it is sometimes hidden at the end of an “addStats” hash in the initial landing.”