AdGholas leverages Astrum EK in latest malvertising campaign

Fake websites look almost identical to the real thing, going so far as to clone genuine adverts

While the world has been distracted by the ongoing drama surrounding the NotPetya ransomware, other attacks have passed largely unnoticed. One of them, reported in a Malwarebytes blog post, is the latest campaign by the malvertising group AdGholas, first documented by Proofpoint in 2016.

Malvertising, as the name suggests, is malware delivered through adverts. It does not always require any user interaction to run, and some campaigns can even bypass ad blockers. AdGholas, says Malwarebytes, is 'playing whack-a-mole with the ad industry' to distribute malware via the Astrum exploit kit. Although Astrum had long been used to deliver banking Trojans, the new AdGholas/Astrum infection chains have been observed installing other malware.

Malwarebytes saw a wave of drive-by download attacks distributed worldwide on 28 June, pushing the Astrum kit. The firm tied these attacks to AdGholas via a dummy website (expert-essays[dot]com). Fake banners for 'expert essays' were designed to get past advertising agencies' vetting, and hid code that exploited users who simply visited the websites on which the banners were displayed, with no click required.

The decoy site was designed to look almost identical to the existing (and legitimate) essayoneday.com. The differences are difficult to spot in an industry like advertising, which is ruled by automation and volume.

The group was caught in this incarnation, but returned on 1 and 2 July with jet-travels[dot]com, using a similar set-up.

AdGholas goes to great lengths to hide its presence, often operating right under the noses of major ad networks. For example, it cloaks its redirect to the Astrum EK: only visitors that pass its checks are sent on to the exploit kit, while everyone else (scanners and researchers included) sees benign content. These moves keep its sites operational for as long as possible. Likewise, the group behind Astrum uses techniques such as domain shadowing (creating throwaway subdomains under legitimate domains whose registrar accounts have been compromised) and SSL, both of which make traffic collection and replay difficult for researchers.
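Domain shadowing leaves a usable trace in a network's own logs: hostnames nobody on the network has resolved before, under a registered domain the network does know, often several of them appearing under the same parent within minutes. The following is an added example of that heuristic, written for this page; it is not code from Malwarebytes, Proofpoint or the campaign itself. The log format, the hostnames (all under the reserved .test TLD), the 30-day baseline and the threshold of two new subdomains are assumptions, and the eTLD+1 approximation is deliberately simplistic.

```python
"""Heuristic for spotting domain shadowing in web-proxy logs.

Signal: a subdomain never seen before, under a registered domain that the
network *has* seen before, with several such subdomains clustering under
the same parent. Known hosts and entirely unknown parent domains are
ignored (a brand-new parent is a different signal: newly registered domain).
"""
from collections import defaultdict

# Constructed baseline: hosts seen on the network in the previous 30 days
# (assumption; in practice this comes from passive DNS or proxy history).
BASELINE_HOSTS = {
    "www.example-travel.test",
    "cdn.example-travel.test",
    "www.example-news.test",
}

# Constructed proxy log lines: "<ISO timestamp> <client> <host> <path>".
SAMPLE_LOG = """\
2017-06-28T10:01:02Z 10.0.0.5 www.example-news.test /index.html
2017-06-28T10:01:07Z 10.0.0.5 k8d2.example-travel.test /ad.js
2017-06-28T10:01:09Z 10.0.0.5 q1x9.example-travel.test /land
2017-06-28T10:01:11Z 10.0.0.5 zz73.example-travel.test /x
2017-06-28T10:02:00Z 10.0.0.9 cdn.example-travel.test /style.css
"""


def registered_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Assumption: adequate for the sample data. Production code should use
    a public-suffix list so that e.g. 'shop.example.co.uk' collapses to
    'example.co.uk' rather than 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, host, path)."""
    ts, client, host, path = line.split(maxsplit=3)
    return ts, client, host.lower().rstrip("."), path


def find_shadowed(log_text: str, baseline_hosts, min_new_subdomains: int = 2):
    """Return {parent_domain: {"hosts": [...], "first_seen": ts}} for every
    known parent domain under which at least `min_new_subdomains`
    previously unseen hostnames appear in the log."""
    known_parents = {registered_domain(h) for h in baseline_hosts}
    new_hosts = defaultdict(set)
    first_seen = {}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _client, host, _path = parse_line(line)
        parent = registered_domain(host)
        if host in baseline_hosts or parent not in known_parents:
            continue  # known host, or a parent we have no history for
        new_hosts[parent].add(host)
        first_seen.setdefault(parent, ts)  # log is in time order (assumption)

    return {
        parent: {"hosts": sorted(hosts), "first_seen": first_seen[parent]}
        for parent, hosts in new_hosts.items()
        if len(hosts) >= min_new_subdomains
    }


if __name__ == "__main__":
    for parent, info in find_shadowed(SAMPLE_LOG, BASELINE_HOSTS).items():
        print(f"possible domain shadowing under {parent} "
              f"(first seen {info['first_seen']}):")
        for h in info["hosts"]:
            print(f"  {h}")
```

Treat a hit as a lead, not a verdict: legitimate CDNs and marketing tools also mint fresh subdomains, so the useful follow-up is to check whether the new names resolve to infrastructure that differs from the parent's usual hosting and whether they appeared immediately after an ad load.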

Malvertising remains a widespread infection vector that ad blockers cannot entirely negate. Keeping software up to date, i.e. regularly patching browsers and their plugins, is still the best defence, because exploit kits such as Astrum overwhelmingly rely on vulnerabilities for which fixes already exist.