The group behind the campaign has gone to great lengths to slip under the radar
Malwarebytes has discovered a large malvertising campaign that is using the Astrum exploit kit to spread malware to unsuspecting users as they browse the web.
The notorious AdGholas group is believed to be behind the campaign and is rather cleverly using the recent WannaCry and NotPetya ransomware hysteria as a diversion to help it operate under the radar.
Malwarebytes says the group has been “going to great lengths to be as stealthy as possible” and has successfully fooled advertising networks into displaying malicious ads.
“On June 28, we started seeing a new wave of drive-by download attacks distributed globally pushing the Astrum exploit kit,” writes Jérôme Segura, lead malware intelligence analyst at Malwarebytes.
“Sure enough, it was associated with AdGholas activity via a new decoy website. Behind the fake ad banners for ‘expert essays’ designed to trick ad agencies, laid code to exploit and infect users who simply happened to visit popular websites.”
The decoy site uses a certificate from the non-profit encryption service Let’s Encrypt and is an almost exact copy of a legitimate website.
Malwarebytes was able to identify the link between the AdGholas advertiser and the Astrum exploit kit in the form of a redirect that is designed to evade many of the security scanners used by the major ad networks.
This means many web users could have been presented with the malicious ads without knowing as they browsed their favourite sites.
“While not as sensational as the latest ransomware attacks, malvertising continues to affect users on a large scale and be a relied upon infection vector for threat actors. The recent and renewed activity from sosphisticated groups like AdGholas is something to watch for because that could mean some new developments with the exploit kit scene,” concluded Segura.
This campaign is another example why malvertising can’t be ignored in a landscape that has recently been dominated by high-profile ransomware attacks.
In December researchers at Proofpoint discovered a malvertising attack that was targeting home routers and just last month a global malvertising campaign was blamed for a cyber attack which hit University College London (UCL).