AdGholas Malvertising Campaign Targets Unsuspecting Web Users

Malwarebytes has discovered a large malvertising campaign that is using the Astrum exploit kit to spread malware to unsuspecting users as they browse the web.

The notorious AdGholas group is believed to be behind the campaign and is rather cleverly using the recent WannaCry and NotPetya ransomware hysteria as a diversion to help it operate under the radar.

Malwarebytes says the group has been “going to great lengths to be as stealthy as possible” and has successfully fooled advertising networks into displaying malicious ads.

Astrum exploit

“On June 28, we started seeing a new wave of drive-by download attacks distributed globally pushing the Astrum exploit kit,” writes Jérôme Segura, lead malware intelligence analyst at Malwarebytes.

“Sure enough, it was associated with AdGholas activity via a new decoy website. Behind the fake ad banners for ‘expert essays’ designed to trick ad agencies, laid code to exploit and infect users who simply happened to visit popular websites.”

The decoy site uses a certificate from the non-profit encryption service Let’s Encrypt and is an almost exact copy of a legitimate website.

Malwarebytes was able to identify the link between the AdGholas advertiser and the Astrum exploit kit in the form of a redirect that is designed to evade many of the security scanners used by the major ad networks.

This means many web users could have been presented with the malicious ads without knowing as they browsed their favourite sites.

“While not as sensational as the latest ransomware attacks, malvertising continues to affect users on a large scale and be a relied upon infection vector for threat actors. The recent and renewed activity from sosphisticated groups like AdGholas is something to watch for because that could mean some new developments with the exploit kit scene,” concluded Segura.

This campaign is another example why malvertising can’t be ignored in a landscape that has recently been dominated by high-profile ransomware attacks.

In December researchers at Proofpoint discovered a malvertising attack that was targeting home routers and just last month a global malvertising campaign was blamed for a cyber attack which hit University College London (UCL).

Quiz: The world of cyber security in 2017

Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Recent Posts

DeepMind Co-Founder Suleyman Departs For Investment Firm

DeepMind co-founder Mustafa Suleyman leaves parent company Google for Silicon Valley venture capital firm after…

5 hours ago

US Legislation To Boost Chip Funding Set For House

US House of Representatives set to introduce bill on tech funding and domestic chip manufacturing,…

6 hours ago

Intel Says Ohio Site Could Become World’s Biggest Chip Plant

Intel chooses Ohio site for manufacturing investment that could grow to $100bn over ten years,…

6 hours ago

Digital Bank Chime Financial Plans Massive IPO

Chime Financial plans New York IPO worth up to $40bn after Covid-19 pandemic leads to…

7 hours ago

Twitter Shake-Up Sees Departure Of Top Security Staff

Twitter says head of security no longer at company and chief information security officer to…

7 hours ago

Google Asks Judge To Dismiss Most Of Texas Antitrust Case

Google asks federal judge to dismiss most counts of antitrust case filed by Texas and…

8 hours ago