A massive malvertising network has been infecting as many as one million computers per day with a variety of geo-focused banking trojans.
Named AdGholas, researchers say that it has been operating since 2015, infecting thousands of victims every day using a sophisticated combination of techniques that include filtering and steganography. It was receiving high-quality traffic from a variety of high rank referrers, from more than twenty different AdAgency/AdExchange platforms. The result was that AdGholas was clocking one to five million hits every day, and of these, 10-20% were redirected to an exploit kit.
Proofpoint uncovered the campaign, and alerted the involved ad networks. It found that the domains that were used were clones of real, legitimate sites belonging to Hotel Merovinjo in Paris, Ec-centre and Mamaniaca, and that its approach varied depending on user and geography.
“Our analysis with colleagues from Trend Micro found that AdGholas campaigns do not all work the same way, but all do have the same multi-layered filtering and obfuscation,” Proofpoint researchers said, in an analysis. “For instance, the redirect tag is being sent in several ways. We saw the xhr-sid sent as response header to a POST to GIF, but it is sometimes hidden at the end of an ‘addStat hash in the initial landing.”
The researchers said AdGholas went silent for two weeks after the Angler exploit kit disappearance, returning (with the same domains) at the end of June using the Neutrino EK.
The banking trojans being dropped on the compromised computers include Gozi ISFB, dropped in Canada, Terdot.A in Australia, Godzilla loaded Terdot.A in Great Britain, and Gootkit was dropped in Spain.
“The AdGholas threat actors employed a complex and powerful combination of techniques that enabled them to operate undetected for over a year,” Proofpoint researchers said. “This campaign represents the first documented use of steganography in a drive-by malware campaign, and attacks employed ‘informational disclosure’ bugs perceived to be low-risk in order to stay below the radar of vendors and researchers.”
They added, “Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, the example of AdGholas shows that it would be a mistake to assume this threat is diminishing. Instead, AdGholas demonstrates that malvertising campaigns continue to evolve and adopt increasingly sophisticated techniques that enable them to remain stealthy and effective even in the face of the latest defensive advances.”