AdGholas Malvertising Campaign Finally Spotted After One Year on the Loose

A huge malvertising campaign managed to infect millions of users before finally being spotted by Proofpoint and Trend Micro security researchers.

The campaign, called AdGholas, is supposed to have start operating in the summer of 2015, but some unconfirmed clues point that it might even date back to 2013.

While the researchers were investigating two other malvertisers in October last year, GooNky and VirtualDonna, they run across the malicious campaign. After a thorough analysis by both companies, they came to conclude that AdGholas was more creatively and masterly done and it was very difficult to detect.

The authors of AdGholas Malvertising campaign used 22 different ad networks to spread their ads on a huge number of legitimate sites. Using the traffic filtering controls provided by the advertising platforms the crooks segmentize their targets and show their ads only to the segment they were interested in.

And yet, this turned out to be not enough for the attackers. They decided to add homegrown fingerprinting scripts to filter the users who fall for the phony ads and were redirected to their domain. These additional scripts were able to disclose detailed information about the victim`s OS.

The particular segment the AdGholas developers were targeting included users who had Nvidia or ATI drivers installed. OEM logos on the victims` computers was also a must because it was a sign they were running a highly customized OEM version of Windows. Moreover, with the help of the AdGholas campaign the cybercriminals managed to leverage steganography for the first time to transfer malicious code embedded in malicious banner ads.

The campaign managed to avoid detection for so long owing to exactly these sophisticated techniques.

Furthermore, AdGholas didn’t just use one but a wide range of different pieces of malware. At the time researchers uncovered it, it was infecting users with the Angled exploit kit. Later, when the Angler close down, the malvertising campaign switched to the Neutrino exploit kit.

When a user reached a leveraged exploit kit webpage, they would be infected with multiple pieces of malware depending on the victims` current location. According to Proofpoint the exploit kits delivered Terdot.A (DELoader) in Australia, Gozi ISFB malware in Canada, Gootkit in Spain and Godzilla-loaded Terdot.A in Britain.

In June, Proofpoint and Trend Micro discovered all 22 leveraged network distributing the campaign. Immediate preventive actions were taken but AdGholas had already managed to abuse 113 legitimate websites for its propagation.

The 113 abused domains included popular big names such as The New York Times, The Verge, Le Figaro, PCMag, IBTimes, ArsTechnica, Telegraaf, La Gazetta dello Sport, Daily Mail, CBS Sports, Top Gear, Urban Dictionary, Playboy, and

Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, AdGholas shows that the threat is not diminishing,” – Proofpoint states – “Instead, AdGholas is a vivid reminder that attackers continue to evolve. Their increasingly sophisticated techniques enable them to remain stealthy and effective even in the face of the latest defensive advances.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.