A malvertising campaign dubbed AdGholas has been found to have targeted one million victims a day, successfully infecting thousands of them daily. The campaign was active for a year before being shut down by security researchers. The cybercriminals used a complex combination of "sophisticated filtering and steganography" to evade detection and reach as many targets as possible.

A collaborative effort by security researchers from Proofpoint and Trend Micro revealed that the malvertising campaign had been active since October 2015. The two firms also found that, while not all AdGholas campaigns worked in the same way, they shared the same "multi-layered filtering and obfuscation" in an effort to evade detection.

Proofpoint said in its blog: "Malvertising, the practice of embedding malware and links to compromised websites in online ads, is one of the biggest drivers of traffic to exploit kits. Large black-market ecosystems support the practice.

"Combining intel we gathered with telemetry data from Trend Micro, we were able to get a very clear idea of the scale of these campaigns. Before AdGholas suspended operation, we witnessed geo-focused banking Trojans being dropped on the compromised computers upon successful infection. For example, Gozi ISFB was dropped in Canada, Terdot.A (aka DELoader) [11] in Australia, Godzilla loaded Terdot.A in Great Britain, and Gootkit was dropped in Spain. It seems that there are four different Neutrino threads, as Neutrino is not including an internal TDS while Blackhole, Angler and Nuclear were."

How the campaign worked

The malvertising campaign made use of the networks of over 20 different ad agencies. AdGholas also checked victims' time zones, PC language settings and other system attributes to decide whom to target. Additionally, the cybercriminals behind the campaign carefully designed clones of legitimate websites, which hosted the malware, in an effort to trick users into clicking on the ads.

On the down low

AdGholas is, according to Proofpoint researchers, the first instance of cybercriminals using steganography in a drive-by malware campaign to evade detection. The campaign also made use of "informational bugs", which are generally considered low risk and are therefore not picked up by security software or researchers. What is more, by accurately cloning legitimate websites, the campaign avoided raising suspicion among its victims after redirecting them to a malicious site.

Proofpoint concluded, "Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, the example of AdGholas shows that it would be a mistake to assume this threat is diminishing. Instead, AdGholas demonstrates that malvertising campaigns continue to evolve and adopt increasingly sophisticated techniques that enable them to remain stealthy and effective even in the face of the latest defensive advances."