Malware Alert AdGholas malvertising campaign hid malicious code in images to avoid discovery

Captain Awesome

Level 23
May 7, 2016
In what researchers are calling a first, a massive malvertising campaign that infected thousands of people per day relied on steganography, the practice of hiding data inside images, to conceal malicious code that was delivered to victims in drive-by fashion.

Discovered in 2015 by Proofpoint, the campaign, dubbed AdGholas, was pulling in as many as one million client machines a day (only a filtered fraction of which were actually infected) until it ceased operations this month, after the cybersecurity firm alerted the affected advertising network operators.

Not all users who clicked on an AdGholas-delivered malicious ad were redirected to a malicious webpage and infected, according to a Proofpoint blog post. AdGholas was deliberately built to be highly selective, weeding out any machine on which it might be discovered, especially one belonging to a researcher, explained Patrick Wheeler, director of threat intelligence at Proofpoint, in an interview with

To reach the average, less tech-savvy user, the operators behind AdGholas used sophisticated client-side filtering to select or exclude prospective victims based on language settings, time zone, and browser configuration. The filtering also looked for specific software or drivers typically associated with certain computer brands, so that only machines matching the attackers' intended targets received the payload.
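To make the filtering concrete, here is an added illustration of the kind of client-side victim gate the paragraph describes: a visitor fingerprint (language, time zone offset, user agent, plugin count, and a list of detected OEM-specific software) is scored, and the payload is only "delivered" when every signal matches the wanted profile. This is example code written for this post, not AdGholas's actual script; the target languages, time zone offsets, OEM marker strings and the two sample environments are all assumptions chosen to show the mechanism, not recovered indicators.

```javascript
// Added illustration: a fingerprint gate of the type the article describes.
// Not AdGholas code; every list, threshold and sample below is an assumption.

// Assumed "wanted victim" profile: English locale, US time zone, Windows,
// a real plugin set, and some sign of a consumer OEM build.
const TARGET_LANGUAGES = new Set(['en-US', 'en-GB']);
// Date.prototype.getTimezoneOffset() values (minutes behind UTC) for the
// continental US, standard and daylight time.
const TARGET_TZ_OFFSETS = new Set([240, 300, 360, 420, 480]);
// Substrings whose presence in an installed-software list suggests a consumer PC.
const OEM_MARKERS = ['Dell', 'HP ', 'Lenovo', 'ASUS'];

// Evaluate a fingerprint and return the decision plus every exclusion reason.
// Collecting all reasons (not just the first) makes the gate easy to study when
// replaying captured visitor profiles through it.
function gateVisitor(profile) {
  const reasons = [];
  if (!TARGET_LANGUAGES.has(profile.language)) reasons.push('language');
  if (!TARGET_TZ_OFFSETS.has(profile.tzOffsetMinutes)) reasons.push('timezone');
  if (!/Windows NT/.test(profile.userAgent)) reasons.push('os');
  // Bare automation and fresh analysis VMs commonly report no plugins at all.
  if (profile.pluginCount === 0) reasons.push('no-plugins');
  const hasOem = OEM_MARKERS.some(m => profile.installedSoftware.some(s => s.includes(m)));
  if (!hasOem) reasons.push('no-oem-marker');
  return { deliver: reasons.length === 0, reasons };
}

// Build a profile from a browser window (or any object shaped like one).
// `installedSoftware` stands in for whatever vendor-file/driver probe a campaign
// uses; it is passed in as a pre-collected list so this stays testable offline.
function collectProfile(win, installedSoftware = []) {
  return {
    language: win.navigator.language,
    tzOffsetMinutes: new win.Date().getTimezoneOffset(),
    userAgent: win.navigator.userAgent,
    pluginCount: win.navigator.plugins.length,
    installedSoftware,
  };
}

// Constructed sample environments (not captured data): a typical consumer PC
// and an analyst VM left on UTC with no plugins installed.
const IE11_UA = 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko';
const CONSUMER_PC = {
  navigator: { language: 'en-US', userAgent: IE11_UA, plugins: { length: 4 } },
  Date: class { getTimezoneOffset() { return 300; } },
};
const RESEARCH_VM = {
  navigator: { language: 'en-US', userAgent: IE11_UA, plugins: { length: 0 } },
  Date: class { getTimezoneOffset() { return 0; } },
};

// Run both samples through the gate and return the decisions.
function demo() {
  const consumer = gateVisitor(collectProfile(CONSUMER_PC, ['Dell Touchpad', 'Microsoft Office']));
  const vm = gateVisitor(collectProfile(RESEARCH_VM, ['VMware Tools']));
  return { consumer, vm };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}

module.exports = { gateVisitor, collectProfile, demo, CONSUMER_PC, RESEARCH_VM };
```

The defensive takeaway is the mirror image of the gate: an analysis environment that keeps a UTC clock, a default locale, no plugins and no OEM residue will never be served the payload, so sandboxes used to reproduce a campaign like this need a profile that looks like the intended victim, and captured visitor fingerprints can be replayed through a reconstructed gate to see which signal excluded them.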
Read more here: AdGholas malvertising campaign hid malicious code in images to avoid discovery