Community Manager
Staff member
Security researchers from Proofpoint and Trend Micro have uncovered a massive malvertising campaign that has been targeting over one million users per day, and infecting thousands, running since the summer of 2015, and with unconfirmed clues that might link it to as early as 2013.

Researchers first spotted the campaign last October, when they were investigating two other massive, and more easy to spot, malvertising campaigns codenamed GooNky and VirtualDonna.

According to subsequent research carried out by both companies, this campaign codenamed AdGholas, used innovative and sophisticated techniques to avoid detection.

AdGholas Malvertising campaign hit 22 ad networks
Crooks used 22 different ad networks to display their ads on a large number of legitimate sites.

They used the traffic filtering controls provided by the advertising platforms to show their malicious ads only to the audience they were interested in targeting.

However, the group wasn't satisfied and also used additional homegrown fingerprinting scripts to filter the users that clicked on the ads or were redirected to their own malicious domains.

These additional filters used several information disclosure bugs to leak details about the user's operating systems.

Crooks searching for users running OEM versions of Windows
The crooks were interested in users that had Nvidia or ATI drivers installed, and OEM logos on their PCs, as a sign that they were using a highly-customized OEM version of Windows.

Furthermore, this malvertising campaign marks the first time that crooks leveraged steganography to transmit malicious code embedded in malicious banner ads.

All of these advanced methods of filtering the ad traffic allowed the campaign to go unnoticed for almost an year.

Malvertising campaign infected users with multiple types of malware
During this time, researchers noticed the groups used the Angler exploit kit to infect users, and later the Neutrino exploit kit, after Angler shut down operations.

When a user would reach the exploit kit landing pages, users would be infected with a broad range of malware, usually different based on the user's location.

Proofpoint says that exploits kits delivered Gozi ISFB malware in Canada, Terdot.A (DELoader) in Australia, Godzilla-loaded Terdot.A in Great Britain, and Gootkit in Spain.

113 legitimate sites helped drive traffic to the crook's malicious servers
The two security firms notified all 22 ad platforms in June, and they moved to take down all of the campaign's malicious ads from their networks.

During their operation, the crooks showed malicious ads on 113 domains, including some big names such as The New York Times, Le Figaro, The Verge, PCMag, IBTimes, ArsTechnica, Daily Mail, Telegraaf, La Gazetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more.

"Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, AdGholas shows that the threat is not diminishing," Proofpoint notes. "Instead, AdGholas is a vivid reminder that attackers continue to evolve. Their increasingly sophisticated techniques enable them to remain stealthy and effective even in the face of the latest defensive advances."