SECURITY OUTFIT PROOFPOINT has made its point again and uncovered a thing called AdGholas which it warned is a pretty damn significant malvertising campaign.
The firm has already smashed the campaign into the ground, thanks to work with service providers and fellow security company Trend Micro.
The campaign was used by three groups, and a number of websites were affected by the placement of infected adverts.

A Proofpoint blog post explained that victims included the Belfast Telegraph and a French hotel.

“Proofpoint researchers have discovered and analysed a massive malvertising network operating since 2015, run by a threat actor we designated as AdGholas and pulling in as many as one million client machines per day,” the firm said.
“This malvertising operation infected thousands of victims every day using a combination of techniques including sophisticated filtering and steganography, as analysed by fellow researchers at Trend Micro.
“While AdGholas appears to have ceased operation in the wake of action by advertising network operators following notification by Proofpoint, the scale and sophistication of this operation demonstrate the continued evolution and effectiveness of malvertising.”
Proofpoint does a lot of this sort of thing, and just recently cast a dark light over Pokémon.
AdGholas might seem like any other old malvertising whack but is a bit of a pioneer in that it is the first such campaign to use steganography in drive-by malware attacks.
“This campaign represents the first documented use of steganography in a drive-by malware campaign, and the attacks employed ‘informational disclosure’ bugs perceived to be low risk to stay below the radar of vendors and researchers,” Proofpoint said.
AdGholas even used evasive tactics to avoid discovery and suspicion, and redirected or mimicked legitimate sites when under close inspection.

And it did all this undetected for over a bloody year.
We guess the lesson here is to trust in security companies and not click on links that don’t look kosher.

Easier said than done. µ
