For over a year attackers were able to carry out a malvertising campaign that managed to draw between one and five million client hits a day, according to researchers. The scam infected thousands a day using a one-two-punch of filtering and steganography, the art of hiding information inside messages or image.
The attackers behind the campaign suspended their operation last week, according to experts at Proofpoint, who have been tracking their moves since October 2015. While the researchers first honed in on the group, which it calls AdGholas, in October, they claim that evidence points to it having been in operation as early as 2013.
While using steganography to conceal attacks isn’t new – malware authors have been using the practice for years – this is reportedly the first time its been seen used in a drive-by malware campaign like this.
Researchers claim that hidden in JavaScript filtering code used by the campaign was more code that used an API to read a PNG and extract even more JavaScript. Users would get infected by browsing a site, after which they’d get redirected to a cloned version of a legitimate site, tricking victims into thinking everything was normal.
The campaign, at least for a while, was dependent on exploit kit traffic Proofpoint acknowledged. When Angler went offline in early June, AdGholas went silent for two weeks before reemerging at the tail end of that month, spread by the Neutrino exploit kit. Ten to 20 percent of the millions of hits it got a day were ultimately redirected back to an exploit kit.
“Recent observations suggest that AdGholas or close distribution partners might have started operating the reverse proxies serving the involved instance of exploit kit at the end of April. These were the only instances featuring “gzipped” Angler EK traffic, and lately their Neutrino traffic was gzipped as well,” Proofpoint researchers wrote Thursday.
The campaign also dropped region-specific Trojans on victims. Computers in Canada were hit with the banking Trojan Gozi ISFB, Australian computers were hit by Terdot.A, while computers in Spain received another banking Trojan, Gootkit.
Proofpoint notified a handful of advertising network operators of the campaign who were apparently quick to address it.
“We would also like to thank all the contacts in the advertising industry (directly involved or not) who were swift to react upon notification and helped us take action on this malicious activity. It appears their action was strong enough to have all AdGholas campaigns suspended as of the morning of July 20, 2016,” the researchers wrote.
Last fall at Black Hat Europe researchers from two different firms partnered to give a presentation on campaigns that were using steganography to prosper . Pierre-Marc Bureau, a senior security researcher at Dell SecureWorks and Dr. Christian Dietrich, a senior researcher with Crowdstrike acknowledged that the medium had arrived as a legitimate way for attackers to obscure interactions with command and control servers.
A strain of malware found by Dell last summer, Stegoloader, hid malware in images. After a machine had been compromised it used a deployment module that called on a PNG to grab malware from a legitimate hosting site.