A ransomware attack that closed off access to personal and shared drives at University College London last week has been linked to a malvertising campaign spreading Mole, a variant of CryptoMix ransomware.
Kafeine, a white-hat who works for Proofpoint and is known for his research into exploit kits, said in a report published today that the group behind AdGholas is responsible. AdGholas are well known malvertising purveyors who have used steganography in the past to conceal attacks. In this case, the attacks used the Astrum Exploit Kit to spread the malware.
University College London, meanwhile, said today that all services have been returned to normal. As of Friday, personal storage and shared drives had been restored, and yesterday, write-access to the remaining shared drives was also restored.
The infection, the university said, was contained by last Thursday and that it was continuing to look into the root cause. Initially, officials said the attack started with a phishing email, but later reversed course and said the attack was web-based. Officials also said that services should be able to be restored from backup, sparing them the need to pay a ransom.
A dozen local and shared drives were infected, and the school initially called it a “zero-day attack.”
“Our antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident,” officials said last week. “We cannot currently confirm the ransomware that was deployed.”
Proofpoint said AdGholas’ use of ransomware in this attack is a departure from its normal tactic of spreading banking malware. Kafeine said the attack went beyond just UCL to other high-profile sites.
After ruling out other exploit kits and ransomware based on available forensics, Proofpoint investigated the possibility of the involvement of AdGholas and its use of Astrum to spread malware. One of the IP addresses found in the attack was a Mole command and control server; some malware samples contacting this IP had been submitted to VirusTotal and were consistent with a known Astrum payload.
“At that stage, we were almost convinced the events were tied to AdGholas/Astrum EK activity,” Kafeine wrote. “We confirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com.”
The compromised domain was used in a number of malvertising campaigns across Europe and Asia, and Kafeine said all the compromised hosts also contacted the current Astrum command and control IP address, which offers full HTTPS support, Proofpoint said.
“Astrum tried HTTPS between March 30 and April 4, 2017, before adopting it permanently at the end of May, Kafeine said, identifying a number of vulnerabilities exploit by the kit: CVE-2016-0189, CVE-2016-1019, and CVE-2016-4117. “The introduction of Diffie-Hellman suggests that there might be a new exploit the actors are trying to hide in this chain. Obtaining the patch state of the compromised hosts would help rule out this possibility.”
The exploit kit was spreading Mole ransomware on two days, June 14 and 15, in the U.K. and United States, while continuing to spread banking malware elsewhere.
Mole encrypts files and demands 0.5 Bitcoin to receive a decryption key that unlocks scrambled data.
“AdGholas malvertising redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today,” Kafeine wrote. “Full HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value website and targets.”