Global malvertising campaign shuts down

The Shadowgate malware campaign has been halted by security firm Talos and hosting company GoDaddy

GoDaddy were found to be inadvertently hosting elements of the malvertising campaign

A worldwide campaign to spread malware through ads on websites has been shut down, according to researchers.

The malvertising campaign, which operated in North America, EU, Asia-Pacific and the Middle East, was discovered by Cisco's Talos Security Intelligence and Research Group.

Malware was propagated through ad networks such as OpenX and Revive, and appeared on many websites. A criminal gang known as Shadowgate bought ads on platforms that allowed them to add JavaScript code to the ads. These ads sent users to dedicated servers called "gates". Each gate checked the user's browser and operating system and, if the conditions were met, redirected the user to a landing page where the Neutrino exploit kit infected the system with malware by exploiting flaws in unpatched software the gate had detected.
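As an added defensive illustration (not code from Talos, GoDaddy or the article): a Python heuristic that reconstructs the ad, gate and landing-page chain described above from constructed proxy log lines, flagging the gate when a subdomain resolves to an address different from its registered domain, which is the domain-shadowing pattern Biasini refers to. The host names, addresses, ad-server allow-list and apex A records are all constructed or assumed inputs.

```python
"""Flag ad -> gate -> landing-page redirect chains in proxy logs (added example,
hypothetical heuristic, not Talos's logic): ad-platform request, then a request
referred by it to a subdomain that resolves away from its apex domain (domain
shadowing), then a request that gate refers on to a third host."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: client, epoch seconds, URL, referer, resolved IP
SAMPLE_LOG = """\
10.0.0.5 1000 http://ads.example-adnet.test/ajs.php http://news.example.test/ 203.0.113.10
10.0.0.5 1002 http://gw.legit-shop.test/in.php http://ads.example-adnet.test/ajs.php 198.51.100.7
10.0.0.5 1004 http://land.rented-box.test/ http://gw.legit-shop.test/in.php 198.51.100.9
10.0.0.9 1005 http://ads.example-adnet.test/ajs.php http://news.example.test/ 203.0.113.10
10.0.0.9 1007 http://img.example-adnet.test/b.png http://ads.example-adnet.test/ajs.php 203.0.113.10
"""
AD_PLATFORM_HOSTS = {"ads.example-adnet.test"}  # assumed allow-list of ad servers
# Constructed A records of the registered (apex) domains, e.g. from passive DNS
APEX_A_RECORDS = {"legit-shop.test": "192.0.2.20", "example-adnet.test": "203.0.113.10"}

def apex(host):
    """Naive registered-domain guess (last two labels); use a public-suffix list in production."""
    return ".".join(host.split(".")[-2:])

def is_shadowed(host, ip):
    """A subdomain resolving to an address other than its apex's is the domain-shadowing pattern."""
    apex_ip = APEX_A_RECORDS.get(apex(host))
    return host != apex(host) and apex_ip is not None and apex_ip != ip

def parse_log(text):
    """Group (timestamp, host, referer host, resolved ip) tuples per client, time-sorted."""
    events = defaultdict(list)
    for line in text.splitlines():
        client, ts, url, referer, ip = line.split()
        events[client].append((int(ts), urlparse(url).hostname, urlparse(referer).hostname, ip))
    return {c: sorted(evs) for c, evs in events.items()}

def find_gate_chains(text, window=10):
    """Return (client, ad_host, gate_host, landing_host) for every suspicious chain."""
    chains = []
    for client, evs in parse_log(text).items():
        for t_ad, ad_host, _, _ in evs:
            if ad_host not in AD_PLATFORM_HOSTS:
                continue
            for t_g, gate, ref_g, ip_g in evs:      # the gate: referred by the ad, shadowed host
                if not (t_ad < t_g <= t_ad + window and ref_g == ad_host and is_shadowed(gate, ip_g)):
                    continue
                for t_l, land, ref_l, _ in evs:     # the landing page: referred by the gate
                    if t_g < t_l <= t_g + window and ref_l == gate and apex(land) != apex(gate):
                        chains.append((client, ad_host, gate, land))
    return chains
```

The second client in the sample fetches a normal image from the ad network's own subdomain, which resolves to the apex address and so is not flagged; a real deployment should replace the naive apex guess with a public-suffix list and source apex records from passive DNS.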

In most cases the criminals delivered the CrypMIC ransomware, as it required no interaction from the user and did not draw attention to itself.

Many of the Shadowgate servers ran on hosting and domains registered through GoDaddy. Talos worked alongside GoDaddy to shut down all of the servers.

“GoDaddy quickly responded and was able to mitigate the threat successfully. As of the publishing of this blog the associated malvertising campaign appears to have been successfully shut down and the malicious activity thwarted. Unfortunately, as this is using domain shadowing it's likely the campaign will only remain dormant for a while, but until then users are protected from this specific threat,” said Cisco researcher Nick Biasini in a blog post.

Javvad Malik, security advocate at AlienVault, told SCMagazineUK.com that setting up a malvertising campaign is unfortunately easier than taking one down.

“Criminals will always follow the money and the easiest way to distribute their wares. Unless there is a fundamental change in the online advertising model, there doesn't seem to be any indication that criminals will slow down,” he said.

He added that shutting down malvertising, bots, or other malicious infrastructure has always been a tough problem because it requires a co-ordinated effort that needs a lot of stakeholders across a wide geographic region. “Domain registrars, website owners, ad networks, law enforcement, researchers, and others all need to come together to successfully disrupt and take down such campaigns.”