Huge malvertising campaign uses steganography to hide malware in plain sight

By encoding malware in innocuous-looking images and only decoding it once the victim had been found to be "safe", the creators of AdGholas managed to hide their malvertising campaign for over a year.

Don't be fooled by their cuteness – they could pwn your computer [Editor's note: It's actually safe, we're just making a point ;)]

A massive malvertising campaign has been discovered running since last summer, infecting thousands of users' computers.

Security researchers from Proofpoint stumbled upon the campaign last October while investigating other attacks codenamed GooNky and VirtualDonna. The present campaign has been dubbed AdGholas and uses techniques such as steganography and sophisticated filtering to avoid detection and spread as widely as possible.

The investigation was a collaborative effort between Proofpoint and Trend Micro. In a blog post, Proofpoint said that it combined intelligence it gathered with telemetry data from Trend Micro to get an idea of the scale of the campaign.

“Before AdGholas suspended operation, we witnessed geo-focused banking Trojans being dropped on the compromised computers upon successful infection. For example, Gozi ISFB was dropped in Canada, Terdot.A (aka DELoader) in Australia, Godzilla loaded Terdot.A in Great Britain, and Gootkit was dropped in Spain. It seems that there are four different Neutrino threads, as Neutrino is not including an internal TDS while Blackhole, Angler and Nuclear were,” the firm said.

Criminals used over 100 ad exchanges to distribute malware, gaining around five million page impressions per day. The researchers estimated that up to 20 percent of computers loaded dodgy ads that redirected to servers hosting exploit kits.

The malvertising code used checks to ensure potential victims weren't actually security researchers using virtual machines or the ad networks themselves to find malware. It also filtered victims based on geolocation to target victims in specific regions, possibly at the request of cyber-criminals behind banking Trojans that paid the AdGholas criminals to distribute malware.

Another way the criminals evaded detection was the use of steganography, hiding encrypted JavaScript code in images, text and HTML. This code was only extracted and decrypted if the computer passed certain tests. The firm said this was the first time it had observed the technique used in malvertising.
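The article does not say how AdGholas encoded its script into images, so the following added example (not code from Proofpoint, Trend Micro or the campaign) shows one defender-side check for the simplest carrier in this class: data appended after a PNG's final IEND chunk. The 1x1 sample image and the appended payload are constructed for the demo; the script marker strings and the 7.0-bit entropy threshold are assumptions, not campaign indicators.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """Constructed minimal valid PNG (one white 8-bit RGB pixel) for the demo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00" + b"\xff\xff\xff"  # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_trailing_data(blob: bytes) -> bytes:
    """Walk the chunk list and return every byte that follows the IEND chunk.
    A well-formed image has nothing there; an image carrying an appended payload does."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return blob[pos:]
    return b""  # truncated file or no IEND: nothing to report here


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit near 8.0, plain script far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def assess_png(blob: bytes) -> dict:
    """Flag a PNG whose trailer is non-empty, script-like, or high-entropy (assumed threshold)."""
    trailer = png_trailing_data(blob)
    markers = (b"<script", b"eval(", b"iframe", b"document.")  # assumed markers
    entropy = shannon_entropy(trailer)
    return {
        "trailer_bytes": len(trailer),
        "trailer_entropy": round(entropy, 2),
        "looks_like_script": any(m in trailer.lower() for m in markers),
        "high_entropy": entropy > 7.0,
        "suspicious": len(trailer) > 0,
    }
```

Appended trailers are only one carrier; pixel-level (LSB) encodings keep the chunk structure clean and need a statistical comparison of the rendered pixels instead, which this check does not attempt.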

It was these techniques that allowed the campaign to go unnoticed for nearly a year.

"Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, AdGholas shows that the threat is not diminishing," Proofpoint said. "Instead, AdGholas is a vivid reminder that attackers continue to evolve. Their increasingly sophisticated techniques enable them to remain stealthy and effective even in the face of the latest defensive advances."

Mark James, security specialist at ESET, told SCMagazineUK.com that the complexity of this campaign enabled it to stay undetected for so long. “For malvertising to be really effective it needs to stay under the radar, mimicking the real thing, to not only fool you, but more importantly fool the ad agencies it needs to work closely with,” he said.

“Making sure your operating systems and applications are all up-to-date, and that you have a good regular updating internet security product will help you stay safer. Good multilayer protection is the only way you will stay safe these days, relying on single measures is just not good enough anymore.”

Thomas Pore, director of IT at Plixer, told SC that the detection and analysis of AdGholas shows how creative, resilient and money hungry cyber-criminals are.

“Advertising is an excellent way to get content in front of a large audience quickly and by using advertising to redirect to a malicious site, users do not need to click anything,” he said.

“While steganography has been used in other malware campaigns, this is the first documented case of its use in a drive-by campaign with advertising. Hiding encrypted iframe redirect JavaScript inside an image and using a process to decrypt and exploit demonstrates that, regardless of your security layers, cyber-criminals have the advantage of innovation to target users.”