Adgholas malvertising group linked to UCL Trojan ransomware attack

News by Rene Millman

Hackers used Astrium exploit kit to deliver Mole ransomware in University College London malware attack, according to research by Proofpoint.

A number of universities in the UK were infected with ransomware via an AdGholas infection chain, according to new research by Proofpoint.

In a blog post, researcher Kafeine said that this was a marked departure from the banking Trojans this group usually distributes.

“Although the universities made headlines as a result of the infection, it appears that the attack was far more widespread, with malvertising appearing on a number of high-profile websites,” Kafeine said.

As reported by SC Media UK last week, University College London was one of several universities and other organisations affected by ransomware infection. The outbreak was contained with services restored on the Friday. The root cause was believed to be a phishing email but it was later found out to be a web-based attack.

Kafeine said that after discounting other ransomware and exploit kits in its forensic investigations, Proofpoint considered whether AdGholas and its use of the Astrum EK could be an infection vector, despite the fact that the ransomware payload was inconsistent with the activity of their usual customers who normally spread banking malware.

They looked at the command and control (C&C) IP address for the reported ransomware and found it was a Mole ransomware C&C based on ET Intelligence portal data. They said this matched other forensic information from the events. They also searched for malware samples contacting this IP and found two, both of which had submission filenames to VirusTotal (mopslb.tmp and ldmso.tmp) that were consistent with an Astrum payload name on disk.

“At that stage, we were almost convinced the events were tied to AdGholas/Astrum EK activity,” said Kafeine. “We confirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com.”

According to Kafeine, this host was used in a malvertising campaign targeting a number of countries: Great Britain, Australia, Canada, Italy, Monaco, Liechtenstein, Luxembourg and Switzerland.

“Later, the host was also used in Japan, Taiwan, and the United States. We received confirmation that all of the compromised hosts also contacted the current Astrum IP,” they said.

They added that Astrum tried HTTPS between March 30 and April 4, 2017, before adopting it permanently at the end of May. 

The introduction of Diffie-Hellman suggested that there might be a new exploit the actors are trying to hide in this chain. “Obtaining the patch state of the compromised hosts would help rule out this possibility,” said Kafeine.

Kafeine added that between 14 and 15 June, Astrum was dropping Mole ransomware in the United Kingdom and likely in the US.  Mole is a member of the CryptFile2/CryptoMix ransomware family

“We do not know the payloads in other countries, but, based on past activity, we are confident they were banking Trojans. Unlike ransomware, bankers are generally less noisy and often remain unnoticed by victims,” said Kafeine.

The researcher said that AdGholas malvertising redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today.

“Full HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the Advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value website and targets,” they said.

Fraser Kyne, CTO for Bromium, told SC Media UK that these attacks are becoming increasingly well designed, making it hard to spot such an attack.

“Imagine being a university worker, and it is close to holiday time. An advert comes pops up selling that cheap holiday to the Bahamas you had been dreaming of since the Christmas period – of course you are going to click on it. Before you know it you have infected your machine, and likely the entire network. For the bad guys this is an easy payload,” he said.

Andrew Clarke, EMEA Director for One Identity, told SC Media UK that the EK was updated to prevent security researchers from replaying their malicious network traffic. 

“The tools available to ransomware campaigns are getting increasingly powerful – resulting in impacted operations; reputational impact as well as longer term outages,” he said.

“Clearly for an exploit kit to work – it relies on unpatched vulnerabilities – not just Microsoft but other applications too such as Adobe – so a pro-active approach to patching helps avoid the troubles that come with the EK and the malicious payloads they are able to deliver.  And of course effective backups – since then at least the systems can be restored quickly if they do get infected.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews