The AdGholas malvertising threat group used the Astrum exploit kit to infect victims with Mole ransomware, a variant of CryptoMix.

The AdGholas malvertising threat group conducted a new campaign in May and June 2017 using the Astrum exploit kit to infect victims with Mole ransomware – an unusual change-up for these adversaries, who historically have favored banking trojans, according to researchers from Trend Micro and Proofpoint.

According to a Proofpoint blog post, AdGholas' Mole victims included several universities in the UK, including University College London and Ulster University. Mole is a derivative of the CryptoMix ransomware family.

A separate blog post from Trend Micro referenced a total of 262,163 events caused by AdGholas from May 14 to June 18, noting prominent activity in the U.S. (33.46% of incidents), Japan (31.59%), Italy (8.78%), Australia (7.56%) and the U.K. (5.11%). Proofpoint suspects that only U.K. and U.S. organizations were actually delivered ransomware, while other countries continued to receive banking malware.

Proofpoint also reported that organizations in Canada, Monaco, Liechtenstein, Luxembourg, and Switzerland were targeted by the latest malvertising campaign, which, based on Trend Micro observations, peaked on June 8 with approximately 40,000 events.

Both companies reported that around the time that AdGholas actors started leveraging Astrum, the exploit kit began using HTTPS to further obscure its malicious traffic. "They do this by applying a free HTTPS certificate to a shadow domain, a website that diverts users to the actual or primary URL," explains Trend Micro fraud researcher Joseph Chen, in his company's blog post. "Shadowed domains can be traced to a black-hat search engine optimization practice of creating websites expressly for search engine crawlers to generate rankings for the main domain. In Astrum's case, the shadow domain is mapped to the exploit kit's server and rotates the domain around every six hours. The cycle makes their activity (and attacks) more challenging to detect."
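The rotation pattern Chen describes, with a shadow hostname that lives only about six hours before being swapped, is something a defender can look for in web-proxy logs. The following heuristic is an added example for this article, not code from Trend Micro or Proofpoint; the log format, the sample records and the thresholds are all constructed for the demonstration.

```python
"""Heuristic for spotting domain-shadowing rotation in web-proxy logs.

Added example (not from the original article or the vendors it cites).
Flags registered domains that spawn many short-lived hostnames, the pattern
the article attributes to Astrum's shadow domains, rotated about every six
hours.  Log lines are constructed for the demo; the field layout is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client> <hostname>" proxy records.
SAMPLE_LOG = """\
2017-06-08T00:05:00 10.0.0.5 a7x.legit-blog.example
2017-06-08T03:10:00 10.0.0.9 a7x.legit-blog.example
2017-06-08T06:20:00 10.0.0.5 q9k.legit-blog.example
2017-06-08T11:40:00 10.0.0.7 q9k.legit-blog.example
2017-06-08T12:30:00 10.0.0.9 m2p.legit-blog.example
2017-06-08T17:55:00 10.0.0.5 m2p.legit-blog.example
2017-06-08T00:00:00 10.0.0.5 www.corp-site.example
2017-06-08T18:00:00 10.0.0.7 www.corp-site.example
2017-06-09T09:00:00 10.0.0.9 cdn.corp-site.example
2017-06-09T10:00:00 10.0.0.9 cdn.corp-site.example
"""

def registered_domain(host: str) -> str:
    """Naive parent-domain extraction (assumes two-label registrable domains)."""
    return ".".join(host.rsplit(".", 2)[-2:])

def shadowed_parents(log_text: str, max_life=timedelta(hours=6),
                     min_children: int = 3) -> dict:
    """Return {parent: [short-lived hostnames]} for every parent domain with at
    least `min_children` hostnames whose observed lifetime (last seen minus
    first seen) is at most `max_life`.  A hostname seen once has lifetime zero
    and counts as short-lived; the sibling-count threshold limits the noise."""
    seen = {}  # host -> [first_seen, last_seen]
    for line in log_text.splitlines():
        ts, _client, host = line.split()
        t = datetime.fromisoformat(ts)
        first, last = seen.setdefault(host, [t, t])
        seen[host] = [min(first, t), max(last, t)]
    by_parent = defaultdict(list)
    for host, (first, last) in seen.items():
        if last - first <= max_life:
            by_parent[registered_domain(host)].append(host)
    return {p: sorted(h) for p, h in by_parent.items() if len(h) >= min_children}
```

In the sample, legit-blog.example is flagged because three of its hostnames each appear for under six hours, while corp-site.example is not, since its only short-lived name is a single CDN host.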

Additionally, in April 2017 Astrum adopted the Diffie-Hellman cryptographic key exchange "to prevent monitoring tools and researchers from replaying their traffic," Chen wrote.

In his own company's report, Proofpoint researcher and blog post author "Kafeine" said that an AdGholas malvertising campaign redirecting to the Astrum EK "is the most evolved blind mass infection chain known today. Full HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value website and targets."

Researchers from FOX-IT also reportedly participated in the malvertising analysis.