London, UK – July 6, 2017 – The AdGholas group has been operating for several years and uses its malvertising network to infect victims with a variety of malware. Although its activities have long been known, the AdGholas group is still active and continues to evolve its methods. The adversaries use steganography and filtering techniques and receive traffic from more than 20 different AdAgency / AdExchange platforms. AdGholas selects 1-5 million hits and redirects them to clones of real sites, where exploit kits deliver malware to victims' computers. The attackers mainly distribute banking Trojans (the malware used varies by geography, for example Gozi ISFB in Canada, Terdot.A in Australia and Gootkit in Spain), but they have also been observed spreading ransomware (in the United Kingdom and the United States).
Malvertising campaigns continue to evolve, and the actors behind them use increasingly sophisticated techniques that allow them to remain undetected. They pose a serious danger both to businesses and to the public sector. With the SIEM, Ransomware Hunter and APT Framework use cases you can detect the use of exploits as well as Trojan and ransomware activity. The recent use of ransomware by the AdGholas group shows that the attackers are trying to expand their capabilities, and we may soon learn about a new large-scale APT campaign.