AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware

Overview

The AdGholas group has been implicated in some of the largest malvertising campaigns we have ever observed. While this group has remained active, it appears that a number of universities in the United Kingdom were recently infected with ransomware via an AdGholas infection chain, a marked departure from the banking Trojans this group usually distributes. Although the universities made headlines as a result of the infection, it appears that the attack was far more widespread, with malvertising appearing on a number of high-profile websites.

Analysis

On June 15, 2017, several universities in the United Kingdom reported that they were victims of a ransomware attack [2] [3]. We decided to investigate this and ensure we were protecting and alerting our customers appropriately.

Because little information was available, we first followed public indicators [1] that actually pointed to an unrelated spam campaign: we had already internally documented this campaign spreading Dridex botnet ID 2302. We were unable to detect email activity explaining the reported infections and turned to assessing the drive-by landscape for associated activity. The Magnitude infection chain continued to avoid the UK while still spreading Cerber in Taiwan and the Republic of Korea. We also ensured that the EITest [5] infection chain in the UK was not redirecting to an exploit kit (EK). We were aware of an instance of RIG EK chain dropping GlobeImposter ransomware, but the scale did not match that of the outbreaks reported by the UK universities.

At this point, we began to consider whether AdGholas [11] into Astrum EK (also known as Stegano EK [12] [9]) might be the infection vector, despite the fact that the ransomware payload was inconsistent with the activity of their usual customers who normally spread banking malware.

We then learned that the command and control (C&C) IP address for the reported ransomware (137.74.163[.]43) was a Mole Ransomware C&C based on ET Intelligence portal data. This also matched other forensic information from the events.

Figure 1: ET Pro data for 137.74.163[.]43

We searched for malware samples contacting this IP and found two, both of which had submission filenames to VirusTotal (mopslb.tmp and ldmso.tmp) that were consistent with an Astrum payload name on disk.

At that stage, we were almost convinced the events were tied to AdGholas / Astrum EK ([11] [12]) activity. We confirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com. We had been tracking its activity for several days with colleagues at Trend Micro and contacts in the Advertising industry.

Figure 2: Three AdGholas banners in use, captured June 9, 2017

Figure 3: Air booking template in use by Avia-Book; this is not seen by users but aimed at ad agencies, captured June 9, 2017

This host was used in malvertising campaign targeting a number of countries: Great Britain, Australia, Canada, Italy, Monaco, Liechtenstein, Luxembourg, and Switzerland. Later, the host was also used in Japan, Taiwan, and the United States. We received confirmation that all of the compromised hosts also contacted the current Astrum IP, 185.45.193[.]123.

We attempted to replicate the infection chain and successfully witnessed AdGholas activity but were not able to trigger the EK redirection.

Figure 4: AdGholas activity captured live on June 16, 2017

Figure 5: AdGholas Malvertising Chain with involved nodes highlighted, captured June 16, 2017

However, while we did not capture the redirection in our lab systems, we know this conditionally leads to Astrum hosted with full HTTPS support on the host 185.45.193[.]123. [13]

Figure 6: A Let’s Encrypt Certificate used by Astrum - June 15, 2017

Astrum tried HTTPS between March 30 and April 4, 2017, before adopting it permanently at the end of May. Known CVEs used by Astrum include CVE-2016-0189 [7], CVE-2016-1019 [6], and CVE-2016-4117 [8]. The introduction of Diffie-Hellman [9] suggests that there might be a new exploit the actors are trying to hide in this chain. Obtaining the patch state of the compromised hosts would help rule out this possibility.

It appears that between June 14 and 15, Astrum was dropping Mole ransomware in the United Kingdom and likely in the US [4]. Mole is a member of the CryptFile2/CryptoMix ransomware family. We do not know the payloads in other countries, but, based on past activity, we are confident they were banking Trojans. Unlike ransomware, bankers are generally less noisy and often remain unnoticed by victims.

Figure 7: Sample of documented Astrum activity

Figure 8: _HELP_INSTRUCTION.TXT dropped by Mole ransomware on victim machines

Figure 9: Mole Ransomware Payment Server - June 15, 2017

Figure 10: Mole FILEs RETURN! Email - June 15, 2017

Conclusion

AdGholas malvertising redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today. Full HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the Advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value website and targets.

Moreover, it is worth remembering that a common misperception about drive-by malvertising attacks remains prevalent: there is no need to click on the advertisement to be infected. It is enough simply to display the ad: if the machine is vulnerable and targeted, then the infection occurs without any user interaction.

Acknowledgements

We would like to thank first our colleagues Joseph C. Chen at Trend Micro and Frank Ruiz at Fox-IT InTELL for their tremendous help in this study. We would also like to thank people in the Advertising industry and on the victim side who helped us directly.

References

[1] https://twitter.com/TheRegister/status/875110325275643904

[2] https://www.ulster.ac.uk/isd/incident-response

[3] https://www.infosecurity-magazine.com/news/ucl-hit-by-major-ransomware-attack/

[4] http://www.radioiowa.com/2017/06/16/waverly-hospitals-computers-hacked-by-ransomware/

[5] https://www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme

[6] https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg

[7] http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html

[8] http://malware.dontneedcoffee.com/2016/05/cve-2016-4117-flash-up-to-2100213-and.html

[9] http://blog.trendmicro.com/trendlabs-security-intelligence/astrum-exploit-kit-abuses-diffie-hellman-key-exchange/

[10] https://www.bleepingcomputer.com/forums/t/649297/mole02-virus/

[11] https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight

[12] https://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/

[13] http://blog.trendmicro.com/trendlabs-security-intelligence/adgholas-malvertising-campaign-employs-astrum-exploit-kit/

Indicators of Compromise

Select ET Signatures that would fire on such traffic:

2024203 || ET TROJAN Win32/Mole Ransomware CnC Beacon