We spotted a new AdGholas malvertising campaign using the Astrum exploit kit (also known as Stegano) across various countries. The attacks we’ve seen are capable of concealing their malicious traffic using the Hyper Text Transfer Protocol Secure (HTTPS) protocol, which can make detection of their activities more challenging. HTTPS, where the connection between the browser and application is encrypted with Transport Layer Security (TLS), is employed to protect highly sensitive transactions such as online banking and shopping.

At the end of April this year, we found the Astrum exploit kit employing Diffie-Hellman key exchange to prevent monitoring tools and researchers from replaying its traffic. When we saw the exploit kit back in May arming itself with anti-analysis capabilities as the exploit kit landscape continued to decline, we thought that it was only a matter of time before Astrum took advantage of the apparent lull by mounting actual malware campaigns. The same can be construed during the height of the WannaCry ransomware outbreak and its aftermath.

On May 15, we saw Astrum’s activities pick up again, and we’ve uncovered that they’re delivered by the AdGholas malvertising operations. As AdGholas started to push the exploit, we saw another evolution: Astrum using HTTPS to further obscure its malicious traffic.

We worked with ProofPoint’s Kafeine to retrace AdGholas’ activities. We were able to monitor 262,163 events triggered by AdGholas from May 14 to June 18, 2017. The most impacted countries from its recent activity include the US, Japan, Italy, Australia, and the UK.

Figure 1: Timeline of AdGholas’ activity from May 14 to June 18, 2017

Figure 2: Distribution of AdGholas’ activity per country

Astrum is known for being AdGholas’ partner-in-crime. AdGholas is notorious for employing zero-day vulnerabilities in Internet Explorer, which other exploit kits would later incorporate. AdGholas was also notable for the scale of its campaigns and some of the techniques in its arsenal, like steganography.

Figure 3: One of the malvertisements used by AdGholas

Given Astrum’s capability to deter analysis and forensics, we were not able to capture the actual payloads the exploit kit delivered to different countries. Through our collaborative analysis with ProofPoint, however, we found a correlation with a recent string of ransomware attacks in the UK. Among them is CryptoMix: Mole, which first emerged in late April via abused Google Docs URLs.

Between June 14 and 15, ProofPoint found that Astrum delivered ransomware, which is uncharacteristic (but unsurprising) of its usual payloads. The ones we saw are variants (detected by Trend Micro as RANSOM_CRYPAURA.SHLDJ and RANSOM_CRYPAURA.F117FF) of the CryptAura family. AdGholas is notorious for delivering multifarious threats, some of which include downloaders and the banking Trojans Dreambot/Gozi/Ursnif and RAMNIT.

Astrum has also started using HTTPS to encrypt and conceal its malicious traffic. It does this by applying a free HTTPS certificate to a shadow domain, a website that diverts users to the actual or primary URL. Shadowed domains can be traced to a black hat search engine optimization practice of creating websites expressly for search engine crawlers to generate rankings for the main domain. In Astrum’s case, the shadow domain is mapped to the exploit kit’s server, and the domain is rotated around every six hours. The cycle makes its activity (and attacks) more challenging to detect.

Figure 4: The certificate to a shadow domain used by Astrum

Exploit kits such as Astrum expose users to a plethora of threats, from personal information and financial theft to even encryption of important files, and can put a company’s bottom line and business continuity at risk. Given the potent combination of Astrum and AdGholas, a defense-in-depth approach to security is recommended.
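The shadow domains described above are short-lived subdomains hung off an otherwise established domain and pointed at infrastructure the parent never uses. The following detection heuristic is an added example, not code from the original post or from Trend Micro: it runs over constructed TLS/DNS telemetry and flags hostnames that are seen only for a few hours and resolve to an IP the parent domain's own hosts do not share.

```python
"""Flag short-lived 'shadow' subdomains in TLS/DNS telemetry (added example).

Heuristic (an assumption for this example, not from the original post): a
subdomain of an established parent whose observed lifetime is only a few hours
and whose IPs are never used by the parent's apex or www host is suspicious.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, server name from TLS SNI, resolved IP).
RECORDS = [
    ("2017-06-14T00:05:00", "www.example-news.test", "203.0.113.10"),
    ("2017-06-14T01:10:00", "x7q2.example-news.test", "198.51.100.77"),
    ("2017-06-14T06:40:00", "x7q2.example-news.test", "198.51.100.77"),
    ("2017-06-14T07:15:00", "k93m.example-news.test", "198.51.100.77"),
    ("2017-06-14T12:50:00", "k93m.example-news.test", "198.51.100.77"),
    ("2017-06-14T13:00:00", "www.example-news.test", "203.0.113.10"),
    ("2017-06-14T02:00:00", "cdn.example-news.test", "203.0.113.11"),
    ("2017-06-16T02:00:00", "cdn.example-news.test", "203.0.113.11"),
]

def registered_domain(host: str) -> str:
    # Simplified to the last two labels; real code should use a public-suffix list.
    return ".".join(host.split(".")[-2:])

def find_shadow_domains(records, max_lifetime=timedelta(hours=8), min_sightings=2):
    first, last, ips, sightings = {}, {}, defaultdict(set), defaultdict(int)
    parent_ips = defaultdict(set)  # IPs used by the apex / www host of each parent
    for ts, host, ip in records:
        t = datetime.fromisoformat(ts)
        first[host] = min(first.get(host, t), t)
        last[host] = max(last.get(host, t), t)
        ips[host].add(ip)
        sightings[host] += 1
        parent = registered_domain(host)
        if host in (parent, "www." + parent):
            parent_ips[parent].add(ip)
    flagged = []
    for host in first:
        parent = registered_domain(host)
        if host in (parent, "www." + parent) or sightings[host] < min_sightings:
            continue
        short_lived = last[host] - first[host] <= max_lifetime  # rotated within hours
        foreign_ip = not (ips[host] & parent_ips[parent])       # never shares an IP
        if short_lived and foreign_ip:
            flagged.append(host)
    return sorted(flagged)

if __name__ == "__main__":
    print(find_shadow_domains(RECORDS))  # ['k93m.example-news.test', 'x7q2.example-news.test']
```

The long-lived `cdn` host on a different IP is not flagged, which is the false-positive class the lifetime check exists for; tune `max_lifetime` to the rotation cadence you observe.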