The AdGholas malvertising network was using steganography, researchers reveal

Attacks leveraged advanced filtering techniques to target victims.

David bisson
David Bisson

The AdGholas malvertising network was using steganography, researchers reveal

The AdGholas malvertising network is the first to incorporate steganography into a drive-by malware campaign, claims new research released by security firm Proofpoint.

Proofpoint researchers say that they first came across the malvertising campaign back in October 2015. Immediately, they knew something was different about the infection chain, as they explain in a blog post:

“When we replayed the infection chain captured through automated browsing, we noticed that redirection was based on transmission of a cookie (‘utml’). Receipt of the cookie was conditioned by different language settings, time zone, and browser configuration (specifically, the absence of a Pragma-cache header, which is usually sent when Internet Explorer is using a proxy).”

Sign up to our free newsletter.
Security news, advice, and tips.


To better understand how the malvertising campaign worked, the researchers built a virtual machine with its own custom settings and put it through the campaign’s series of tests.

In the first round of checks, if the campaign did not select a user as a target, the machine displayed clean JavaScript and a straightforward banner. But if they were chosen based upon their language settings, time zone, and browser configuration, the JavaScript included some malicious code, and a different banner loaded up.

Just how “different,” you might ask? With the help of Trend Micro, Proofpoint’s research team determined the campaign was using steganography to conceal code in a banner responsible for loading up a malicious iframe.


The researchers also saw extensive use of filtering techniques in the second round of checks, including tactics which specifically looked out for software such as GeoEdge, Geosurf, and AdClarity ToolBar. The techniques also watched for Nvidia or ATI Drivers and OEMInfo/OEMLogo files, which would suggest users had a highly customized OEM version of Windows installed on their machines.

Through those checks, ProofPoint arrived at the final payloads of the campaign. Specifically, they found the malvertisers were leveraging the Angler exploit kit and later on the Neutrino exploit kit (which has been busy, as of late) to target users and infect them with a variety of malware.

In total, the crooks showed malicious ads on 113 domains, reports Softpedia, including The New York Times and The Verge. Those ads generated one to five million high quality client hits in traffic per day.


ProofPoint’s researchers agree that a campaign of AdGholas’ magnitude and sophistication demonstrates how exploit kit-based malvertising is not going to disappear anytime soon:

“Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, the example of AdGholas shows that it would be a mistake to assume this threat is diminishing. Instead, AdGholas demonstrates that malvertising campaigns continue to evolve and adopt increasingly sophisticated techniques that enable them to remain stealthy and effective even in the face of the latest defensive advances.”

However, the good news is that AdGholas itself has been disrupted:

“While AdGholas appears to have ceased operation in the wake of action by advertising network operators following notification by Proofpoint, the scale and sophistication of this operation demonstrate the continued evolution and effectiveness of malvertising.”

To help protect against exploit kit attacks, users should update their systems regularly and install a security solution onto their computers.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “The AdGholas malvertising network was using steganography, researchers reveal”

  1. rod

    you are usually very clear and didactic. I don't have a clue of what you are trying to explain this time.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.