A treacherous malicious advertising campaign is making a comeback on major publishing websites including the likes of MSN and Yahoo, merely months after researchers discovered and were thought to have ended the campaign.

Malvertising, or malicious software delivered through advertisements, is an extremely effective way to target and infect a large number of computers. They are typically embedded into ad networks and trigger a cyberattack when the ads are viewed, often unbeknownst to the victim.

A malicious group dubbed AdGholas, has been known to deliver malware payloads through advertisements in the past. The group’s last-known campaign was shut down in July 2016, after infecting at least a million computers a day with malware.

However, a new ad campaign is turning heads again and the advertising agency is not having an easy time diffusing these malicious payloads, even after realizing that the threat is real. According to Jerome Segura, lead malware intelligence analyst at Malwarebytes, the attack campaigns triggered by AdGholas can be blocked in the short-term. However, significant security weaknesses in the online advertising industry means that malicious groups will target websites with new and modified attack patterns, the researcher says.

A Technically Sound Attack Campaign

AdGholas’ latest campaign sees it distribute malvertising through ‘Browser Defense’ a malicious piece of software purporting to be a privacy tool and Broxu, a screen-capture application. The ad looks for a known information leakage vulnerability on Internet Explorer, even if the user avoids clicking on the advertisement, according to Eset.

Here, the vulnerability allows the attacker to obtain key facts and information about the computer. Before proceeding with an attack, the cybercriminal is able to ascertain if the computer is running an anti-virus program or other security software. The information even reveals if the computer is actually a virtual machine.

Picking out the malvertising campaign by AdGholas specifically, Segura stated:

It is one of the most advanced malvertising attacks that I’ve ever witnessed.

Typically, cybercriminals avoid running malware on computers if they suspect that their campaign is being studied, in order to further the longevity of the campaign by avoiding discovery from researchers. However, in the case of AdGholas’ malvertising campaign, the information gathered includes the computer’s performance stats, the locations of its installed video drivers and even the computer’s time zone. These checks are pored over multiple times before the victim is chosen.

“These kind of things are absolutely insane from our point of view,” Segura added. “That level of detail is just very, very advanced. The group is very paranoid.”

When a victim is chosen, the browser redirects the victim to a landing page hosting Astrum, an exploit kit that then attempts to exploit vulnerabilities in the notoriously exploitable Flash Player.

Segura was able to observe a full attack after many attempts of trying to trigger an attack by AdGholas’ campaign. Yahoo was notified of the attack around November 27 according to Data Breach Today. However, merely two days later, the malicious advertisements were back. AdGholas has simply changed the domain used for the domain used for the attacks.

A lack of quality control in ad networks has seen the latest round of attacks by AdGholas targeting computers in the U.K., Australia, Spain, Italy, Canada and Switzerland while avoiding computers in the U.S.

The failure of quality control also means that the malvertising campaign can target and figure on major websites which sees millions of visitors.

Segura added:

If they’re not seeing it, we’re in serious trouble here. These attacks are happening and nobody is really aware of them.

Image credit: Flickr.