Security researchers from Proofpoint and Trend Micro have uncovered a massive malvertising campaign that has been targeting over one million users per day and infecting thousands, running since the summer of 2015, with unconfirmed clues showing that it might date back to as early as 2013.

Researchers first spotted the campaign last October, when they were investigating two other massive and more easy-to-spot malvertising attacks codenamed GooNky and VirtualDonna.

According to subsequent research carried out by both companies, this campaign codenamed AdGholas used innovative and sophisticated techniques to avoid detection.

AdGholas Malvertising campaign hit 22 ad networks

Crooks used 22 different ad networks to display their ads on a large number of legitimate sites.

They used the traffic filtering controls provided by the advertising platforms to show their malicious ads only to the audience they were interested in targeting.

However, the group wasn't satisfied and also used additional homegrown fingerprinting scripts to filter the users who clicked on the ads or were redirected to their own malicious domains.

These additional filters used several information disclosure bugs to leak details about the user's operating systems.

Crooks searching for users running OEM versions of Windows

The crooks were interested in users who had Nvidia or ATI drivers installed and OEM logos on their PCs, as a sign that they were using a highly customized OEM version of Windows.

Furthermore, this malvertising campaign marks the first time that crooks leveraged steganography to transmit malicious code embedded in malicious banner ads.

All of these advanced methods of filtering the ad traffic allowed the campaign to go unnoticed for almost a year.

Malvertising campaign infected users with multiple types of malware

During this time, researchers noticed the groups used the Angler exploit kit to infect users, and later the Neutrino exploit kit, after Angler shut down operations.

When someone reached the exploit kit landing pages, they would be infected with a broad range of malware, usually different based on the user's location.

Proofpoint says that exploit kits delivered Gozi ISFB malware in Canada, Terdot.A (DELoader) in Australia, Godzilla-loaded Terdot.A in Great Britain, and Gootkit in Spain.

113 legitimate sites helped drive traffic to the crook's malicious servers

The two security firms notified all 22 ad platforms in June, and they moved to take down all of the campaign's malicious ads from their networks.

During their operation, the crooks showed malicious ads on 113 domains, including some big names such as The New York Times, Le Figaro, The Verge, PCMag, IBTimes, ArsTechnica, Daily Mail, Telegraaf, La Gazetta dello Sport, CBS Sports, Top Gear, Urban Dictionary, Playboy, Answers.com, Sky.com, and more.

"Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, AdGholas shows that the threat is not diminishing," Proofpoint notes. "Instead, AdGholas is a vivid reminder that attackers continue to evolve. Their increasingly sophisticated techniques enable them to remain stealthy and effective even in the face of the latest defensive advances."