The Mole ransomware infections that hit a number of universities in the U.K. recently have been traced back to the AdGholas malvertising network and the Astrum exploit kit.
The attacks against several universities, including University College London, emerged last week, and initially there were fears that they were connected to the WannaCry ransomware outbreak. But researchers at Proofpoint dug into the available information and found that the infections were the result of a malvertising network redirecting users to sites hosting the Astrum exploit kit. Astrum carries exploits for a number of different vulnerabilities, and Proofpoint's researchers found that during the window in which the universities were hit it was dropping the Mole ransomware.
Officials at UCL said at the time, June 14, that the infection may have started with users visiting a compromised website, which lines up with Proofpoint's findings.
“Our current hypothesis is that the infection started as a result of UCL users visiting a website that had been compromised. Clicking on a popup or even just visiting a compromised site may have then introduced the malware to their device. The website could be one that they use regularly. We are still trying to confirm this and determine the site that may have caused the infection,” the university said in a statement.
The AdGholas malvertising network has been used in a number of large campaigns, but most of them have delivered banking trojans. The U.K. attacks differed in two ways: the payload was the Mole ransomware, and the entire infection chain, from the ad through the redirect to the exploit kit, ran over HTTPS.
“It appears that between June 14 and 15, Astrum was dropping Mole ransomware in the United Kingdom and likely in the US. Mole is a member of the CryptFile2/CryptoMix ransomware family. We do not know the payloads in other countries, but, based on past activity, we are confident they were banking Trojans. Unlike ransomware, bankers are generally less noisy and often remain unnoticed by victims,” the report from Proofpoint researcher Kafeine says.
“AdGholas malvertising redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today. Full HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the Advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value websites and targets.”
The Mole infection chain is notable not just for its use of HTTPS, but also because victims did not have to do anything beyond loading a page that displayed one of the malicious ads. A user running a browser version targeted by one of the kit's exploits would be compromised as soon as the ad rendered, with no click on a link or pop-up required. Many ransomware infections begin with a victim clicking a malicious link or opening an infected attachment, and user awareness can reduce those; it does nothing against a drive-by exploit kit, where the controls that matter are keeping the browser and its plugins patched and limiting what third-party ad content is allowed to load. The end-to-end HTTPS also meant that network-layer content inspection, unless it terminated TLS, would have seen only the encrypted redirect chain and not the exploit itself.
CC By-SA license image from Steve Cadman