{
	"id": "564a2f10-3d82-45c2-97ac-c65534df58ab",
	"created_at": "2026-04-06T00:12:26.018327Z",
	"updated_at": "2026-04-10T03:20:03.989336Z",
	"deleted_at": null,
	"sha1_hash": "cb74f2ab81cfe81443dffc7aa6b2c6ee53564e6c",
	"title": "AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1749592,
	"plain_text": "AdGholas Malvertising Campaign Using Astrum EK to Deliver\r\nMole Ransomware | Proofpoint US\r\nBy June 20, 2017 Kafeine\r\nPublished: 2017-06-20 · Archived: 2026-04-05 23:02:42 UTC\r\nOverview\r\nThe AdGholas group has been implicated in some of the largest malvertising campaigns we have ever observed.\r\nWhile this group has remained active, it appears that a number of universities in the United Kingdom were\r\nrecently infected with ransomware via an AdGholas infection chain, a marked departure from the banking Trojans\r\nthis group usually distributes. Although the universities made headlines as a result of the infection, it appears that\r\nthe attack was far more widespread, with malvertising appearing on a number of high-profile websites.\r\nAnalysis\r\nOn June 15, 2017, several universities in the United Kingdom reported that they were victims of a ransomware\r\nattack [2] [3]. We decided to investigate this and ensure we were protecting and alerting our customers\r\nappropriately.\r\nBecause little information was available, we first followed public indicators [1] that actually pointed to an\r\nunrelated spam campaign: we had already internally documented this campaign spreading Dridex botnet ID 2302.\r\nWe were unable to detect email activity explaining the reported infections and turned to assessing the drive-by\r\nlandscape for associated activity. The Magnitude infection chain continued to avoid the UK while still spreading\r\nCerber in Taiwan and the Republic of Korea. We also ensured that the EITest [5] infection chain in the UK was\r\nnot redirecting to an exploit kit (EK). We were aware of an instance of RIG EK chain dropping GlobeImposter\r\nransomware, but the scale did not match that of the outbreaks reported by the UK universities.\r\nAt this point, we began to consider whether AdGholas [11] into Astrum EK (also known as Stegano EK [12] [9])\r\nmight be the infection vector, despite the fact that the ransomware payload was inconsistent with the activity of\r\ntheir usual customers who normally spread banking malware.\r\nWe then learned that the command and control (C\u0026C) IP address for the reported ransomware (137.74.163[.]43)\r\nwas a Mole Ransomware C\u0026C based on ET Intelligence portal data. This also matched other forensic information\r\nfrom the events.\r\nhttps://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nPage 1 of 10\n\nFigure 1: ET Pro data for 137.74.163[.]43\r\nWe searched for malware samples contacting this IP and found two, both of which had submission filenames to\r\nVirusTotal (mopslb.tmp and ldmso.tmp) that were consistent with an Astrum payload name on disk.\r\nAt that stage, we were almost convinced the events were tied to AdGholas / Astrum EK ([11] [12]) activity. We\r\nconfirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com. We had\r\nbeen tracking its activity for several days with colleagues at Trend Micro and contacts in the Advertising industry.\r\nFigure 2: Three AdGholas banners in use, captured June 9, 2017\r\nhttps://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nPage 2 of 10\n\nFigure 3: Air booking template in use by Avia-Book; this is not seen by users but aimed at ad agencies, captured\r\nJune 9, 2017\r\nThis host was used in malvertising campaign targeting a number of countries: Great Britain, Australia, Canada,\r\nItaly, Monaco, Liechtenstein, Luxembourg, and Switzerland. Later, the host was also used in Japan, Taiwan, and\r\nthe United States. We received confirmation that all of the compromised hosts also contacted the current Astrum\r\nIP, 185.45.193[.]123.\r\nWe attempted to replicate the infection chain and successfully witnessed AdGholas activity but were not able to\r\ntrigger the EK redirection.\r\nhttps://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nPage 3 of 10\n\nFigure 4: AdGholas activity captured live on June 16, 2017\r\nFigure 5: AdGholas Malvertising Chain with involved nodes highlighted, captured June 16, 2017\r\nHowever, while we did not capture the redirection in our lab systems, we know this conditionally leads to Astrum\r\nhosted with full HTTPS support on the host 185.45.193[.]123. [13]\r\nhttps://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nPage 4 of 10\n\nFigure 6: A Let’s Encrypt Certificate used by Astrum - June 15, 2017\r\nAstrum tried HTTPS between March 30 and April 4, 2017, before adopting it permanently at the end of May.\r\nKnown CVEs used by Astrum include CVE-2016-0189 [7], CVE-2016-1019 [6], and CVE-2016-4117 [8]. The\r\nintroduction of Diffie-Hellman [9] suggests that there might be a new exploit the actors are trying to hide in this\r\nchain. Obtaining the patch state of the compromised hosts would help rule out this possibility.\r\nhttps://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nPage 5 of 10\n\nIt appears that between June 14 and 15, Astrum was dropping Mole ransomware in the United Kingdom and likely\r\nin the US [4]. Mole is a member of the CryptFile2/CryptoMix ransomware family. We do not know the payloads\r\nin other countries, but, based on past activity, we are confident they were banking Trojans. Unlike ransomware,\r\nbankers are generally less noisy and often remain unnoticed by victims.\r\nFigure 7: Sample of documented Astrum activity\r\nFigure 8: _HELP_INSTRUCTION.TXT dropped by Mole ransomware on victim machines\r\nhttps://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nPage 6 of 10\n\nFigure 9: Mole Ransomware Payment Server - June 15, 2017\r\nFigure 10: Mole FILEs RETURN! Email - June 15, 2017\r\nConclusion\r\nAdGholas malvertising redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain\r\nknown today. Full HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of\r\nhow the Advertising industry operates allow these threat actors to lure large agencies to bring them high volumes\r\nof traffic from high-value website and targets.\r\nhttps://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nPage 7 of 10\n\nMoreover, it is worth remembering that a common misperception about drive-by malvertising attacks remains\r\nprevalent: there is no need to click on the advertisement to be infected. It is enough simply to display the ad: if the\r\nmachine is vulnerable and targeted, then the infection occurs without any user interaction.\r\nAcknowledgements\r\nWe would like to thank first our colleagues Joseph C. Chen at Trend Micro and Frank Ruiz at Fox-IT InTELL for\r\ntheir tremendous help in this study. We would also like to thank people in the Advertising industry and on the\r\nvictim side who helped us directly.\r\nReferences\r\n[1] https://twitter.com/TheRegister/status/875110325275643904\r\n[2] https://www.ulster.ac.uk/isd/incident-response\r\n[3] https://www.infosecurity-magazine.com/news/ucl-hit-by-major-ransomware-attack/\r\n[4] http://www.radioiowa.com/2017/06/16/waverly-hospitals-computers-hacked-by-ransomware/\r\n[5] https://www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme\r\n[6] https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg\r\n[7] http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html\r\n[8] http://malware.dontneedcoffee.com/2016/05/cve-2016-4117-flash-up-to-2100213-and.html\r\n[9] http://blog.trendmicro.com/trendlabs-security-intelligence/astrum-exploit-kit-abuses-diffie-hellman-key-exchange/\r\n[10] https://www.bleepingcomputer.com/forums/t/649297/mole02-virus/\r\n[11] https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight\r\n[12] https://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/\r\n[13] http://blog.trendmicro.com/trendlabs-security-intelligence/adgholas-malvertising-campaign-employs-astrum-exploit-kit/\r\nIndicators of Compromise\r\nDomain | IP Comment\r\nhttps://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nPage 8 of 10\n\nsess.sansanich[.]net|192.200.125[.]110 Astrum - 2017-05-15\r\nindi.kmlaustenesq[.]com|192.200.125[.]110 Astrum - 2017-05-25\r\nific.finethreadsbespoketailors[.]com|188.138.125[.]39 Astrum - 2017-05-30\r\nrequ.scorpyking-slim[.]com|192.52.167[.]220 Astrum - 2017-06-06\r\nunvai.albrightalliance[.]com|185.45.193[.]123 Astrum - 2017-06-12\r\nolved.qedgejobs[.]com|185.45.193[.]123 Astrum - 2017-06-14\r\ntioze.rigimediadity[.]cricket|104.200.67[.]126 Astrum - 2017-03-30\r\nlity.albrightalliance.com|185.45.193[.]123 Astrum - 2017-06-14\r\ncompr.darthom[.]com|188.165.62[.]20 Astrum - 2017-03-30\r\nmous.straightorwadly[.]top|185.61.149[.]52 Astrum - 2017-04-03\r\navia-on[.]com|195.123.218[.]25 AdGholas - 2017-06-02\r\nad14.traffic-market[.]com|107.181.174[.]121 AdGholas - 2017-05-15 \u003e 21\r\nwww.aviasales-online[.]com|5.34.180[.]215 AdGholas - 2017-05-25/26\r\nhotels-onlinebook[.]com|107.181.174[.]140 AdGholas - 2017-05-28/29\r\navia-discount[.]com|195.123.212[.]72 AdGholas - 2017-05-30\r\nhttps://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nPage 9 of 10\n\navia-book[.]com|195.123.209[.]229 AdGholas - 2017-06-08 \u003e 14\r\nebooking-hotels[.]com|185.82.217[.]43 AdGholas - 2017-05-27\r\nhotels-ebook[.]com|185.82.217[.]127 AdGholas - 2017-05-30\r\navia-bookings[.]com|82.118.17[.]132 AdGholas - 2017-06-01\r\n137.74.163[.]43 Mole C2\r\nsupportjy2xvvdmx[.]onion Mole Payment Server\r\ndecodefiles@post[.]com Files Return email sender\r\n1CzoVXuzrKAe6ancEdMsfSkyzWffzyakUe Bitcoin address mentioned in “Files Return” Email\r\nsha256 Comment\r\n7b3075b1a8cc0163d1e12000338adf3ed8a69977c4d4cacfc2e20e97049d727a\r\nMole Ransomware - 2017-\r\n06-14\r\n846416b8b5d3c83e0191e62b7a123e9188b7e04095a559c6a1b2c22812d0f25e\r\nMole Ransomware - 2017-\r\n06-14\r\nSelect ET Signatures that would fire on such traffic:\r\n2024203 || ET TROJAN Win32/Mole Ransomware CnC Beacon\r\nSource: https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nhttps://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware\r\nPage 10 of 10\n\n https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware     \nFigure 1: ET Pro data for 137.74.163[.]43    \nWe searched for malware samples contacting this IP and found two, both of which had submission filenames to\nVirusTotal (mopslb.tmp and ldmso.tmp) that were consistent with an Astrum payload name on disk.\nAt that stage, we were almost convinced the events were tied to AdGholas / Astrum EK ([11] [12]) activity. We\nconfirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com. We had\nbeen tracking its activity for several days with colleagues at Trend Micro and contacts in the Advertising industry.\nFigure 2: Three AdGholas banners in use, captured June 9, 2017  \n   Page 2 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware"
	],
	"report_names": [
		"adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434346,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb74f2ab81cfe81443dffc7aa6b2c6ee53564e6c.pdf",
		"text": "https://archive.orkl.eu/cb74f2ab81cfe81443dffc7aa6b2c6ee53564e6c.txt",
		"img": "https://archive.orkl.eu/cb74f2ab81cfe81443dffc7aa6b2c6ee53564e6c.jpg"
	}
}