Security researchers have recently uncovered a large-scale malvertising attack run by KovCoreG, a group best known for the widespread distribution of Kovter ad fraud malware on the web through affiliate models.
The attack chain, which has been active and ongoing elsewhere for no less than one year, exposed millions of internet users to the malware through a sham software update scheme to popular web browsers.
According to a report by InfoSec firm Proofpoint, potential victims were tricked into installing the malware on their devices. The infection pathway has, however, been shut down following a notification to the site operators of both PornHub and Traffic Junky.
Background
Ad fraud campaigns remain a profitable enterprise for adversaries who can achieve large-scale malware distribution effectively—especially to less vulnerable machines.
Over the last year, there has been a dramatic decline in these exploits. However, due to better detection mechanisms by vendors and security researchers, threat actors have been improving their infection rates through social engineering and advanced filtering techniques. These forms of attack seem to be more successful and less noticed, compared to the widespread use of exploits.
KovCoreG, through a highly-active social engineering scheme, managed to infiltrate the advertising chain of PornHub, one of the largest and most popular adult sites. The site has over 26 billion visits per year, making it the world’s 38th most visited website, according to data from a U.S.-based Alexa ranking firm.
The malware infection chain KovCoreG group carried out with this attack infected users’ devices with the Kovter malware, a malicious software that would help them generate money through fake adverts, clicks and other online fraud methods.
In this particular attack, Proofpoint researchers studied the Kovter malware infection chain on common browsers for Windows, namely Mozilla Firefox, Google Chrome and Microsoft Edge (Internet Explorer).
The chain operated in a similar fashion in all cases, where the compromised ad network redirected Chrome and Firefox users to a third-party site—a malicious website or social engineering page that claimed to offer free software updates for their browser, or an Adobe Flash plugin update.
Proofpoint VP of Operations Kevin Epstein explained that if a user downloaded and opened the “update” file, they unknowingly installed the Kovter malware program, which would then take over their machine.
The malware could then open invisible web browser processes that clicked on ads, in turn generating potential revenue for the cybercriminals.
Kovter is known as a highly persistent malware that operates on a machine without the user noticing any changes in the system. The malware’s developers used filters to serve malicious ads in specific geographical regions and Internet Service Providers (ISPs), mainly targeting users in the U.S., the U.K., Canada and Australia.
Other mechanisms deployed include fingerprinting by time zones, deploying user or browser language and utilizing screen dimension and history length of the running browser windows. This helped the KovCoreG group target more vulnerable users and, at the same time, evade analysis.
The researchers also revealed a JavaScript code that redirected Chrome users back to a KovCoreG-controlled server. Kovter malware developers used it to prevent security researchers from deciphering the program’s infection chain. Proofpoint researchers, however, say that the affected operators took remediation to prevent further threats upon notification.
Avoiding Malvertising Campaigns
The number of ad fraud campaigns currently taking place on top-ranking websites is highly increasing, meaning that the potential exposure to insecure ads and malware on the web is quite high.
Again, threat actors are adopting more advanced tools and approaches to run their exploits. While the adversary can steal the victim’s information, other types of malware (such as ransomware) might hold any average user hostage.
Therefore, it is advised that you run anti-malware security solutions and get the latest updates for your application programs regularly to avoid getting tricked by cyber criminals.
Through social engineering, malware-related ads can be found even in the most legitimate and secure websites. For instance, sites as popular as The New York Times, the NFL website and BBC have all been hit with malicious ad campaigns. On the other hand, fake download sites often resemble the original ones. It is therefore easy to get fooled.
The main way to evade this kind of malware is to avoid clicking on any pop-up notification that prompts you to download something—however critical or essential the update might seem. More importantly, it’s important to use an anti-virus program and update your browser, then set it to detect insecure traffic.