Porn Site Becomes Hub for KovCoreG Group Malvertising Campaigns

ID THREATPOST:98708F4ACD59D99EC0B2B9D7046525C1
Type threatpost
Reporter Tom Spring
Modified 2017-10-10T13:53:18


Pornhub, a top-20 ranked U.S. website according to Alexa, was serving up large-scale malvertising attacks exposing millions of visitors to click-fraud.

Behind the attacks is the KovCoreG Group, best known for distributing Kovter click-fraud malware. The campaigns, spotted by researchers at Proofpoint, also affected a number of other major websites that used the TrafficJunky advertising network, which the adversaries abused to deliver the malicious ads. The ad network works primarily with adult-themed websites, based on a review of its marketing material.

“This attack chain exposed millions of potential victims in the U.S., Canada, the U.K., and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers,” wrote Proofpoint in a blog post explaining KovCoreG’s recent activity and its most recent campaigns targeting Pornhub.

Pornhub and TrafficJunky did not respond to inquiries for this story.

Researchers said the attacks have been ongoing for the past year, but these recent campaigns are notable given the popularity of the site impacted. Pornhub receives on average 8.7 million unique visitors a day.

“We do not have data on the precise length of time that Pornhub and TrafficJunky were compromised but, as noted, we know that the KovCoreG Group has been using this type of attack on multiple sites for over a year,” said Kevin Epstein, VP of threat operations at Proofpoint, in an interview with Threatpost. “It is likely that Pornhub in particular was being abused for some time, although both Pornhub and TrafficJunky moved very quickly to address the issue as soon as we informed them of the problem.”

The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network. Once the adversary qualifies a victim by browser and geographic region, a malicious ad “delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds,” researchers said.

Researchers cautioned that there are no known links between those behind the Neutrino exploit kit and KovCoreG, other than some shared code that may have come from a common coder.

“Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce,” researchers said. To improve infection rates, criminals have turned to advanced filtering techniques and social engineering rather than exploits.

Chrome users who land on the malvertising campaign via Pornhub are shown a fake browser update message, “Critical Chrome update.” If the target clicks on the “Download Now” link, a zipped runme.js file is dropped onto the target’s PC.

“The runme.js file is associated with the fake Chrome update and beacons back to the same server hosting the social engineering scheme. This adds an extra layer of protection against replay or study,” researchers said.

Firefox users are presented with a similar “Critical Firefox update” webpage with a download dialog box asking “would you like to save this file”; accepting it drops a firefox-patch.js file. Microsoft Edge and Internet Explorer users receive fake Adobe Flash Player update messages such as “your flash player may be out of date” that drop a FlashPlayer.hta file after a click.

“This campaign uses clever social engineering to trick users into installing fake updates that appear as soon as they visited a page containing a malicious ad,” Proofpoint researchers said. “Once users clicked on what they thought was an update file, they may not have even noticed a change in their systems as the malware opened an invisible web browser process, clicked on ads, and generated potential revenue for cybercriminals.”

Researchers said the JavaScript targeting browsers downloads “flv” and “mp4” files. “The flv file contains ‘[704][rc4 key]’. The mp4 file is an intermediate payload, encrypted with the rc4 key from the flv file and then hex-encoded. ‘704’ here is likely the internal campaign ID,” said researchers.

The intermediate payload is itself more JavaScript, Proofpoint said. It includes an encoded PowerShell script that embeds shellcode, which downloads and launches an “avi” file that is actually the Kovter payload.
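The two-stage “flv”/“mp4” layout described above is the kind of thing an analyst has to unpack when triaging a capture from this campaign. The following is an added example, not Proofpoint’s tooling or anything from the campaign: it assumes the stage-one file is literally `[campaign_id][key]` with square-bracket delimiters (the article quotes the layout but not raw bytes), and the sample pair it decodes is constructed here with a made-up key and a harmless placeholder string.

```python
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). The keystream is XORed in, so one function
    both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def parse_flv(flv_text: str) -> tuple[str, bytes]:
    """Stage one: pull the campaign ID and RC4 key out of '[704][rc4 key]'.
    Assumption: literal square brackets delimit the two fields."""
    m = re.fullmatch(r"\[(\d+)\]\[([^\]]+)\]", flv_text.strip())
    if not m:
        raise ValueError("stage-one file does not match the [id][key] layout")
    return m.group(1), m.group(2).encode()

def decode_mp4(mp4_hex: str, key: bytes) -> str:
    """Stage two: the 'mp4' is hex text, not media. Undo the hex encoding,
    then RC4-decrypt with the stage-one key to recover the intermediate JavaScript."""
    raw = bytes.fromhex(mp4_hex.strip())  # raises ValueError if it is not hex
    return rc4(key, raw).decode("utf-8", errors="replace")

def recover(flv_text: str, mp4_hex: str) -> tuple[str, str]:
    """Chain both stages: returns (campaign_id, decrypted_intermediate_payload)."""
    campaign_id, key = parse_flv(flv_text)
    return campaign_id, decode_mp4(mp4_hex, key)

def build_sample(campaign_id: str, key: bytes, payload: str) -> tuple[str, str]:
    """Constructed test pair mirroring the described layout; not captured traffic."""
    flv = f"[{campaign_id}][{key.decode()}]"
    mp4 = rc4(key, payload.encode()).hex()
    return flv, mp4

if __name__ == "__main__":
    flv, mp4 = build_sample("704", b"examplekey", "var stage2 = 'placeholder';")
    print(recover(flv, mp4))  # → ('704', "var stage2 = 'placeholder';")
```

A real sample would be flagged for analysis by the mismatch alone: a file served with a media extension whose body is pure hex text has no FLV or MP4 header.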

“While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale,” researchers noted.