This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers. The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.
Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce. To improve infection rates and better evade detection by vendors and researchers, threat actors have turned to advanced filtering techniques and social engineering instead of the widespread use of exploits.
Few groups are able to infiltrate the advertising chain on the most visited websites. We have recently looked at several of these groups including SadClowns, GooNky, VirtualDonna and AdGholas. While we have discussed Kovter in the past, we have not had the opportunity to look in depth at an operation by KovCoreG (aka MaxTDS per FoxIT InTELL). This post looks at a recent KovCoreG campaign and describes what we know of the current state of their very active social engineering scheme [5-11].
The Infection Chain
The infection chain in this campaign appeared on PornHub (Alexa US Rank 21 and world rank 38 as of this writing) and abused the Traffic Junky advertising network. It should be noted that both PornHub and Traffic Junky acted swiftly to remediate this threat upon notification.
We studied three cases of the chain on Windows: Chrome, Firefox, and Microsoft Edge/Internet Explorer (Figure 1). We will detail the Chrome variation, but all three cases operate in a similar fashion.
Figure 1: The three KovCoreG social engineering templates we observed
Figure 2 shows the full KovCoreG infection chain from PornHub through the Kovter callback to its command and control (C&C).
Figure 2: October 1, 2017 – Full KovCoreG infection chain
The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network.
Figure 3: KovCoreG sending decoy call when evading unwanted visitors or systems
Analysis of this first step is ongoing, but it contains several components, including filtering and fingerprinting of the timezone, screen dimensions, language (user/browser), history length of the current browser window, and unique id creation via Mumour.
Figures 4-6 show the fake update screens that appear once a user opens the file downloaded during the infection chain. The files are different depending on the browser in use.
Figure 4: Chrome browser template – KovCoreG fake “Critical Chrome update” drops a zipped runme.js file after a user clicks
Figure 5: Firefox browser template – KovCoreG fake “Critical Firefox update” drops a firefox-patch.js file after a click
Figure 6: Microsoft Edge/Internet Explorer browser template – KovCoreG fake Adobe Flash Player update (“Your flash player may be out of date”) drops a FlashPlayer.hta file after a click
Figure 7: Chrome fake update zipped runme.js; the victim must explicitly open this file since this chain does not rely on exploits
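Because this chain relies on the victim opening a script file rather than on an exploit, the download of a .js or .hta file dressed up as a browser or Flash update is itself a usable detection signal. The following Python is an added example, not code from the original report: it scans constructed proxy log lines for the lure filenames named above and for other script files carrying "update"-style names; the log layout, hostnames and client addresses are assumptions.

```python
import re
from dataclasses import dataclass

# Lure filenames named in the report (compared case-insensitively).
KOVCOREG_LURES = {"runme.js", "firefox-patch.js", "flashplayer.hta"}
# Windows Script Host / HTA extensions that never arrive as a real browser update.
SCRIPT_EXTENSIONS = (".js", ".jse", ".hta", ".vbs", ".wsf")
UPDATE_WORDS = ("update", "patch", "flash")

# Assumed proxy log layout: <ts> <client> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

@dataclass
class Hit:
    client: str
    url: str
    reason: str

def classify_download(url):
    """Return a reason string if the URL looks like a fake-update script lure, else None."""
    name = url.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if name in KOVCOREG_LURES:
        return "known KovCoreG lure filename"
    if name.endswith(SCRIPT_EXTENSIONS) and any(w in name for w in UPDATE_WORDS):
        return "script file posing as a browser/Flash update"
    return None

def scan(lines):
    """Return a Hit for every successfully delivered (HTTP 200) lure download."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        reason = classify_download(m["url"])
        if reason:
            hits.append(Hit(m["client"], m["url"], reason))
    return hits

# Constructed sample log lines (hosts and clients are placeholders, not indicators).
SAMPLE_LOG = [
    '2017-10-01T10:00:01Z 10.0.0.5 GET http://cdn.example/libs/jquery.js 200 "Mozilla/5.0 Chrome/61.0"',
    '2017-10-01T10:00:07Z 10.0.0.5 GET http://lure.example/dl/runme.js?id=1 200 "Mozilla/5.0 Chrome/61.0"',
    '2017-10-01T10:02:13Z 10.0.0.9 GET http://lure.example/dl/firefox-patch.js 200 "Mozilla/5.0 Firefox/56.0"',
    '2017-10-01T10:03:44Z 10.0.0.7 GET http://lure.example/dl/FlashPlayer.hta 200 "Mozilla/5.0 Edge/15.0"',
    '2017-10-01T10:04:00Z 10.0.0.7 GET http://lure.example/dl/ChromeUpdate.js 404 "Mozilla/5.0 Edge/15.0"',
]
```

Run against the sample, `scan(SAMPLE_LOG)` flags the three delivered lures and ignores the ordinary jquery.js fetch and the failed download.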
Kovter is known for, among other things, its unique persistence mechanism. Figures 8-10 show a Registry entry, .bat file shortcut, and the .bat file itself, respectively, that are artifacts of this mechanism, previously described by Microsoft.
Figure 8: Kovter persistence mechanism artifact (Registry Entry)
Figure 9: Kovter persistence mechanism artifact (Shortcut to .bat file)
Figure 10: Kovter persistence mechanism artifact (bat file)
The combination of large malvertising campaigns on very high-ranking websites with sophisticated social engineering schemes that convince users to infect themselves means that potential exposure to malware is quite high, reaching millions of web surfers. Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective. While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale.