We have already encountered the Kovter ad-fraud infection in February of 2017, when we discussed it as a companion of Locky. At that time, both malware infections were being distributed together in the same email message.
Now, in October of 2017, Kovter has become relevant again. The PornHub website has been found to be involved in a malicious advertising campaign. Of course, the site's operators had no knowledge of the malicious ads. It appears that ads on this adult-oriented website have been leading to rogue browser updates for quite some time.
The exact message will depend on the browser you are using. If you are using Mozilla Firefox, then a critical update for it will appear. It is important not to agree to install it as it will most definitely end in a successful infiltration of Kovter ad-fraud malware.
However, if you are using Internet Explorer or Edge, you are among the smaller group of people who will receive a different malicious update. These users will be seeing prompts to install an update for Adobe Flash Player. Both of these tactics are typical of malvertising, and we hope that enough people are able to recognize them.
Proofpoint researchers discovered a massive malvertising attack, delivering Kovter malware
A group called KovCoreG is blamed for the distribution of Kovter malware via advertisements placed on the PornHub website. It is mainly focused on compromising the computers of people in Australia, the United Kingdom, Canada and the United States. The scheme of delivering fake browser updates is overused: many fraudulent websites rely on this strategy. However, nobody can say that some people won’t fall for this scam.
Once the fake critical update is installed, the payload contacts the KovCoreG group's command-and-control server. A malicious redirect hosted on Avertizingms.com then takes place, which allows a call to a resource hosted behind KeyCDN. Proofpoint researchers pointed out that malvertising impressions are limited by geo and ISP filtering. Users who pass these filters are served a page consisting of heavily obfuscated JavaScript.
Users of different browsers receive the update as different files. For instance, Chrome users receive a runme.js file, while Firefox users see firefox-patch.js. Browsers that are prompted to download a Flash update receive FlashPlayer.hta.
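The browser-specific fake-update files described above (runme.js, firefox-patch.js, FlashPlayer.hta) are a useful hunting signal on a web proxy. The following detector is an added example written for this article, not code from the original post or from Proofpoint: it scans constructed proxy log lines (the domains, clients and timestamps are invented) and flags downloads of script or HTA files whose names match the filenames reported in the campaign, or that are named like software updates. The log format and field order are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample proxy log lines for the example (not real traffic):
# timestamp client method url status content-type
SAMPLE_LOG = """\
2017-10-09T10:12:01Z 10.0.0.15 GET http://cdn.example-ads.test/static/runme.js 200 application/javascript
2017-10-09T10:12:07Z 10.0.0.22 GET http://cdn.example-ads.test/update/firefox-patch.js 200 application/x-javascript
2017-10-09T10:13:44Z 10.0.0.31 GET http://cdn.example-ads.test/FlashPlayer.hta 200 application/hta
2017-10-09T10:14:02Z 10.0.0.15 GET http://www.example.test/assets/app.js 200 application/javascript
2017-10-09T10:15:19Z 10.0.0.40 GET http://www.example.test/index.html 200 text/html
"""

# Filenames named in the Proofpoint report on this campaign (compared case-insensitively).
CAMPAIGN_FILENAMES = {"runme.js", "firefox-patch.js", "flashplayer.hta"}

# Script/HTA downloads whose names imitate a software update are suspicious even
# when the exact filename changes between campaigns.
UPDATE_WORDS = re.compile(r"(update|patch|flash|player|critical|runme)", re.IGNORECASE)
SCRIPT_EXTENSIONS = (".js", ".hta")


@dataclass
class Hit:
    timestamp: str
    client: str
    url: str
    reason: str


def filename_from_url(url: str) -> str:
    """Return the lower-cased last path component, without any query string."""
    path = url.split("?", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def classify(url: str) -> Optional[str]:
    """Return a reason string if the download looks like a fake-update lure, else None."""
    name = filename_from_url(url)
    if name in CAMPAIGN_FILENAMES:
        return "filename reported in the Kovter malvertising campaign"
    if name.endswith(".hta"):
        # HTML Applications run via mshta.exe with the user's local privileges,
        # so a web-served .hta is rarely legitimate.
        return "HTA download from the web"
    if name.endswith(SCRIPT_EXTENSIONS) and UPDATE_WORDS.search(name):
        return "script named like a software update"
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one assumed-format proxy log line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 6:
        return None
    timestamp, client, method, url, status, content_type = parts
    return {"timestamp": timestamp, "client": client, "method": method,
            "url": url, "status": status, "content_type": content_type}


def scan(log_text: str) -> List[Hit]:
    """Scan a proxy log and return the downloads that match the fake-update heuristics."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or record["status"] != "200":
            continue  # only completed downloads matter here
        reason = classify(record["url"])
        if reason:
            hits.append(Hit(record["timestamp"], record["client"], record["url"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} {hit.url}  <- {hit.reason}")
```

Run against the constructed log, the scanner flags the three lure files and leaves the ordinary app.js and index.html requests alone. In a real deployment the filename list is only a starting point; the HTA and update-like-name heuristics are what keep catching the lure after the campaign renames its files.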
While we do warn our visitors about this threat, we hope that most of our users are able to refuse installations from sources such as this. Fake browser and Flash updates are among the most popular scams. Users who have not realized this should check whether their computer is infected with Kovter or another type of malware.
Source: proofpoint.com.