Kovter Group malvertising campaign exposes millions to potential ad fraud malware infections

Posted October 8, 2017

Overview

Proofpoint researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely. This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers. The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.

Background

Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce. To improve infection rates and better evade detection by vendors and researchers, threat actors have turned to advanced filtering techniques and social engineering instead of the widespread use of exploits.

You can read their analysis in detail here: https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campaign-exposes-millions-potential-ad-fraud-malware

The combination of large malvertising campaigns on very high-ranking websites with sophisticated social engineering schemes that convince users to infect themselves means that potential exposure to malware is quite high, reaching millions of web surfers. Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective. While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale.

If you just want the Indicators of Compromise:

IOC	IOC Type	Description
www.advertizingms[.com\|204.155.152.173	domain\|IP	Suspicious Epom server 2017-10-01
*-6949.kxcdn.com	domains	Subdomain from a rogue KeyCDN customer 2017-10-01
phohww11888[.org\|192.129.215.155	domain\|IP	KovCoreG soceng host 2017-10-01
cipaewallsandfloors[.net\|192.129.162.107	domain\|IP	KovCoreG soceng host 2017-10-01
b8ad6ce352f502e6c9d2b47db7d2e72eb3c04747cef552b17bb2e5056d6778b9	sha256	T016d6n7t96x2hc43r5f3u6gs61d.zip (zipped runme.js) 2017-10-01
4ebc6eb334656403853b51ac42fb932a8ee14c96d3db72bca3ab92fe39657db3	sha256	FlashPlayer.hta 2017-10-01
a9efd709d60e5c3f0b2d51202d7621e35ba983e24aedc9fba54fb7b9aae14f35	sha256	Firefox-patch.js 2017-10-01
0e4763d4f9687cb88f198af8cfce4bfb7148b5b7ca6dc02061b0baff253eea12	sha256	Kovter 2017-10-01
f449dbfba228ad4b70c636b8c46e0bff1db9139d0ec92337883f89fbdaff225e	sha256	Kovter 2017-10-01