Scenario: Org2 is a specialist technology company based in the UK. The Org2 IT security operations team responded to an alert from its corporate anti-virus provider that a copy of password stealing malware had been found on three of its domain controllers. This was a serious incident, and an investigation [...]
Overview
Proofpoint researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely. This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers. The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.
Background
Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce. To improve infection rates and better evade detection by vendors and researchers, threat actors have turned to advanced filtering techniques and social engineering instead of the widespread use of exploits.
You can read their analysis in detail here: https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campaign-exposes-millions-potential-ad-fraud-malware
The combination of large malvertising campaigns on very high-ranking websites with sophisticated social engineering schemes that convince users to infect themselves means that potential exposure to malware is quite high, reaching millions of web surfers. Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective. While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale.
If you just want the Indicators of Compromise:
| IOC | IOC Type | Description |
| www.advertizingms[.com|204.155.152.173 | domain|IP | Suspicious Epom server 2017-10-01 |
| *-6949.kxcdn.com | domains | Subdomain from a rogue KeyCDN customer 2017-10-01 |
| phohww11888[.org|192.129.215.155 | domain|IP | KovCoreG soceng host 2017-10-01 |
| cipaewallsandfloors[.net|192.129.162.107 | domain|IP | KovCoreG soceng host 2017-10-01 |
| b8ad6ce352f502e6c9d2b47db7d2e72eb3c04747cef552b17bb2e5056d6778b9 | sha256 | T016d6n7t96x2hc43r5f3u6gs61d.zip (zipped runme.js) 2017-10-01
|
| 4ebc6eb334656403853b51ac42fb932a8ee14c96d3db72bca3ab92fe39657db3 | sha256 | FlashPlayer.hta
2017-10-01 |
| a9efd709d60e5c3f0b2d51202d7621e35ba983e24aedc9fba54fb7b9aae14f35 | sha256 | Firefox-patch.js
2017-10-01
|
| 0e4763d4f9687cb88f198af8cfce4bfb7148b5b7ca6dc02061b0baff253eea12 | sha256 | Kovter 2017-10-01
|
| f449dbfba228ad4b70c636b8c46e0bff1db9139d0ec92337883f89fbdaff225e | sha256 | Kovter 2017-10-01 |
ET and ETPRO Suricata/Snort Signatures
2823606 || ETPRO CURRENT_EVENTS Possible Evil Redirect Leading to EK Dec 04 2016
2022636 || ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)
2018358 || ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2810582 || ETPRO TROJAN WIN32/KOVTER.B Checkin 2
References
https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows
http://malware.dontneedcoffee.com/2015/10/a-doubleclick-https-open-redirect-used.html
https://support.mozilla.org/en-US/kb/i-found-fake-firefox-update
https://twitter.com/compvla/status/810923447601790976
https://twitter.com/cbeatonssp/status/864949702638358529/photo/1
https://www.bleepingcomputer.com/news/security/skype-malvertising-campaign-pushes-fake-flash-player/
https://twitter.com/JAMESWT_MHT/status/867678039798403072
https://bartblaze.blogspot.co.uk/2017/09/malicious-adclick-networks-common-or.html
http://executemalware.com/?p=432
https://andywalpole.me/blog/140739/using-javascript-create-guid-from-users-browser-information
https://www.proofpoint.com/us/threat-insight/post/spike-kovter-ad-fraud-malware-clever-macro-trick
Header image from: Image from https://twitter.com/malekal_morte
When WannaCry came out last month, many were taken by surprise of the exploit of NSA tools for SMB. Especially because a patch was launched by Microsoft for the same ...
This is a live tracker depicting Emotet and Trickbot beaconing as we track it in real time using our sensors around the world.