
Millions of PornHub Users Hijacked by Ad Fraud Malware Infections

A malvertising group tracked as "KovCoreG" has been distributing the Kovter ad fraud malware to millions of PornHub users, putting them at high risk by tricking them into installing fake browser updates.

Malvertising (malicious advertising) is the use of online advertising to spread malware: malicious or malware-laden advertisements are injected into legitimate online advertising networks and web pages.

It is one of the more profitable activities for malware authors. Machines that are still vulnerable to exploit kits are increasingly scarce, so campaigns rely on social engineering instead, and they add advanced functions to evade detection by anti-malware software.

According to Proofpoint, this attack chain exposed millions of potential PornHub victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers.


How the Infection Chain Targets PornHub Users

Initially, the Kovter malvertising reached PornHub users by abusing the Traffic Junky advertising network: affected users were shown a fake browser update window.

The infection chain works in all three major browsers, and the malicious ads are designed to lure users into clicking them.

The chain's initial point of infection is a redirect of the victim to avertizingms[.]com, a domain that sits behind the major content delivery network KeyCDN.

At the end of the chain, the installed Kovter malware calls back to its command and control (C&C) infrastructure.

According to Proofpoint researchers, the fake ad impressions are restricted by both geographical and ISP filtering. For users who pass these filters, the chain delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds.

The Kovter chain also contains advanced filtering and fingerprinting components: it checks the timezone, screen dimensions, language (user/browser) and history length of the current browser window, and it creates a unique ID. A practical consequence of this gating is that a sandbox or an analyst replaying the chain from an unexpected geography or ISP, or with a fingerprint that does not match the campaign's target profile, may never be served the fake update page or the payload at all.

A different fake update screen is shown depending on the victim's browser. Once the user clicks the update and runs the downloaded file, a firefox-patch.js file is dropped; the same file name is used regardless of the browser.

The JavaScript then downloads the “flv” and the “mp4” files. The flv file contains “[704][rc4 key]”. The mp4 file is an intermediate payload, encrypted with the rc4 key from the flv file and then hex-encoded. “704” here is likely the internal campaign ID.

The decoded JavaScript payload includes an encoded PowerShell script that embeds shellcode; the shellcode launches an "avi" file, which is actually the Kovter payload.
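The staging described above (an "flv" stager holding "[campaign ID][RC4 key]" and an "mp4" intermediate payload that was RC4-encrypted with that key and then hex-encoded) can be reversed with a short decoder. The following is an added example written for this page, not code from Proofpoint or from the campaign itself. It assumes the "[704][rc4 key]" layout exactly as the article describes it, implements RC4 inline so it runs offline, and fabricates its own flv/mp4 pair (the key, campaign ID and plaintext are constructed placeholders, not captured artifacts) so that the decoder can be exercised end to end:

```python
import binascii
import re
from typing import Tuple

# Layout of the "flv" stager as described in the article: "[704][rc4 key]",
# i.e. a bracketed campaign ID followed by a bracketed RC4 key. The exact
# delimiter handling is an assumption based on that description.
FLV_PATTERN = re.compile(r"^\[(?P<campaign>[^\]]*)\]\[(?P<key>[^\]]*)\]\s*$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_flv(flv_text: str) -> Tuple[str, bytes]:
    """Split the stager into (campaign_id, rc4_key); ValueError if the layout does not match."""
    m = FLV_PATTERN.match(flv_text.strip())
    if not m:
        raise ValueError("flv stager does not match the [campaign][key] layout")
    return m.group("campaign"), m.group("key").encode()


def decode_mp4(mp4_hex: str, key: bytes) -> bytes:
    """Reverse the described encoding: the payload was RC4-encrypted then hex-encoded,
    so we hex-decode first and RC4-decrypt second. Whitespace/newlines are tolerated."""
    raw = binascii.unhexlify("".join(mp4_hex.split()))
    return rc4(key, raw)


def decode_stage(flv_text: str, mp4_hex: str) -> Tuple[str, bytes]:
    """Full step: read campaign ID and key from the flv, recover the intermediate payload from the mp4."""
    campaign, key = parse_flv(flv_text)
    return campaign, decode_mp4(mp4_hex, key)


def build_constructed_sample() -> Tuple[str, str, bytes]:
    """Constructed, not captured: fabricate an flv/mp4 pair with the same layout
    so the decoder can be tested offline without any real campaign artifacts."""
    campaign = "704"
    key = b"example-rc4-key"  # placeholder key, not the campaign's real key
    plaintext = b"// constructed stand-in for the intermediate JavaScript stage\nvar stage = 2;\n"
    flv_text = "[%s][%s]" % (campaign, key.decode())
    mp4_hex = binascii.hexlify(rc4(key, plaintext)).decode()
    return flv_text, mp4_hex, plaintext


if __name__ == "__main__":
    flv, mp4, expected = build_constructed_sample()
    campaign_id, decoded = decode_stage(flv, mp4)
    print("campaign:", campaign_id)
    print("decoded stage matches constructed plaintext:", decoded == expected)
    print(decoded.decode())
```

On a real sample, feed the captured flv text and the hex body of the mp4 response to decode_stage and inspect the returned bytes for the encoded PowerShell stage; the order of operations (hex-decode, then RC4) is the only part that must not be swapped, since RC4 over the ASCII hex text would produce garbage.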

This malvertising campaign could have infected millions of PornHub visitors, and it sits atop an affiliate model that distributes Kovter more widely.
