New KOVTER Campaign Spreads via Malicious Advertisements in Pornhub

A new variant of KOVTER (detected by Trend Micro as TROJ_KOVTER.AUSKKM and TROJ_KOVTER.AUSKKL) was seen being spread through a new malvertising campaign perpetrated by a malvertising group called KovCoreG.

The new variant was apparently spread via the adult pornography website Pornhub, presenting visitors with a malvertising pop-up served through the advertising network Traffic Junky. The pop-up message spoofs an urgent update—a popular tactic that uses fake browser updates or fake Adobe Flash updates to coerce the user into clicking. The “browser update” leads to malicious JavaScript files, while the “Flash update” leads to malicious HTML Application (HTA) files. These files would then install KOVTER on the user’s system. KOVTER’s campaign ultimately results in typical click fraud activity, using pay-per-click online advertising to generate money via fake traffic and clicks.
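The infection chain described above ends with a downloaded JS or HTA file being run by a Windows script host. The following is an added example, not code from the original article or from Trend Micro, showing one way a defender could flag that step in process-creation telemetry; the event records and file names are constructed for illustration.

```python
import re

# Constructed sample process-creation events (not real telemetry); each tuple is
# (parent image, image, command line), loosely modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Windows\\System32\\mshta.exe",
     'mshta.exe "C:\\Users\\alice\\Downloads\\FlashPlayer_Update.hta"'),
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Windows\\System32\\wscript.exe",
     'wscript.exe "C:\\Users\\bob\\Downloads\\browser_update.js"'),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
     'notepad.exe C:\\Users\\bob\\notes.txt'),
    # An administrative script launched by a service, not from a Downloads folder: should stay quiet.
    ("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\wscript.exe",
     'wscript.exe C:\\ProgramData\\Vendor\\inventory.js'),
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}
UPDATE_LURE = re.compile(r"(flash|browser|update)", re.IGNORECASE)
DOWNLOADS_DIR = re.compile(r"\\Downloads\\", re.IGNORECASE)
SCRIPT_FILE = re.compile(r"\.(hta|js|jse)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(parent, image, cmdline):
    """Return a semicolon-joined list of alert reasons, or None if the event looks benign."""
    if basename(image) not in SCRIPT_HOSTS:
        return None
    reasons = []
    if basename(parent) in BROWSERS:
        reasons.append("script host spawned directly by a browser")
    if DOWNLOADS_DIR.search(cmdline) and SCRIPT_FILE.search(cmdline):
        reasons.append("HTA/JS file executed from a Downloads folder")
        if UPDATE_LURE.search(cmdline):
            reasons.append("file name mimics a browser/Flash update lure")
    return "; ".join(reasons) or None


def scan(events):
    """Run classify() over a list of events and return (command line, reasons) for each hit."""
    return [(cmd, why) for parent, image, cmd in events if (why := classify(parent, image, cmd))]


if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_EVENTS):
        print(f"ALERT: {why}\n    {cmd}")
```

The script-host-from-Downloads rule alone would also catch the fourth event's legitimate cousins if they were run from a user folder, so in practice it should be tuned against a baseline of known administrative scripts.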

Earlier reports saw the campaign spreading across Yahoo! websites under similar circumstances, right down to the use of fake browser and Flash updates as hooks for users to download malicious files. Both Pornhub and Traffic Junky have already taken down the KOVTER-related advertisements.

KovCoreG specifically targeted users in the US, the UK and Australia via both ISP-based and geographical filters, where potential victims number in the millions. In addition, a second check was built in to evade analysis: it verifies that the user’s IP address also passes the ISP and geographical filters, and if the check fails, the downloaded JS and HTA files will not execute.

KOVTER has seen many changes, starting off as police ransomware before eventually evolving into click fraud malware. Recent campaigns also saw KOVTER being distributed as fileless malware, which made it more difficult to detect and analyze. Back in August, another KOVTER campaign saw it spread via spam emails. This new campaign sees it turning to malvertising on popular websites to spread—more proof that this trojan will likely see further evolutions as the actors behind it constantly find new methods and avenues to spread it.

Users can protect themselves from malvertising attacks by avoiding suspicious links or pop-ups that appear on their browsers. In this specific campaign, it is highly improbable that a browser or Flash update will be advertised on a pornography website. Even in less-obvious scenarios, users should generally avoid clicking on any links unless they are certain that the link leads to a legitimate or trusted website. In fact, users should regularly update their software via official channels without the need for a special “prompt” or advertisement.

Adblocker plug-ins can also prevent unwanted advertisements from being displayed on user systems. However, they might also block legitimate revenue-generating ads, so proper configuration of these types of plug-ins is needed.

For defending against malvertising campaigns in general, users can employ security solutions that help prevent these kinds of attacks, such as Trend Micro™ Maximum Security, which protects consumers via a multi-layered defense that delivers highly effective and efficient protection against ever-evolving threats. Trend Micro™ Smart Protection Suites also protect businesses against these types of threats by providing threat protection techniques designed to eliminate security gaps across multiple users and end-points.

Original story at Trend Micro