Anyone who visited the website of The Huffington Post over the weekend may have been infected with a Kovter trojan, which is used for advertising click fraud.
Anyone who visited the website of The Huffington Post over the weekend may have been infected with a Kovter trojan, which is used for advertising click fraud.

An AOL advertising network was used over the weekend to distribute malware as part of a continuation of an attack observed in early January, according to Cyphort Labs.

As a result, anyone who visited the websites of The Huffington Post and LA Weekly – among other websites – on Saturday or Sunday stands to be infected with a Kovter trojan used for advertising click fraud, Nick Bilogorskiy, director of security research with Cyphort Labs, told SCMagazine.com in a Tuesday email correspondence.

Over the weekend, Cyphort Labs observed a 400 percent increase in the number of discovered daily infections, Bilogorskiy wrote in a Tuesday post.

Explaining the threat, Bilogorskiy wrote that navigating to The Huffington Post website – or another website hosting an advertisement from the AOL ad network, adtech[dot]de – ultimately resulted in the user being redirected to a landing page serving what appeared to be the Sweet Orange Exploit Kit.

Researchers observed two bugs being exploited: CVE-2013-2551, a use-after-free vulnerability in Microsoft Internet Explorer, and CVE-2014-6332, a Windows OLE Automation Array vulnerability in Microsoft Internet Explorer, Bilogorskiy said.

In the end, the exploit kit downloaded a Kovter trojan used for advertising click fraud, Bilogorskiy said. In early January, he explained that the attack requires no user interaction, and that users are infected if they simply navigate to the affected site and their browsers or plugins are vulnerable.

Bilogorskiy said that Kovter – an advanced malware that detects analysis, virtualization and debugging tools – has ad fraud and ransomware variants, and that Cyphort Labs believed it was ransomware that was being delivered when the attack was first observed in early January. Cyphort Labs analyzed that variant of Kovter in an in-depth follow-up post published in the middle of January.

“It is [for] automatically clicking online advertisements, thus generating revenue for the ad-hosting website,” Bilogorskiy said. “The variant used here is very similar [to the one used in early January], but connects to a different command-and-control backend. It also uses a different key for the communication to the command-and-control server.”

Cyphort Labs notified AOL of the issue and researchers have not observed any adtech[dot]de infections since Monday, Bilogorskiy wrote. However, he added that two other advertising network involved in the campaign were still serving malicious advertisements as of Tuesday: adxpansion[dot]com and ad[dot]directrev[dot]com.

Advertising networks get millions of submissions, and it is difficult to filter out every single malicious advertisement, Bilogorskiy said, explaining attackers will use a variety of techniques to hide from analysts and automated malware detection.

“Advertising networks should use continuous monitoring – automated systems for repeated checking for malware ads,” Bilogorskiy said. “They need to scan early and scan often, picking up changes in the advertising chains. Ad networks should have the latest security intelligence to power these monitoring systems.”