Pornhub users hijacked by malvertising

Millions of users could be at risk from a large-scale malvertising attack by the so-called KovCoreG group.

According to researchers at Proofpoint, criminals are using slight variations on a fake browser update scheme that worked on all three major Windows web browsers. The attack deceives users into installing the Kovter malware and targets US, UK, Canadian, and Australian users.

Hackers used malvertising on adult video website Pornhub and abused the Traffic Junky advertising network to redirect users to a malicious website. Chrome and Firefox users were shown a fake browser update window, while IE and Edge users got a fake Flash update one.

“It should be noted that both PornHub and Traffic Junky acted swiftly to remediate this threat upon notification,” said researchers in a blog post.

Researchers said that the fake ad impressions are restricted by both geographical and ISP filtering. For users that pass these filters, the chain delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds.

The hackers used a number of filters and fingerprinting of the timezone, screen dimensions, language (user/browser), history length of the current browser window, and unique id creation via Mumour, to target users and evade analysis.

Researchers said that the runme.js file associated with the fake Chrome update beacons back to the same server hosting the social engineering scheme. They added that this provides an extra layer of protection against replay or study.

According to investigations, analysts will not be able to reach the next step in the chain if their IP has not “checked in” first to the malvertising host. “This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment. This is most likely why this component of the chain has not been documented previously.”

The JavaScript then downloads other files, with an mp4 file being an intermediate payload of more JavaScript, including an encoded PowerShell script that embeds shellcode.
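The gating and staging described above have a defensive corollary: a sandbox that fetches runme.js in isolation sees nothing, but a web proxy log records the whole per-client sequence. The script below is an added example (not Proofpoint's or SC Media's code) that groups a constructed squid-style log by client IP and flags clients whose successful requests reproduce the check-in, then runme.js, then .mp4, then .avi order within a time window. The hostnames, the log lines and the window size are assumptions; the article names no hosts.

```python
"""Correlate proxy log lines into the staged fake-update delivery chain.

Added example, not code from the article or from Proofpoint.  Hostnames, log
lines and the 300-second window are constructed here for illustration.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

GATE_HOST = "gate.malvertising-host.invalid"  # placeholder; the article names no host

# Constructed log: one client completes the chain, one sandbox-like client is
# refused at the script stage, one client merely watches an unrelated mp4.
LOG = """\
2017-10-09T10:00:01 10.0.0.5 GET http://gate.malvertising-host.invalid/ 200
2017-10-09T10:00:03 10.0.0.5 GET http://gate.malvertising-host.invalid/runme.js 200
2017-10-09T10:00:07 10.0.0.5 GET http://cdn.example.invalid/clip.mp4 200
2017-10-09T10:00:09 10.0.0.5 GET http://cdn.example.invalid/movie.avi 200
2017-10-09T10:05:00 10.0.0.9 GET http://gate.malvertising-host.invalid/runme.js 403
2017-10-09T10:05:02 10.0.0.9 GET http://cdn.example.invalid/clip.mp4 404
2017-10-09T10:07:00 10.0.0.12 GET http://video.example.invalid/trailer.mp4 200
"""


def parse(line: str) -> Tuple[datetime, str, str, int]:
    """Split '<iso-timestamp> <client-ip> <method> <url> <status>'."""
    ts, ip, _method, url, status = line.split()
    return datetime.fromisoformat(ts), ip, url, int(status)


def stage_of(url: str) -> Optional[int]:
    """Map a URL onto the chain stage it represents, or None if unrelated."""
    host, _, rest = url.partition("://")[2].partition("/")
    path = "/" + rest
    if host == GATE_HOST and path == "/":
        return 0  # the "check-in" with the malvertising host
    if host == GATE_HOST and path.endswith("runme.js"):
        return 1  # fake-update script that beacons back to the same server
    if path.endswith(".mp4"):
        return 2  # intermediate payload (more JavaScript / PowerShell)
    if path.endswith(".avi"):
        return 3  # RC4-encoded final payload
    return None


def find_chains(log_text: str, window_seconds: int = 300) -> Dict[str, List[str]]:
    """Return {client_ip: [urls]} for clients that completed all four stages in order."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, url, status = parse(line)
        if status == 200:  # only fetches that actually delivered content count
            by_ip[ip].append((ts, url))

    hits: Dict[str, List[str]] = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        expected, chain, start = 0, [], None
        for ts, url in reqs:
            if stage_of(url) != expected:
                continue
            if expected == 0:
                start = ts
            elif (ts - start).total_seconds() > window_seconds:
                break  # stages too far apart to be one delivery
            chain.append(url)
            expected += 1
        if expected == 4:
            hits[ip] = chain
    return hits


if __name__ == "__main__":
    for ip, urls in find_chains(LOG).items():
        print(ip, "->", " | ".join(urls))
```

The status filter matters: the refused client (10.0.0.9) never received runme.js or the mp4, so its attempts are dropped rather than counted as a partial chain, which mirrors the article's point that a client which has not checked in does not get the next stage.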

“This shellcode downloads and launches an "avi" file which is actually the Kovter payload, RC4-encoded with, in that particular pass, the key "hxXRKLVPuRrkRwuaPa" stored in the shellcode,” said researchers.
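For an analyst who has captured that "avi" file, the decoding step is plain RC4 with the key quoted above. The script below is an added example, not Proofpoint's or the article's code: it implements RC4 (key scheduling plus keystream generation), uses the key string from the article, and checks the decoded bytes for a DOS/PE header before treating them as an executable. Because no real sample is on the page, the ciphertext is constructed in the script by encrypting a stand-in fake PE header, so it runs offline.

```python
"""RC4 decode of the staged payload, with a PE-header sanity check.

Added example, not code from the article or from Proofpoint.  The key below is
the one quoted in the article; SAMPLE_AVI is constructed here from a fake PE
header so the script can run without real malware.
"""
from typing import Optional

KOVTER_RC4_KEY = b"hxXRKLVPuRrkRwuaPa"  # key string as quoted in the article


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed with the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Minimal check: 'MZ' DOS stub and an e_lfanew that points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(ciphertext: bytes, key: bytes = KOVTER_RC4_KEY) -> Optional[bytes]:
    """Return the decoded bytes only if they look like a PE; otherwise None."""
    plain = rc4(key, ciphertext)
    return plain if looks_like_pe(plain) else None


def _fake_pe() -> bytes:
    """Constructed stand-in: an MZ stub whose e_lfanew points at a PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed ciphertext standing in for a captured "avi" file.
SAMPLE_AVI = rc4(KOVTER_RC4_KEY, _fake_pe())

if __name__ == "__main__":
    result = decode_payload(SAMPLE_AVI)
    print("decoded to a PE image" if result else "not a PE after RC4 with this key")
```

The header check is the useful part in practice: RC4 with a wrong key still returns bytes of the same length, so a decoder that does not validate its output will happily hand garbage to the next analysis step.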

“Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective. While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale,” the researchers added.

Dr Malcolm Murphy, chief of staff, EMEA, Infoblox, told SC Media UK that threat actors typically have a lot of tools and techniques at their disposal, and social engineering or otherwise misdirecting a user to compromise themselves can be a very effective tactic.

“This is why it's important to have the right network level protections, including DNS security, in place. That way, even if a user requests to go to a “bad” or otherwise compromised destination, the network can prevent them from doing themselves harm,” he said.

Javvad Malik, security advocate at AlienVault, told SC Media that by and large, the biggest challenge is that there are generally insufficient controls to place an advert with an ad network. “This makes it a far more enticing avenue than, for example, getting a malicious app approved by an official app store,” he said.

“Although bad ads can be served up from reputable sites, it is less frequent, so practicing safe browsing and sticking to reputable sites remains a good idea. Similarly, hardening your endpoints and ensuring they have the latest patches will afford some protection.”