Editor's Note: For more information on KovCoreG and Kovter, please see our actor profile here.
Overview
Proofpoint researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely. This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers. The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.
Background
Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce. To improve infection rates and better evade detection by vendors and researchers, threat actors have turned to advanced filtering techniques and social engineering instead of the widespread use of exploits.
Few groups are able to infiltrate the advertising chain on the most visited websites. We have recently looked at several of these groups including SadClowns [1], GooNky [2], VirtualDonna [3] and AdGholas [4]. While we have discussed Kovter in the past [14], we have not had the opportunity to look in depth at an operation by KovCoreG (aka MaxTDS per FoxIT InTELL). This post looks at a recent KovCoreG campaign and describes what we know of the current state of their very active social engineering scheme [5-11].
The Infection Chain
The infection chain in this campaign appeared on PornHub (Alexa US Rank 21 and world rank 38 as of this writing) and abused the Traffic Junky advertising network. It should be noted that both PornHub and Traffic Junky acted swiftly to remediate this threat upon notification.
We studied three cases of the chain on Windows: Chrome, Firefox, and Microsoft Edge/Internet Explorer (Figure 1). We will detail the Chrome variation but all three cases operate in a similar fashion.
Figure 1: The three KovCoreG social engineering templates we observed
Figure 2 shows the full KovCoreG infection chain from PornHub through the Kovter callback to its command and control (C&C).
Figure 2: October 1, 2017 - Full KovCoreG infection chain
The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network.
It appears that malvertising impressions are restricted by both geographical and ISP filtering. For users that pass these filters, the chain delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds [15]. Note, however, that we do not believe there is a strong connection between the two groups other than code sharing or a common coder with a new customer/partner.
Figure 3: KovCoreG sending decoy call when evading unwanted visitors or systems
Analysis of this first step is ongoing, but it contains several components including filtering and fingerprinting of the timezone, screen dimension, language (user/browser) history length of the current browser windows, and unique id creation via Mumour [12].
Figures 4-6 show the fake update screens that appear during the infection chain, inviting the user to open the downloaded file. The files are different depending on the browser in use.
Figure 4: Chrome browser template - KovCoreG fake “Critical Chrome update” drops a zipped runme.js file after a user clicks
Figure 5: Firefox browser template - KovCoreG fake “Critical Firefox update” drops a firefox-patch.js file after a click
Figure 6: Microsoft Edge/Internet Explorer browser template - KovCoreG fake Adobe Flash Player update (“Your flash player may be out of date”) drops a FlashPlayer.hta file after a click
Figure 7: Chrome fake update zipped runme.js; the victim must explicitly open this file since this chain does not rely on exploits
The runme.js file associated with the fake Chrome update beacons back to the same server hosting the social engineering scheme. This adds an extra layer of protection against replay or study. Analysts will not be able to reach the next step in the chain if their IP has not “checked in” first to the malvertising host. This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment. This is most likely why this component of the chain has not been documented previously.
The JavaScript then downloads the "flv" and the "mp4" files. The "flv" file consists of the digits "704" followed by an rc4 key. The "mp4" file is an intermediate payload, encrypted with the rc4 key from the "flv" file and then hex-encoded. “704” here is likely the internal campaign ID.
The intermediate payload is itself more JavaScript, in this case including an encoded Powershell script that embeds shellcode.This shellcode downloads and launches an "avi" file which is actually the Kovter payload, RC4-encoded with, in that particular pass, the key "hxXRKLVPuRrkRwuaPa" stored in the shellcode.
Kovter is known for, among other things, its unique persistence mechanism. Figures 8-10 show a Registry entry, .bat file shortcut, and the .bat file itself, respectively, that are artifacts of this mechanism, previously described by Microsoft [13].
Figure 8: Kovter persistence mechanism artifact (Registry Entry)
Figure 9: Kovter persistence mechanism artifact (Shortcut to .bat file)
Figure 10: Kovter persistence mechanism artifact (bat file)
Conclusion
The combination of large malvertising campaigns on very high-ranking websites with sophisticated social engineering schemes that convince users to infect themselves means that potential exposure to malware is quite high, reaching millions of web surfers. Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective. While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale.
Acknowledgements:
We would like to thank
- @Malc0de for his help in this study.
- Pornhub,KeyCDN, and Traffic Junky for their swift action upon notification.
References
[2] https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows
[3] http://malware.dontneedcoffee.com/2015/10/a-doubleclick-https-open-redirect-used.html
[5] https://support.mozilla.org/en-US/kb/i-found-fake-firefox-update
[6] https://twitter.com/compvla/status/810923447601790976
[7] https://productforums.google.com/forum/#!topic/chrome/mLKWHEAGBSo
[8] https://www.bleepingcomputer.com/news/security/skype-malvertising-campaign-pushes-fake-flash-player/
[9] https://twitter.com/JAMESWT_MHT/status/867678039798403072
[10] https://bartblaze.blogspot.co.uk/2017/09/malicious-adclick-networks-common-or.html
[11] http://executemalware.com/?p=432
[12] https://andywalpole.me/blog/140739/using-javascript-create-guid-from-users-browser-information
[14] https://www.proofpoint.com/us/threat-insight/post/spike-kovter-ad-fraud-malware-clever-macro-trick
Indicators of Compromise (IOCs)
|
IOC |
IOC Type |
Description |
|
www.advertizingms[.com|204.155.152.173 |
domain|IP |
Suspicious Epom server 2017-10-01 |
|
*-6949.kxcdn.com |
domains |
Subdomain from a rogue KeyCDN customer 2017-10-01 |
|
phohww11888[.org|192.129.215.155 |
domain|IP |
KovCoreG soceng host 2017-10-01 |
|
cipaewallsandfloors[.net|192.129.162.107 |
domain|IP |
KovCoreG soceng host 2017-10-01 |
|
b8ad6ce352f502e6c9d2b47db7d2e72eb3c04747cef552b17bb2e5056d6778b9 |
sha256 |
T016d6n7t96x2hc43r5f3u6gs61d.zip (zipped runme.js) 2017-10-01
|
|
4ebc6eb334656403853b51ac42fb932a8ee14c96d3db72bca3ab92fe39657db3 |
sha256 |
FlashPlayer.hta 2017-10-01 |
|
a9efd709d60e5c3f0b2d51202d7621e35ba983e24aedc9fba54fb7b9aae14f35 |
sha256 |
Firefox-patch.js 2017-10-01
|
|
0e4763d4f9687cb88f198af8cfce4bfb7148b5b7ca6dc02061b0baff253eea12 |
sha256 |
Kovter 2017-10-01
|
|
f449dbfba228ad4b70c636b8c46e0bff1db9139d0ec92337883f89fbdaff225e |
sha256 |
Kovter 2017-10-01 |
ET and ETPRO Suricata/Snort Signatures
2823606 || ETPRO CURRENT_EVENTS Possible Evil Redirect Leading to EK Dec 04 2016
2022636 || ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)
2018358 || ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2810582 || ETPRO TROJAN WIN32/KOVTER.B Checkin 2
Appendix A:
Example of Kovter config :
cp1: 198.106.131.66:80,128.227.37.159:53635,145.88.81.116:80,19.240.49.245:80,53.92.175.216:80,162.162.89.123:80,32.229.45.97:443,4.225.180.41:8080,238.186.215.63:80,38.82.31.87:80,112.140.163.32:80,45.193.7.134:80,175.165.34.220:80,241.224.231.165:80,104.147.195.64:80,240.101.37.16:8080,108.127.72.16:443,171.61.97.177:443,157.97.103.190:443,110.176.29.85:80,38.189.233.232:80,217.98.225.232:49411,77.104.102.93:80,18.153.103.194:80,4.36.195.194:80,49.115.126.134:80,163.67.178.140:443,111.102.161.80:80,191.157.182.37:80,54.147.36.248:49420,29.178.233.125:26103,93.250.105.38:8080,172.216.42.235:443,143.140.150.221:80,52.147.112.46:80,165.192.115.158:80,154.186.98.132:443,69.224.50.174:80,207.90.221.249:80,37.137.209.187:80,29.238.249.141:80,74.51.220.188:80,140.87.139.238:8080,194.52.186.243:8080,192.195.60.158:8080,129.194.69.83:443,171.111.108.165:80,239.46.99.172:41118,3.137.221.221:57410,18.151.63.243:80,2.47.245.189:80,184.3.3.54:443,113.162.84.109:443,67.155.140.238:80,124.241.35.89:80,109.107.102.171:8080,189.173.140.179:80,60.108.109.62:80,28.175.68.111:443,109.177.183.248:80,80.116.145.114:443,95.223.57.196:8080,150.130.56.35:80,162.94.161.16:80,68.43.75.135:443,103.243.74.30:80,110.97.122.223:56537,217.190.103.158:80,252.32.129.31:80,36.125.246.51:80,59.93.100.193:80,181.65.232.162:51668,86.4.165.53:80,126.243.153.28:80,150.60.190.180:80,225.50.135.20:80,194.113.174.132:80,121.57.168.97:80,210.183.222.119:8080,245.224.169.18:22549,63.77.218.243:80,188.37.101.207:8080,40.65.30.171:80,151.227.80.248:443,35.175.158.154:443,174.143.123.87:443,152.150.237.115:443,203.47.174.49:80,88.63.60.3:24597,230.55.202.166:52832,122.68.242.21:80,144.73.35.41:40286,17.156.104.220:8080,22.14.201.51:443,9.110.104.239:80,79.38.11.244:80,132.57.113.153:80,243.42.115.22:80,82.39.237.185:80,184.206.16.130:80,117.138.112.220:80,176.44.160.187:80,31.64.88.144:80,89.110.147.2:43937,190.114.255.205:26337,185.120.14.76:443,142.58.189.80:8080,193.146.45.23:33617,98.102.72.235:443,85.25.147.17:443,83.244.194.235:80,23.238.20.223:25153,148.243.122.57:443,190.95.194.164:443,130.131.2.244:8080,84.70.191.66:80,250.206.210.124:50346,71.7.64.36:8080,239.79.33.171:80,64.234.199.207:80,74.83.197.63:443,133.172.91.132:23896,85.82.64.209:80,135.216.97.170:80,81.248.122.251:80,185.230.47.137:80,121.219.110.183:443,135.60.116.225:443,225.55.17.34:443,50.168.224.146:80,58.227.76.179:80,179.108.196.226:8080,91.208.219.18:37136,98.77.12.68:80,237.123.29.16:80,79.183.99.225:80,156.196.85.80:80,9.187.104.234:443,213.70.128.176:443,25.19.163.36:80,175.18.209.204:80,84.27.216.183:80,84.192.55.163:55289,64.95.202.42:80,159.111.143.80:80,167.99.106.203:443,26.220.139.229:443,1.213.151.251:54905,234.187.238.142:443,46.236.232.87:80,198.139.215.141:41121,58.246.254.243:80,218.127.244.216:80,245.173.244.240:80,
cp1cptm: 30
cptmkey: e086aa137fa19f67d27b39d0eca18610
keypass: 65537:19522997575054907426554839772202893949064667436330012851486601573672578014023529616671665555927323094351879155591436487128820172552469735659517542751735426712295686609130477424093114196023150427769866831977132493325789625582690673761599383991535000872703053188107144540678963887449541977716556272360743912300213554790082676478081366256001689695367664109647204683040472995564506452532881927504362622488073259160546226002887661491089819185150097820082274803050015187526359970203832566435923214708589228221527050531432943671054442357162433286543257082235512170086631319042116775032280820629831168914542642499106397564761
passdebug: 0
debugelg: 1
elgdl_sl: 0
dl_slb_dll: 0
b_dllnonul: http://109.120.179.92/upload2.php
nonuldnet32: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
dnet32dnet64: http://download.microsoft.com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64.exe
dnet64pshellxp: http://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
pshellxppshellvistax32: http://download.microsoft.com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6.0-KB968930-x86.msu
pshellvistax32pshellvistax64: http://download.microsoft.com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6.0-KB968930-x64.msu
pshellvistax64pshell2k3x32: http://download.microsoft.com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG.exe
pshell2k3x32pshell2k3x64: http://download.microsoft.com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG.exe
pshell2k3x64cl_fv: 0
cl_fvfl_fu: https://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_24_active_x.exe
fl_fumainanti: DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:1:DD17Dal:http://109.120.179.92/upload.php:al