Kafeine and Proofpoint Staff

Editor's Note: For more information on KovCoreG and Kovter, please see our actor profile here.

Overview

Proofpoint researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely. This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers. The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.

Background

Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce. To improve infection rates and better evade detection by vendors and researchers, threat actors have turned to advanced filtering techniques and social engineering instead of the widespread use of exploits.

Few groups are able to infiltrate the advertising chain on the most visited websites. We have recently looked at several of these groups including SadClowns [1], GooNky [2], VirtualDonna [3] and AdGholas [4]. While we have discussed Kovter in the past [14], we have not had the opportunity to look in depth at an operation by KovCoreG (aka MaxTDS per FoxIT InTELL). This post looks at a recent KovCoreG campaign and describes what we know of the current state of their very active social engineering scheme [5-11].

The Infection Chain

The infection chain in this campaign appeared on PornHub (Alexa US Rank 21 and world rank 38 as of this writing) and abused the Traffic Junky advertising network. It should be noted that both PornHub and Traffic Junky acted swiftly to remediate this threat upon notification.

We studied three cases of the chain on Windows: Chrome, Firefox, and Microsoft Edge/Internet Explorer (Figure 1). We will detail the Chrome variation but all three cases operate in a similar fashion.

Figure 1: The three KovCoreG social engineering templates we observed

Figure 2 shows the full KovCoreG infection chain from PornHub through the Kovter callback to its command and control (C&C).

Figure 2: October 1, 2017 - Full KovCoreG infection chain

The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network.

It appears that malvertising impressions are restricted by both geographical and ISP filtering. For users that pass these filters, the chain delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds [15]. Note, however, that we do not believe there is a strong connection between the two groups other than code sharing or a common coder with a new customer/partner.

Figure 3: KovCoreG sending decoy call when evading unwanted visitors or systems

Analysis of this first step is ongoing, but it contains several components including filtering and fingerprinting of the timezone, screen dimension, language (user/browser) history length of the current browser windows, and unique id creation via Mumour [12].

Figures 4-6 show the fake update screens that appear during the infection chain, inviting the user to open the downloaded file. The files are different depending on the browser in use.

Figure 4: Chrome browser template - KovCoreG fake “Critical Chrome update” drops a zipped runme.js file after a user clicks

Figure 5: Firefox browser template - KovCoreG fake “Critical Firefox update” drops a firefox-patch.js file after a click

Figure 6: Microsoft Edge/Internet Explorer browser template - KovCoreG fake Adobe Flash Player update (“Your flash player may be out of date”) drops a FlashPlayer.hta file after a click

Figure 7: Chrome fake update zipped runme.js; the victim must explicitly open this file since this chain does not rely on exploits

The runme.js file associated with the fake Chrome update beacons back to the same server hosting the social engineering scheme. This adds an extra layer of protection against replay or study. Analysts will not be able to reach the next step in the chain if their IP has not “checked in” first to the malvertising host. This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment. This is most likely why this component of the chain has not been documented previously.

The JavaScript then downloads the "flv" and the "mp4" files. The "flv" file consists of the digits "704" followed by an rc4 key. The "mp4" file is an intermediate payload, encrypted with the rc4 key from the "flv" file and then hex-encoded. “704” here is likely the internal campaign ID.

The intermediate payload is itself more JavaScript, in this case including an encoded Powershell script that embeds shellcode.This shellcode downloads and launches an "avi" file which is actually the Kovter payload, RC4-encoded with, in that particular pass, the key "hxXRKLVPuRrkRwuaPa" stored in the shellcode.

Kovter is known for, among other things, its unique persistence mechanism. Figures 8-10 show a Registry entry, .bat file shortcut, and the .bat file itself, respectively, that are artifacts of this mechanism, previously described by Microsoft [13].

Figure 8: Kovter persistence mechanism artifact (Registry Entry)

Figure 9: Kovter persistence mechanism artifact (Shortcut to .bat file)

Figure 10: Kovter persistence mechanism artifact (bat file)

Conclusion

The combination of large malvertising campaigns on very high-ranking websites with sophisticated social engineering schemes that convince users to infect themselves means that potential exposure to malware is quite high, reaching millions of web surfers. Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective. While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale.

Acknowledgements:

We would like to thank

@Malc0de for his help in this study.

Pornhub,KeyCDN, and Traffic Junky for their swift action upon notification.

References

[1] https://www.proofpoint.com/us/threat-insight/post/video-malvertising-bringing-new-risks-high-profile-sites

[2] https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows

[3] http://malware.dontneedcoffee.com/2015/10/a-doubleclick-https-open-redirect-used.html

[4] https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight

[5] https://support.mozilla.org/en-US/kb/i-found-fake-firefox-update

[6] https://twitter.com/compvla/status/810923447601790976

[7] https://productforums.google.com/forum/#!topic/chrome/mLKWHEAGBSo

[8] https://www.bleepingcomputer.com/news/security/skype-malvertising-campaign-pushes-fake-flash-player/

[9] https://twitter.com/JAMESWT_MHT/status/867678039798403072

[10] https://bartblaze.blogspot.co.uk/2017/09/malicious-adclick-networks-common-or.html

[11] http://executemalware.com/?p=432

[12] https://andywalpole.me/blog/140739/using-javascript-create-guid-from-users-browser-information

[13] https://blogs.technet.microsoft.com/mmpc/2016/07/22/kovter-becomes-almost-file-less-creates-a-new-file-type-and-gets-some-new-certificates/

[14] https://www.proofpoint.com/us/threat-insight/post/spike-kovter-ad-fraud-malware-clever-macro-trick

[15] https://www.proofpoint.com/us/threat-insight/post/microsoft-patches-CVE-2016-3298-second-information-disclosure-zero-day

Indicators of Compromise (IOCs)

IOC IOC Type Description www.advertizingms[.com|204.155.152.173 domain|IP Suspicious Epom server 2017-10-01 *-6949.kxcdn.com domains Subdomain from a rogue KeyCDN customer 2017-10-01 phohww11888[.org|192.129.215.155 domain|IP KovCoreG soceng host 2017-10-01 cipaewallsandfloors[.net|192.129.162.107 domain|IP KovCoreG soceng host 2017-10-01 b8ad6ce352f502e6c9d2b47db7d2e72eb3c04747cef552b17bb2e5056d6778b9 sha256 T016d6n7t96x2hc43r5f3u6gs61d.zip (zipped runme.js) 2017-10-01 4ebc6eb334656403853b51ac42fb932a8ee14c96d3db72bca3ab92fe39657db3 sha256 FlashPlayer.hta 2017-10-01 a9efd709d60e5c3f0b2d51202d7621e35ba983e24aedc9fba54fb7b9aae14f35 sha256 Firefox-patch.js 2017-10-01 0e4763d4f9687cb88f198af8cfce4bfb7148b5b7ca6dc02061b0baff253eea12 sha256 Kovter 2017-10-01 f449dbfba228ad4b70c636b8c46e0bff1db9139d0ec92337883f89fbdaff225e sha256 Kovter 2017-10-01

ET and ETPRO Suricata/Snort Signatures

2823606 || ETPRO CURRENT_EVENTS Possible Evil Redirect Leading to EK Dec 04 2016

2022636 || ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)

2018358 || ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

2810582 || ETPRO TROJAN WIN32/KOVTER.B Checkin 2

Appendix A:

Example of Kovter config :

cp1: 198.106.131.66:80,128.227.37.159:53635,145.88.81.116:80,19.240.49.245:80,53.92.175.216:80,162.162.89.123:80,32.229.45.97:443,4.225.180.41:8080,238.186.215.63:80,38.82.31.87:80,112.140.163.32:80,45.193.7.134:80,175.165.34.220:80,241.224.231.165:80,104.147.195.64:80,240.101.37.16:8080,108.127.72.16:443,171.61.97.177:443,157.97.103.190:443,110.176.29.85:80,38.189.233.232:80,217.98.225.232:49411,77.104.102.93:80,18.153.103.194:80,4.36.195.194:80,49.115.126.134:80,163.67.178.140:443,111.102.161.80:80,191.157.182.37:80,54.147.36.248:49420,29.178.233.125:26103,93.250.105.38:8080,172.216.42.235:443,143.140.150.221:80,52.147.112.46:80,165.192.115.158:80,154.186.98.132:443,69.224.50.174:80,207.90.221.249:80,37.137.209.187:80,29.238.249.141:80,74.51.220.188:80,140.87.139.238:8080,194.52.186.243:8080,192.195.60.158:8080,129.194.69.83:443,171.111.108.165:80,239.46.99.172:41118,3.137.221.221:57410,18.151.63.243:80,2.47.245.189:80,184.3.3.54:443,113.162.84.109:443,67.155.140.238:80,124.241.35.89:80,109.107.102.171:8080,189.173.140.179:80,60.108.109.62:80,28.175.68.111:443,109.177.183.248:80,80.116.145.114:443,95.223.57.196:8080,150.130.56.35:80,162.94.161.16:80,68.43.75.135:443,103.243.74.30:80,110.97.122.223:56537,217.190.103.158:80,252.32.129.31:80,36.125.246.51:80,59.93.100.193:80,181.65.232.162:51668,86.4.165.53:80,126.243.153.28:80,150.60.190.180:80,225.50.135.20:80,194.113.174.132:80,121.57.168.97:80,210.183.222.119:8080,245.224.169.18:22549,63.77.218.243:80,188.37.101.207:8080,40.65.30.171:80,151.227.80.248:443,35.175.158.154:443,174.143.123.87:443,152.150.237.115:443,203.47.174.49:80,88.63.60.3:24597,230.55.202.166:52832,122.68.242.21:80,144.73.35.41:40286,17.156.104.220:8080,22.14.201.51:443,9.110.104.239:80,79.38.11.244:80,132.57.113.153:80,243.42.115.22:80,82.39.237.185:80,184.206.16.130:80,117.138.112.220:80,176.44.160.187:80,31.64.88.144:80,89.110.147.2:43937,190.114.255.205:26337,185.120.14.76:443,142.58.189.80:8080,193.146.45.23:33617,98.102.72.235:443,85.25.147.17:443,83.244.194.235:80,23.238.20.223:25153,148.243.122.57:443,190.95.194.164:443,130.131.2.244:8080,84.70.191.66:80,250.206.210.124:50346,71.7.64.36:8080,239.79.33.171:80,64.234.199.207:80,74.83.197.63:443,133.172.91.132:23896,85.82.64.209:80,135.216.97.170:80,81.248.122.251:80,185.230.47.137:80,121.219.110.183:443,135.60.116.225:443,225.55.17.34:443,50.168.224.146:80,58.227.76.179:80,179.108.196.226:8080,91.208.219.18:37136,98.77.12.68:80,237.123.29.16:80,79.183.99.225:80,156.196.85.80:80,9.187.104.234:443,213.70.128.176:443,25.19.163.36:80,175.18.209.204:80,84.27.216.183:80,84.192.55.163:55289,64.95.202.42:80,159.111.143.80:80,167.99.106.203:443,26.220.139.229:443,1.213.151.251:54905,234.187.238.142:443,46.236.232.87:80,198.139.215.141:41121,58.246.254.243:80,218.127.244.216:80,245.173.244.240:80,

cp1cptm: 30

cptmkey: e086aa137fa19f67d27b39d0eca18610

keypass: 65537:19522997575054907426554839772202893949064667436330012851486601573672578014023529616671665555927323094351879155591436487128820172552469735659517542751735426712295686609130477424093114196023150427769866831977132493325789625582690673761599383991535000872703053188107144540678963887449541977716556272360743912300213554790082676478081366256001689695367664109647204683040472995564506452532881927504362622488073259160546226002887661491089819185150097820082274803050015187526359970203832566435923214708589228221527050531432943671054442357162433286543257082235512170086631319042116775032280820629831168914542642499106397564761

passdebug: 0

debugelg: 1

elgdl_sl: 0

dl_slb_dll: 0

b_dllnonul: http://109.120.179.92/upload2.php

nonuldnet32: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe

dnet32dnet64: http://download.microsoft.com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64.exe

dnet64pshellxp: http://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe

pshellxppshellvistax32: http://download.microsoft.com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6.0-KB968930-x86.msu

pshellvistax32pshellvistax64: http://download.microsoft.com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6.0-KB968930-x64.msu

pshellvistax64pshell2k3x32: http://download.microsoft.com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG.exe

pshell2k3x32pshell2k3x64: http://download.microsoft.com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG.exe

pshell2k3x64cl_fv: 0

cl_fvfl_fu: https://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_24_active_x.exe

fl_fumainanti: DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:1:DD17Dal:http://109.120.179.92/upload.php:al