Malvertising Group Spreading Kovter Malware via Fake Browser Updates

[LASER_oneXM]

A malvertising group nicknamed KovCoreG by security researchers has been using fake browser and Flash updates to trick users into installing the Kovter malware.

Attackers used malicious ads on PornHub to redirect users to a scam site that was advertising an urgent update. Depending on their browser, users got different messages.

For example, users arriving on this page via Chrome and Firefox were asked to download a browser update, while IE and Edge users were asked to download a Flash update.

The downloadable files were JavaScript (Chrome, Firefox) or HTA (IE, Edge) files that installed Kovter, a multi-purpose malware downloader that can deliver ad fraud malware, ransomware, infostealers, or more.

Campaign focused on UK, US, Canadian, and Australians
Researchers from Proofpoint discovered this malvertising campaign and informed both Pornhub and Traffic Junky — the ad network's whose ads were being abused. Both companies intervened and shut down the ads, but researchers expect the group to pop up somewhere else online.

This particular group fits recent malvertising trends where the malvertisers focus on redirecting users to social engineering (scam, fake download) sites, instead of sending users to exploit kits.

The KovCoreG used ISP and geographical-based filters to separate only the users they wanted to attack. The PornHub campaign targeted US, UK, Canadian, and Australian users.

 

[tim one]

"Critical Chrome/Firefox update"....

Just seeing this, it should be highly suspicious, but not all users have this instinct, unfortunately.

Thanks for sharing this useful info

 

[vemn]

Thanks for Sharing!
Just stay focus when you are surfing xxx sites! Don't click around~~~ XD

 

[Weebarra]

Thanks for this @LASER_oneXM as i would have thought it was genuine, especially the Chrome one

 

[Daljeet]

Criminals is now using https to infect users. It is very difficult to detect because SECURE sign is there in two images.