PornHub Users Hijacked

A Malvertising Campaign Group called “KovCoreG”  distributing  Kovter ad fraud malware into Millions of Pornhub Users and Put into Highly Risk by Forcing to install Fake browser updates.

Malvertising (A Malicious Advertising) Method is uses of Spreading Malware via online Advertising and involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and web pages.

It is one of more Profitable Activity for Malware Authors and vulnerable machines are increasingly scarce and Even more having advance Functions to Evade the Detection of Anti Malware Softwares.

According to Proofpoint, this attack chain exposed millions of potential PornHub victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers.

Also Read :  Leading research and advisory firms Forrester was hacked

How Does This Infection Chain Targetting the PornHub Users

Initially,  Kovter Malwareting Infect the PornHub by Abusing the  Junky advertising  Network Traffic by users were shown a fake browser update window.

Infection Chain is capable of operation in all 3 Major Browser, that can abuse the users to Click the Malware contains ads.

Chain Initial Point of Infections Staring by Redirecting the Victims into avertizingms[.]com which is a behind of the major content delivery network called KeyCDN.

Malware Contains Ads infection chain call back Kovter to command and control (C&C).

According to  Proofpoint Researchers, the fake ad impressions are restricted by both geographical and ISP filtering. For users that pass these filters, the chain delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds.
“Kovter” Contain some advanced components and Futures Including filtering and fingerprinting of the timezone, screen dimension, language (user/browser) history length of the current browser windows, and unique id creation.

Based one the Different Browser, once User Downloaded and Click the File then fake update screens will appear.

Once Click the Download File its Drops a drops a firefox-patch.js file in all the Browser.

The JavaScript then downloads the “flv” and the “mp4” files. The flv file contains “[704][rc4 key]”. The mp4 file is an intermediate payload, encrypted with the rc4 key from the flv file and then hex-encoded. “704” here is likely the internal campaign ID.

JavaScript Payload Including an encoded Powershell script that embeds shellcode which will help to Launch an “avi” file which is actually the Kovter payload.

In this Malvertising Champaign could be Infected Millions of PornHub Visitors and sitting atop affiliate model that distributes Kovter more widely.

This Infection Chain has been Reported to site operator and ad network was notified of the activity.

The combination of large malvertising campaigns on very high-ranking websites with sophisticated social engineering schemes that convince users to infect themselves means that potential exposure to malware is quite high, reaching millions of web surfers. Proofpoint said.

Leave a Reply