Kovter Group malvertising campaign exposes millions to potential malware and fraud

Share with your network!

Editor's Note: For more information on KovCoreG and Kovter, please see our actor profile here.


Proofpoint researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely. This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers. The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.


Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce. To improve infection rates and better evade detection by vendors and researchers, threat actors have turned to advanced filtering techniques and social engineering instead of the widespread use of exploits.

Few groups are able to infiltrate the advertising chain on the most visited websites. We have recently looked at several of these groups including SadClowns [1], GooNky [2], VirtualDonna [3] and AdGholas [4]. While we have discussed Kovter in the past [14], we have not had the opportunity to look in depth at an operation by KovCoreG (aka MaxTDS per FoxIT InTELL). This post looks at a recent KovCoreG campaign and describes what we know of the current state of their very active social engineering scheme [5-11].

The Infection Chain

The infection chain in this campaign appeared on PornHub (Alexa US Rank 21 and world rank 38 as of this writing) and abused the Traffic Junky advertising network. It should be noted that both PornHub and Traffic Junky acted swiftly to remediate this threat upon notification.

We studied three cases of the chain on Windows: Chrome, Firefox, and Microsoft Edge/Internet Explorer (Figure 1). We will detail the Chrome variation but all three cases operate in a similar fashion.

Three KovCoreG social engineering templates

Figure 1:  The three KovCoreG social engineering templates we observed

Figure 2 shows the full KovCoreG infection chain from PornHub through the Kovter callback to its command and control (C&C).

Full KovCoreG infection chain

Figure 2: October 1, 2017 - Full KovCoreG infection chain

The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network.

It appears that malvertising impressions are restricted by both geographical and ISP filtering. For users that pass these filters, the chain delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds [15]. Note, however, that we do not believe there is a strong connection between the two groups other than code sharing or a common coder with a new customer/partner.

KovCoreG sending decoy call when evading unwanted visitors or systems

Figure 3: KovCoreG sending decoy call when evading unwanted visitors or systems

Analysis of this first step is ongoing, but it contains several components including filtering and fingerprinting of the timezone, screen dimension, language (user/browser) history length of the current browser windows, and unique id creation via Mumour [12].

Figures 4-6 show the fake update screens that appear  during the infection chain, inviting the user to open the downloaded file. The files are different depending on the browser in use.

KovCoreG fake 'Critical Chrome update' drops zipped runme.js file after user clicks

Figure 4: Chrome browser template - KovCoreG fake “Critical Chrome update” drops a zipped runme.js file after a user clicks

KovCoreG fake 'Critical Firefox update' drops firefox-patch.js file after click

Figure 5: Firefox browser template - KovCoreG fake “Critical Firefox update” drops a firefox-patch.js file after a click

KovCoreG fake Adobe Flash Player update drops 'FlashPlayer.hta' file after click

Figure 6: Microsoft Edge/Internet Explorer browser template - KovCoreG fake Adobe Flash Player update (“Your flash player may be out of date”) drops a FlashPlayer.hta file after a click

Chrome fake update zipped 'runme.js'

Figure 7: Chrome fake update zipped runme.js; the victim must explicitly open this file since this chain does not rely on exploits

The runme.js file associated with the fake Chrome update beacons back to the same server hosting the social engineering scheme. This adds an extra layer of protection against replay or study. Analysts will not be able to reach the next step in the chain if their IP has not “checked in” first to the malvertising host. This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment. This is most likely why this component of the chain has not been documented previously.

The JavaScript then downloads the "flv" and the "mp4" files. The "flv" file consists of the digits "704" followed by an rc4 key. The "mp4" file is an intermediate payload, encrypted with the rc4 key from the "flv" file and then hex-encoded. “704” here is likely the internal campaign ID.

The intermediate payload is itself more JavaScript, in this case including an encoded Powershell script that embeds shellcode.This shellcode downloads and launches an "avi" file which is actually the Kovter payload, RC4-encoded with, in that particular pass, the key "hxXRKLVPuRrkRwuaPa" stored in the shellcode.

Kovter is known for, among other things, its unique persistence mechanism. Figures 8-10 show a Registry entry, .bat file shortcut, and the .bat file itself, respectively, that are artifacts of this mechanism, previously described by Microsoft [13].

Kovter persistence mechanism artifact '(bat file)'

Figure 8: Kovter persistence mechanism artifact (Registry Entry)

Kovter persistence mechanism artifact '(bat file)'

Figure 9: Kovter persistence mechanism artifact (Shortcut to .bat file)

Kovter persistence mechanism artifact (bat file)

Figure 10: Kovter persistence mechanism artifact (bat file)


The combination of large malvertising campaigns on very high-ranking websites with sophisticated social engineering schemes that convince users to infect themselves means that potential exposure to malware is quite high, reaching millions of web surfers. Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective. While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale.


We would like to thank

  • @Malc0de for his help in this study.
  • Pornhub,KeyCDN, and Traffic Junky for their swift action upon notification.


[1] https://www.proofpoint.com/us/threat-insight/post/video-malvertising-bringing-new-risks-high-profile-sites

[2] https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows

[3] http://malware.dontneedcoffee.com/2015/10/a-doubleclick-https-open-redirect-used.html

[4] https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight

[5] https://support.mozilla.org/en-US/kb/i-found-fake-firefox-update

[6] https://twitter.com/compvla/status/810923447601790976

[7] https://productforums.google.com/forum/#!topic/chrome/mLKWHEAGBS

[8] https://www.bleepingcomputer.com/news/security/skype-malvertising-campaign-pushes-fake-flash-player/

[9] https://twitter.com/JAMESWT_MHT/status/867678039798403072

[10] https://bartblaze.blogspot.co.uk/2017/09/malicious-adclick-networks-common-or.html

[11] http://executemalware.com/?p=432

[12] https://andywalpole.me/blog/140739/using-javascript-create-guid-from-users-browser-information

[13] https://blogs.technet.microsoft.com/mmpc/2016/07/22/kovter-becomes-almost-file-less-creates-a-new-file-type-and-gets-some-new-certificates/

[14] https://www.proofpoint.com/us/threat-insight/post/spike-kovter-ad-fraud-malware-clever-macro-trick

[15] https://www.proofpoint.com/us/threat-insight/post/microsoft-patches-CVE-2016-3298-second-information-disclosure-zero-day

Indicators of Compromise (IOCs)


IOC Type




Suspicious Epom server 2017-10-01



Subdomain from a rogue KeyCDN customer 2017-10-01



KovCoreG soceng host  2017-10-01



KovCoreG soceng host  2017-10-01



            T016d6n7t96x2hc43r5f3u6gs61d.zip (zipped runme.js)  2017-10-01













 Kovter 2017-10-01




 Kovter 2017-10-01

ET and ETPRO Suricata/Snort Signatures

2823606 || ETPRO CURRENT_EVENTS Possible Evil Redirect Leading to EK Dec 04 2016

2022636 || ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)

2018358 || ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

2810582 || ETPRO TROJAN WIN32/KOVTER.B Checkin 2

Appendix A:

Example of Kovter config :


cp1cptm: 30

cptmkey: e086aa137fa19f67d27b39d0eca18610

keypass: 65537:19522997575054907426554839772202893949064667436330012851486601573672578014023529616671665555927323094351879155591436487128820172552469735659517542751735426712295686609130477424093114196023150427769866831977132493325789625582690673761599383991535000872703053188107144540678963887449541977716556272360743912300213554790082676478081366256001689695367664109647204683040472995564506452532881927504362622488073259160546226002887661491089819185150097820082274803050015187526359970203832566435923214708589228221527050531432943671054442357162433286543257082235512170086631319042116775032280820629831168914542642499106397564761

passdebug: 0

debugelg: 1

elgdl_sl: 0

dl_slb_dll: 0


nonuldnet32: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe

dnet32dnet64: http://download.microsoft.com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64.exe

dnet64pshellxp: http://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe

pshellxppshellvistax32: http://download.microsoft.com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6.0-KB968930-x86.msu

pshellvistax32pshellvistax64: http://download.microsoft.com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6.0-KB968930-x64.msu

pshellvistax64pshell2k3x32: http://download.microsoft.com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG.exe

pshell2k3x32pshell2k3x64: http://download.microsoft.com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG.exe

pshell2k3x64cl_fv: 0

cl_fvfl_fu: https://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_24_active_x.exe

fl_fumainanti: DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:1:DD17Dal: