14 DAY TRIAL // A malvertising campaign spread on popular websites, Huffington Post among them, has been observed late this weekend; the end goal is to deliver Kovter Trojan used for ad-fraud purposes.
The current campaign seems to be the continuation of a previous one, detected in early January, which also affected websites. In both cases, the advertising network distributing the malicious files is Adtech.de, owned by AOL.
Two other advertising companies have also been serving malicious banners, one being adxpansion.com and the other ad.directrev.com.
Sweet Orange may deliver Kovter
Over the weekend, security researchers at Cyphort detected a significant increase in the number of daily infected domains, the list including laweekly.com, indiedb.com, dramago.com, animetoon.tv, spoilertv.com, and sbcodez.com.
A target computer is not compromised directly with Kovter Trojan, as the connection goes through a series of redirects, including an SSL one, landing in the end on a page hosting an exploit kit, which is believed to be Sweet Orange.
The vulnerabilities leveraged by the malicious tool to funnel in Kovter are a use-after-free (CVE-2013-2551) in Internet Explorer and a Windows OLE Automation Array glitch (CVE-2014-6332).
Kovter is designed to impersonate user clicks on ads displayed on websites controlled by the attackers. In a pay-per-click scheme, the website owner gets paid by the ad publisher each time the banner is clicked.
According to Cyphort, the variant of Kovter delivered in this operation is slightly different from the one discovered in the previous malvertising campaign. The researchers observed different command and control servers on the current one.
Malicious redirects on domains in Poland
Following a redirection chain from Huffington Post’s website, Nick Bilogorskiy from Cyphort finally reached a domain from Poland, where the exploit kit would be hosted. He says that in the final stage of the redirect, the victim can land on different domains.
A similarity with the previous campaign is the mix of HTTP and HTTPS redirects, which is designed to hide the server machines employed in the attack. “This time the HTTPS redirector was hosted on Microsoft Azure,” the researcher says.
Cyphort alerted AOL of the bad ads and the malicious content was removed from the network. However, Bilogorskiy says that he could not reach a representative of the other two ad companies, which means that the malvertising operation may still be active on the websites they supply ads to.