Security researchers have detected a large-scale malvertising group called KovCoreG that has been tricking unsuspecting users with fake browser and Flash updates into downloading and installing the Kovter malware. The attackers used Traffic Junky, the advertising engine of an adult website, as the medium to infect victims with Kovter, according to security researchers at Proofpoint.
The malware poses as a browser update on Google Chrome and Mozilla Firefox and as a Flash update on Internet Explorer and Microsoft Edge, asking users to download the supposedly necessary update. Once Kovter is installed on the machine, it starts downloading ad fraud malware, ransomware, infostealers, and other malicious software.
“This attack chain exposed millions of potential victims in the US, UK, Canada, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers. The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity,” researchers noted on the Proofpoint website.
Both Traffic Junky and the adult website intervened and shut down the ads, but the malware campaign has moved on to Yahoo’s sites. Malwarebytes security researchers detected similar activity, in which malicious ads from the Taboola network on the MSN website redirect users to tech support scams.