Major malvertising campaign spreads Kovter Ad Fraud malware

Last year was a busy year for malvertising, with top-ranked ad networks such as Google’s DoubleClick caught in large-scale attacks, and popular sites unwittingly infecting their visitors through malicious advertisements.

And 2015 is getting off to a rough start as well.

As Nick Bilogorskiy from Cyphort reported earlier this week, a campaign has been wreaking havoc on high-traffic sites.

These attacks are the work of the Kovter gang, which has been busy hitting other major players (i.e. YouTube) during the past year. We tracked this particular campaign as well and have observed several high-profile domains falling victim to malvertising, with a combined monthly traffic of 1.5 billion visitors.

People surfing with outdated plugins or browsers get infected through a ‘drive-by download’ attack that turns their PCs into bots participating in ad fraud.

Affected sites

[Table of affected sites: Domain name | Alexa rank* | Monthly traffic** (the domain names did not survive extraction; only the numeric columns remain)]


* Alexa rank based on data. Subdomains’ rank checked against
** Estimated monthly traffic in millions according to data from

Ad networks


Intermediate site

"domain"=>"", "resolv"=>[""], "port"=>"443", "uri"=>"/?serve&id=1347&log=235", "md5"=>"",
"header"=>"  ---- Referer: en-us\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)\r\nAccept-Encoding: gzip, deflate


Examples of direct referrers (IP address: – Canada)

Exploit Kit (Sweet Orange)

Examples of Exploit Kit landing pages (IP address: – Germany)
Sweet Orange landing page source code

The vulnerability exploited was CVE-2014-6332 and Internet Explorer was the target.

Malwarebytes Anti-Exploit blocks this attack:



The payload, Kovter, gets dropped in the Temp folder:


The payload is VM-aware and also looks for debuggers and other security tools. One way to tell whether the sample ran properly is to check whether it deletes itself after execution.

VM or security tools on a real PC:

  • Sample does not delete itself
  • POST request (domain may change) in this format:

Real machine, no security tools:

  • Sample deletes itself
  • POST request (domain may change) in this format:

We analyzed this in a real environment, running Wireshark on an external laptop so that the capture was completely transparent to the malware. That allowed us to see what it really is: ad fraud (and not ransomware, as reported earlier by other sites).


Shortly after, the flood of ad fraud requests begins:


Ad fraud, also known as click fraud, accounts for a large part of the billion-dollar ad industry. Ad fraud malware essentially simulates the user visiting pages with adverts as if they were legitimate views.

All these requests are made in the background and game the system while the victim is none the wiser.
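As an added example (not code from the original post), here is a small Python detector that applies two of the observations above to constructed proxy log lines: the `/?serve&id=…&log=…` redirect URI seen in the intermediate-site record, and the burst of background ad requests that follows infection. The log format, host names, IP addresses and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not from the original capture):
#   <ISO timestamp>|<client IP>|<method>|<host>|<uri>
# Only the redirect URI shape comes from the post's intermediate-site record; hosts, IPs and times are placeholders.
REDIRECT_RE = re.compile(r"^/\?serve&id=\d+&log=\d+$")

def build_sample_log():
    """Constructed log: one infected client flooding ad hosts, one normal client."""
    base = datetime(2015, 1, 9, 10, 0, 0)
    lines = [base.isoformat() + "|10.0.0.5|GET|redirector.example|/?serve&id=1347&log=235"]
    for i in range(40):  # 40 background ad requests in 40 seconds, spread over 8 ad hosts
        t = base + timedelta(seconds=5 + i)
        lines.append("{}|10.0.0.5|GET|ads{}.example|/view?slot={}".format(t.isoformat(), i % 8, i))
    for i in range(5):   # a normal client: five page views over ten minutes
        t = base + timedelta(seconds=120 * i)
        lines.append("{}|10.0.0.9|GET|news.example|/story/{}".format(t.isoformat(), i))
    return "\n".join(lines)

SAMPLE_LOG = build_sample_log()

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, method, host, uri = line.split("|", 4)
            events.append((datetime.fromisoformat(ts), src, method, host, uri))
    return events

def analyze(log_text, window_sec=60, threshold=30):
    """Return {client IP: sorted findings} for clients showing Kovter-like traffic."""
    findings, per_src = defaultdict(set), defaultdict(list)
    for ts, src, _method, host, uri in parse(log_text):
        if REDIRECT_RE.match(uri):
            findings[src].add("redirect URI matching the intermediate site pattern")
        per_src[src].append((ts, host))
    for src, evts in per_src.items():
        evts.sort()
        start = 0
        for end in range(len(evts)):  # sliding window over the sorted request times
            while (evts[end][0] - evts[start][0]).total_seconds() > window_sec:
                start += 1
            if end - start + 1 >= threshold:
                hosts = len({h for _, h in evts[start:end + 1]})
                findings[src].add("{}+ requests to {} hosts within {}s".format(threshold, hosts, window_sec))
                break
    return {src: sorted(f) for src, f in findings.items()}
```

Running `analyze(SAMPLE_LOG)` flags only the infected client, on both the redirect URI and the request burst; the normal client's five page views stay below the threshold.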

Malwarebytes Anti-Malware already detects and blocks this threat:


Malvertising to remain one of the top threats in 2015

As we said in our end-of-year report, malvertising is a huge issue that affects a wide range of people: end users, of course, but also advertisers and publishers, who have to fight to defend their legitimacy.

Cyber criminals will likely continue to hijack ad networks with malicious code and pocket the dividends from hundreds of thousands of successful infections.

This particular campaign is likely to migrate to other controllers or evolve into something else, now that it has been publicly exposed and the affected parties are cleaning up and securing their systems.

Malwarebytes Labs will continue to monitor the situation and update you on any new developments.

Special thanks to JP Taggart for providing the external recording system.


Jérôme Segura

Principal Threat Researcher