Pronhub is believed to have been the victim of a malware attack the tricked its users into downloading a virus named Kotver.
The malware altered the Traffic Junky service that provides advertising on the Pronhub website to display its adverts, and then presented users with a browser update request that was not genuine.
The malware was identified on the Pronhub website in October 2017 by a third party who then notified Traffic Junky and Pronhub when then quickly removed the issue.
Once downloaded and installed from the Pronhub website to a Windows based machine, the Kotver application would launch invisible browsing sessions that would slow the computer and click on adverts that have been covertly downloaded to the computer and then automatically clicking them in order to generate advertising revenue for the attackers.
Once successfully installed, the Kotver application will alter the file named regsvr32.exe and will then attempt to connect to a remote address from where it will source the adverts. It may also attempt to download additional software to the computer if it is not already installed such as Microsoft .net runtime, Adobe flash player and Internet explorer.
The program will then make alterations to the following Windows Registry keys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\
- HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\
- HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\
- HKEY_CURRENT_USER\Software\[RANDOM ALPHANUMERIC STRING]\
- HKEY_CURRENT_USER\Software\[RANDOM ALPHANUMERIC STRING]\
- HKEY_CURRENT_USER\Software\[RANDOM ALPHANUMERIC STRING]\
Kotver malware will also detect whether the computer has the Powershell installed and, if not, will create a copy of itself within the following path:
- %UserProfile%\Application Data\[RANDOM FOLDER NAME]\
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\\
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on enquiries@athenaforensics.co.uk, further details are available on out contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our computer forensics experts are fully aware of the significance and importance of the information that they encounter. Our computer forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.
Athena Forensics
https://athenaforensics.co.uk/service/mobile-phone-forensic-experts/
https://athenaforensics.co.uk/service/computer-forensic-experts/
