Lnkr Ad Injector
Lnkr is family of adware that injects ads into websites that a user visits. Lnkr has previously been found in browser plugins, standalone Windows adware applications, rootkits, Android packages, and even directly included on some websites. The most common active distribution vector is browser extensions that inject ads into all of the user’s web traffic.
The Lnkr campaign began in early September and continues through the time of this writing. We were first alerted to the campaign when our Outbreak Detection System found ads being injected into websites that do not commonly serve ads, including online banking portals and internal websites.
On 5 December 2019, we notified Amazon of the Lnkr scripts hosted in AWS S3.
Customers using Netskope’s Next-Gen SWG are protected from the injected ads. Affected customers will see alerts in their Netskope Skope IT console that contain URLs like the following:
The URL contains one of the domains listed at the end of this post and tracking information from the website where the ads are injected.
Netskope users will be able to recognize Lnkr infections, because an infected user will typically have a very high volume of alerts for one of the URLs listed at the end of this post.
Because the most common active distribution vector is Chrome extensions, we recommend removing all Chrome extensions on an affected system and doing a fresh install of Chrome. If the infection persists, the system might be infected with other malware that bundles the adware.
Figure 1: Website with Lnkr script
Though analytics.js, lknr5.js and lnkr30_nt.js are related to Lnkr, the main activity is carried out by the ‘analytics.js’ file in the snippet shown in Figure 1.
Upon visiting the webpage, the following actions take place:
- A jsonp request is launched in the format /optout/get?jsonp=__twb_cb_808309138&key=1940453547ec8d17dd&t=1573556950225 as shown in Figure 2.
Figure 2: jsonp request by Lnkr
- Several blank tracking GIFs are loaded with the callback arguments LAUNCHED, LOADED, BEFORE_OPTOUT, FINISHED in the format /metric/?mid=&wid=51807&sid=&tid=6464&rid=<status>&custom1=[redacted]&t=1573556950222 as shown in Figure 3.
Figure 3: Tracking GIFs
- Another jsonp request is launched in the format /optout/set/lat?jsonp=__twb_cb_274636224&key=1940453547ec8d17dd&cv=1573556950&t=1573556950743
- Based on the country in the jsonp response, as shown in Figure 2, the ScriptsToLoad function launches the associated Lnkr urls in the configuration as shown in Figure 4.
Figure 4: Scripts To load by Lnkr
- The ad injection occurs. Popular services like Google or Reddit are whitelisted from injection, presumably to stay under the radar and avoid detection.
- Several blank tracking GIFs are again loaded with the callback arguments OPTOUT_RESPONSE_OK, MNTZ_INJECT, MNTZ_LOADED in the format /metric/?mid=cd1d2&wid=51807&sid=&tid=6464&rid=<status>&t=1573556950746 as shown in Figure 5.
Figure 5: Tracking GIFs
The script also contains functionality to redirect the searches to Adware-related websites. An excerpt of the redirect on the typo of the word, ‘booking’ is shown in Figure 7.
Figure 6: Search redirect
Figure 7: Optional Advertisement message
Though these settings are present in the script, they were not enabled or displayed in the webpage.
The earliest evidence of Lnkr dates back to 2016 in a Softpedia news article that describes an Imgur browser extension injecting ads using the URLs shown in Figure 8.
Figure 8: Lnkr Urls related to Imgur uploader
In 2018, Lnkr appeared again, this time in Firefox add-ons that were masquerading as official Firefox updates. A Bugzilla report lists 70 affected add-ons that have been taken down and a MalwareBytes article lists both Chrome and Firefox extensions. BitDefender also reported a rootkit distributing the adware around the same time. Figure 9 shows a screenshot of the website used to trick users into installing the extensions, ublockerext[.]com/ff/.
Figure 9: ublockerext[.]com/ff/ website
At the time of this writing, the website was live but the links to the add-ons hosted there could not be installed, displaying a message that they were corrupt, as shown in Figure 10.
Figure 10: ublockerext[.]com addon installation message
Static analysis of the add-ons identified Lnkr code present in the background.js and content.js files. One of the addons we inspected contained a currently active Lnkr script hosted on Amazon S3 as shown in Figure 11.
Figure 11: Lnkr script hosted on Amazon S3
Though several Lnkr associated browser extensions have been removed from the respective app stores, the associated URLs hosting the scripts remain active. A majority of Lnkr domains were using Let’s Encrypt certificates. Based on our observations we believe this to be an actively ongoing campaign.
The Lnkr campaign we detected is still ongoing. To shield yourself from any possible ad injection, we recommend you block the domains listed at the end of this post. We also recommend you audit the extensions installed in your Chrome browser at chrome://extensions and remove any affected extensions. As this is still an ongoing campaign, we will continue to monitor and report on any new developments. Netskope customers using our Next-Gen SWG are already protected against the injection.
Indicators of compromise
URLS currently serving Lnkr