Netskope Advanced Threat Protection recently detected ads being injected into web traffic of multiple users. The source of these ad injections is a Javascript ad injector commonly known as Lnkr. In this blog post, we will provide an overview of Lnkr, a list of all the URLs we have uncovered that are hosting the Lnkr Javascript, and identify the source of the injections.
Lnkr Ad Injector
Lnkr is family of adware that injects ads into websites that a user visits. Lnkr has previously been found in browser plugins, standalone Windows adware applications, rootkits, Android packages, and even directly included on some websites. The most common active distribution vector is browser extensions that inject ads into all of the user’s web traffic.
Discovery
The Lnkr campaign began in early September and continues through the time of this writing. We were first alerted to the campaign when our Outbreak Detection System found ads being injected into websites that do not commonly serve ads, including online banking portals and internal websites.
Disclosures
On 5 December 2019, we notified Amazon of the Lnkr scripts hosted in AWS S3.
Customer Alert
Customers using Netskope’s Next-Gen SWG are protected from the injected ads. Affected customers will see alerts in their Netskope Skope IT console that contain URLs like the following:
http://nextextlink[.]com/metric/?mid=&wid=51824&sid=&tid=7501&rid=LOADED&custom1=[redacted]&custom2=[redacted]&t=1569547496304
The URL contains one of the domains listed at the end of this post and tracking information from the website where the ads are injected.
Netskope users will be able to recognize Lnkr infections, because an infected user will typically have a very high volume of alerts for one of the URLs listed at the end of this post.
Mitigation
Because the most common active distribution vector is Chrome extensions, we recommend removing all Chrome extensions on an affected system and doing a fresh install of Chrome. If the infection persists, the system might be infected with other malware that bundles the adware.
Lnkr Analysis
The Lnkr Javascript is either directly included by a website or injected by the adware, as seen in Figure 1.
Figure 1: Website with Lnkr script
Though analytics.js, lknr5.js and lnkr30_nt.js are related to Lnkr, the main activity is carried out by the ‘analytics.js’ file in the snippet shown in Figure 1.
Upon visiting the webpage, the following actions take place:
- A jsonp request is launched in the format /optout/get?jsonp=__twb_cb_808309138&key=1940453547ec8d17dd&t=1573556950225 as shown in Figure 2.
Figure 2: jsonp request by Lnkr
- Several blank tracking GIFs are loaded with the callback arguments LAUNCHED, LOADED, BEFORE_OPTOUT, FINISHED in the format /metric/?mid=&wid=51807&sid=&tid=6464&rid=<status>&custom1=[redacted]&t=1573556950222 as shown in Figure 3.
Figure 3: Tracking GIFs
- Another jsonp request is launched in the format /optout/set/lat?jsonp=__twb_cb_274636224&key=1940453547ec8d17dd&cv=1573556950&t=1573556950743
- Based on the country in the jsonp response, as shown in Figure 2, the ScriptsToLoad function launches the associated Lnkr urls in the configuration as shown in Figure 4.
Figure 4: Scripts To load by Lnkr
- The ad injection occurs. Popular services like Google or Reddit are allow listed from injection, presumably to stay under the radar and avoid detection.
- Several blank tracking GIFs are again loaded with the callback arguments OPTOUT_RESPONSE_OK, MNTZ_INJECT, MNTZ_LOADED in the format /metric/?mid=cd1d2&wid=51807&sid=&tid=6464&rid=<status>&t=1573556950746 as shown in Figure 5.
Figure 5: Tracking GIFs
The script also contains functionality to redirect the searches to Adware-related websites. An excerpt of the redirect on the typo of the word, ‘booking’ is shown in Figure 7.
Figure 6: Search redirect
The javascript also contains a webpage that its development is supported by optional advertisements as shown in Figure 7.
Figure 7: Optional Advertisement message
Though these settings are present in the script, they were not enabled or displayed in the webpage.
The earliest evidence of Lnkr dates back to 2016 in a Softpedia news article that describes an Imgur browser extension injecting ads using the URLs shown in Figure 8.
Figure 8: Lnkr Urls related to Imgur uploader
In 2018, Lnkr appeared again, this time in Firefox add-ons that were masquerading as official Firefox updates. A Bugzilla report lists 70 affected add-ons that have been taken down and a MalwareBytes article lists both Chrome and Firefox extensions. BitDefender also reported a rootkit distributing the adware around the same time. Figure 9 shows a screenshot of the website used to trick users into installing the extensions, ublockerext[.]com/ff/.
Figure 9: ublockerext[.]com/ff/ website
At the time of this writing, the website was live but the links to the add-ons hosted there could not be installed, displaying a message that they were corrupt, as shown in Figure 10.
Figure 10: ublockerext[.]com addon installation message
Static analysis of the add-ons identified Lnkr code present in the background.js and content.js files. One of the addons we inspected contained a currently active Lnkr script hosted on Amazon S3 as shown in Figure 11.
Figure 11: Lnkr script hosted on Amazon S3
Though several Lnkr associated browser extensions have been removed from the respective app stores, the associated URLs hosting the scripts remain active. A majority of Lnkr domains were using Let’s Encrypt certificates. Based on our observations we believe this to be an actively ongoing campaign.
Conclusion
The Lnkr campaign we detected is still ongoing. To shield yourself from any possible ad injection, we recommend you block the domains listed at the end of this post. We also recommend you audit the extensions installed in your Chrome browser at chrome://extensions and remove any affected extensions. As this is still an ongoing campaign, we will continue to monitor and report on any new developments. Netskope customers using our Next-Gen SWG are already protected against the injection.
Indicators of compromise
URLS currently serving Lnkr
1018433480[.]rsc[.]cdn77[.]org
1480876790[.]rsc[.]cdn77[.]org
appmakedev[.]xyz
appslinker[.]net
blickkeily[.]com
blinkjork[.]com
browlinkdev[.]xyz
captiontxt[.]com
cilkonlay[.]com
clonyjohn[.]com
closemike[.]com
colextidapp[.]com
countsource[.]cool
cozytech[.]biz
dataprovider[.]website
datapro[.]website
devappstor[.]com
dimagesrc[.]com
dismagic[.]com
domclickext[.]xyz
dowlextff[.]com
evenffext[.]com
extnotecat[.]com
flexylincks[.]com
goldapps[.]org
groproext[.]com
higedev[.]cool
jonyclose[.]com
jonysource[.]com
jsfuel[.]com
killssource[.]com
larickway[.]com
leaderdigital[.]org
lifebounce[.]net
linkangood[.]com
lonelyfix[.]com
longsrc[.]com
loudsjack[.]com
lowffdompro[.]com
magictraps[.]com
masyclick[.]com
mikkymax[.]com
miniklixk[.]org
minisrclink[.]cool
mirextpro[.]com
netstats[.]space
nextextlink[.]com
oilcloze[.]com
onlinekey[.]biz
pagevalidation[.]space
pingclock[.]net
plankjock[.]com
polinaryapp[.]com
prilapptime[.]com
programdiag[.]com
promclickapp[.]biz
protesidenext[.]com
proudflex[.]org
proxdevcool[.]com
rasenalong[.]com
renetteapp[.]com
serenityart[.]biz
shortyclubs[.]com
skillapp[.]net
slickfluide[.]com
sourcebig[.]cool
srctestlink[.]com
statcounter[.]biz
sysfileff[.]com
vibeclimate[.]com
www[.]die-rheinische-affaire[.]de
thrillingos[.]herokuapp[.]com/mozilla/best-ytb-down/content/analytics
s3[.]amazonaws[.]com/cashe-js
s3[.]amazonaws[.]com/js-cache
s3[.]amazonaws[.]com/js-static
s3[.]amazonaws[.]com/jscache