Netskope Advanced Threat Protection recently detected ads being injected into web traffic of multiple users. The source of these ad injections is a Javascript ad injector commonly known as Lnkr. In this blog post, we will provide an overview of Lnkr, a list of all the URLs we have uncovered that are hosting the Lnkr Javascript, and identify the source of the injections.
Lnkr Ad Injector
Lnkr is family of adware that injects ads into websites that a user visits. Lnkr has previously been found in browser plugins, standalone Windows adware applications, rootkits, Android packages, and even directly included on some websites. The most common active distribution vector is browser extensions that inject ads into all of the user’s web traffic.
Discovery
The Lnkr campaign began in early September and continues through the time of this writing. We were first alerted to the campaign when our Outbreak Detection System found ads being injected into websites that do not commonly serve ads, including online banking portals and internal websites.
Disclosures
On 5 December 2019, we notified Amazon of the Lnkr scripts hosted in AWS S3.
Customer Alert
Customers using Netskope’s Next-Gen SWG are protected from the injected ads. Affected customers will see alerts in their Netskope Skope IT console that contain URLs like the following:
http://nextextlink[.]com/metric/?mid=&wid=51824&sid=&tid=7501&rid=LOADED&custom1=[redacted]&custom2=[redacted]&t=1569547496304
The URL contains one of the domains listed at the end of this post and tracking information from the website where the ads are injected.
Netskope users will be able to recognize Lnkr infections, because an infected user will typically have a very high volume of alerts for one of the URLs listed at the end of this post.
Mitigation
Because the most common active distribution vector is Chrome extensions, we recommend removing all Chrome extensions on an affected system and doing a fresh install of Chrome. If the infection persists, the system might be infected with other malware that bundles the adware.
Lnkr Analysis
The Lnkr Javascript is either directly included by a website or injected by the adware, as seen in Figure 1.
Figure 1: Website with Lnkr script
Though analytics.js, lknr5.js and lnkr30_nt.js are related to Lnkr, the main activity is carried out by the ‘analytics.js’ file in the snippet shown in Figure 1.
Upon visiting the webpage, the following actions take place:
- A jsonp request is launched in the format /optout/get?jsonp=__twb_cb_808309138&key=1940453547ec8d17dd&t=1573556950225 as shown in Figure 2.
Figure 2: jsonp request by Lnkr
- Several blank tracking GIFs are loaded with the callback arguments LAUNCHED, LOADED, BEFORE_OPTOUT, FINISHED in the format /metric/?mid=&wid=51807&sid=&tid=6464&rid=<status>&custom1=[redacted]&t=1573556950222 as shown in Figure 3.
Figure 3: Tracking GIFs
- Another jsonp request is launched in the format /optout/set/lat?jsonp=__twb_cb_274636224&key=1940453547ec8d17dd&cv=1573556950&t=1573556950743
- Based on the country in the jsonp response, as shown in Figure 2, the ScriptsToLoad function launches the associated Lnkr urls in the configuration as shown in Figure 4.
Figure 4: Scripts To load by Lnkr
- The ad injection occurs. Popular services like Google or Reddit are allow listed from injection, presumably to stay under the radar and avoid detection.
- Several blank tracking GIFs are again loaded with the callback arguments OPTOUT_RESPONSE_OK, MNTZ_INJECT, MNTZ_LOADED in the format /metric/?mid=cd1d2&wid=51807&sid=&tid=6464&rid=<status>&t=1573556950746 as shown in Figure 5.
Figure 5: Tracking GIFs
The script also contains functionality to redirect the searches to Adware-related websites. An excerpt of the redirect on the typo of the word, ‘booking’ is shown in Figure 7.
Figure 6: Search redirect
The javascript also contains a webpage that its development is supported by optional advertisements as shown in Figure 7.
Figure 7: Optional Advertisement message
Though these settings are present in the script, they were not enabled or displayed in the webpage.
The earliest evidence of Lnkr dates back to 2016 in a Softpedia news article that describes an Imgur browser extension injecting ads using the URLs shown in Figure 8.