CERT mailing list archives

TA18-331A: 3ve – Major Online Ad Fraud Operation


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Tue, 27 Nov 2018 16:13:09 -0600

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



TA18-331A: 3ve – Major Online Ad Fraud Operation [ https://www.us-cert.gov/ncas/alerts/TA18-331A ] 11/27/2018 12:09 PM EST 
Original release date: November 27, 2018

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and 
the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online 
ad fraud operation, referred to by the U.S. Government as "3ve", involving the control of over 1.7 million unique Internet 
Protocol (IP) addresses globally when sampled over a 10-day window.

Description

Online advertisers want premium websites on which to publish their ads and large numbers of visitors to view those 
ads. 3ve created fake versions of both (websites and visitors) and funneled the advertising revenue to cyber 
criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref 
and Kovter malware, as well as IP address ranges hijacked through the Border Gateway Protocol (BGP).

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that uses the Boaxxe 
botnet is primarily located in a data center. Hundreds of machines in this data center browse to counterfeit 
websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these 
pages. The machines in the data center route those ad requests through the Boaxxe botnet as a proxy: a command and 
control (C2) server instructs the infected computers to make the ad requests, so that the requests appear to originate 
from the victims' IP addresses rather than from the data center's true IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that uses the 
Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine, invisible to the user. 
A C2 server directs the infected machine to visit counterfeit websites. When a counterfeit webpage is loaded in the 
hidden browser, requests are made for ads to be placed on that page; the infected machine receives the ads and loads 
them into the hidden browser, so each impression appears to come from a real user's computer.

Impact

For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own does not necessarily mean 
that a machine is infected. Some IOCs may also be present for legitimate applications and network traffic, but are 
included here for completeness.

Boaxxe/Miuref Malware

Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following 
locations:

  * %UserProfile%\AppData\Local\VirtualStore\lsass.aaa 
  * %UserProfile%\AppData\Local\Temp\<RANDOM>.exe 
  * %UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe 

A value under the HKEY_CURRENT_USER (HKCU) Run key is set to the path of one of the executables created above:

  * HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable> 

Kovter Malware

Kovter malware lives mostly in the registry, but the following files may be found on the infected machine:

  * %UserProfile%\AppData\Local\Temp\<RANDOM>.exe/.bat 
  * %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe 
  * %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk 
  * %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat 

Kovter is known to hide in the registry under:

  * HKCU\SOFTWARE\<RANDOM>\<RANDOM> 

The customized CEF browser is dropped to:

  * %UserProfile%\AppData\Local\<RANDOM> 

The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly 
identified. An additional value that points to a batch script on disk may be placed under the registry key:

  * HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
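The file-location IOCs for both families above can be turned into a triage check over an autorun export. The following script is an added example written for this page; it is not part of the US-CERT alert and not a tool from DHS or FBI. It assumes a simplified, constructed three-column CSV ("Entry Location,Entry,Image Path") rather than the real column layout of any particular autorun tool, and every path in the sample is invented. Each IOC from the lists above becomes a case-insensitive regex, ordered so that specific artefacts (the VirtualStore lsass.aaa file, the Content.IE5 drop, the random eight-character folder) are reported before the generic Temp rule, which is also hit by legitimate installers and is therefore labelled low confidence.

```python
import csv
import io
import re
from dataclasses import dataclass

# Regexes built from the file-location IOCs above. Windows paths compare
# case-insensitively, and the profile root accepts either a %UserProfile%
# literal or an expanded C:\Users\<name> prefix.
_PROFILE = r"(?:%userprofile%|[a-z]:\\users\\[^\\]+)"
_LOCAL = _PROFILE + r"\\appdata\\local\\"

# name -> (pattern, confidence): specific artefacts first, the noisy Temp rule last.
IOC_PATH_PATTERNS = {
    "boaxxe_virtualstore_lsass": (
        re.compile(_LOCAL + r"virtualstore\\lsass\.aaa$", re.I), "high"),
    "boaxxe_random8_folder": (
        re.compile(_LOCAL + r"[a-z0-9]{8}\\[^\\]+\.exe$", re.I), "medium"),
    "kovter_content_ie5": (
        re.compile(_LOCAL + r"microsoft\\windows\\temporary internet files"
                   r"\\content\.ie5\\[^\\]+\\[^\\]+\.exe$", re.I), "medium"),
    "kovter_local_random_lnk_bat": (
        re.compile(_LOCAL + r"(?!temp\\)[^\\]+\\[^\\]+\.(?:lnk|bat)$", re.I), "medium"),
    # Both families drop into Temp, but so do legitimate installers.
    "temp_exe_or_bat": (
        re.compile(_LOCAL + r"temp\\[^\\]+\.(?:exe|bat)$", re.I), "low"),
}


@dataclass
class Hit:
    location: str
    entry: str
    image_path: str
    ioc: str
    confidence: str


def classify_path(path):
    """Return (ioc_name, confidence) for the first matching IOC pattern, else None."""
    for name, (pattern, confidence) in IOC_PATH_PATTERNS.items():
        if pattern.search(path):
            return name, confidence
    return None


def triage_autoruns(csv_text):
    """Parse a constructed 'Entry Location,Entry,Image Path' CSV and return Hits.

    The column layout is a simplified stand-in (an assumption of this example);
    real autorun exports have more columns and need their own header handling.
    """
    hits = []
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # skip the header row
    for row in reader:
        if len(row) != 3:
            continue
        location, entry, image_path = row
        match = classify_path(image_path)
        if match:
            hits.append(Hit(location, entry, image_path, *match))
    return hits


# Constructed sample: a benign OneDrive entry, a Python install under Programs,
# and one entry at each IOC location. All paths are invented, not from a case.
SAMPLE_AUTORUNS = r"""Entry Location,Entry,Image Path
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,lsass,C:\Users\alice\AppData\Local\VirtualStore\lsass.aaa
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Updater,C:\Users\alice\AppData\Local\x7qk2m9p\setup.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Python,C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,sys,C:\Users\alice\AppData\Local\Temp\a1b2.bat
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,ie5,C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3J9Q1\rnd.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,shell,C:\Users\alice\AppData\Local\q8z1\run.lnk
"""

if __name__ == "__main__":
    for hit in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"[{hit.confidence}] {hit.entry}: {hit.image_path} ({hit.ioc})")
```

The random eight-character folder rule is deliberately only medium confidence: legitimate folders under AppData\Local such as Programs and Packages are also eight characters long, so a positive should be baselined against the machine's known software before it is treated as a Boaxxe artefact.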

There are several patterns in the network requests made by Kovter malware when visiting the counterfeit 
websites. The following regular expressions match these URL patterns (the "?" that begins each query string is 
escaped so that it is matched literally rather than read as an optional-character quantifier):

  * /\?ptrackp=\d{5,8} 
  * /feedrs\d/click\?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w.-]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} 
  * /feedrs\d/vast_track\?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-] 
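To show the URL patterns doing work against traffic, here is an added example that is not part of the US-CERT alert: a small scanner that runs the three expressions over proxy log lines and pulls out the spoof_domain and land_ip fields, which are the most useful pivots for a hunt. The log format ("epoch client_ip method url") is a constructed stand-in for whatever your proxy writes, the hostnames and addresses are documentation and example values, and the function that keeps the unescaped "?" from the alert's printed "click" pattern exists only to demonstrate why it never matches a real request.

```python
import re

# Corrected forms of the three URL patterns listed in the alert. The "?" that
# begins the query string is escaped: left bare, "click?feed_id" means
# "clic" + optional "k" + "feed_id", which never matches a real request URL.
# The printed spoof_domain class "[\w\.\d-_]" is also an invalid range ("\d-_")
# in most engines; "[\w.-]" covers the same characters.
KOVTER_URL_PATTERNS = {
    "ptrackp": re.compile(r"/\?ptrackp=\d{5,8}"),
    "feedrs_click": re.compile(
        r"/feedrs\d/click\?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*"
        r"&spoof_domain=(?P<spoof_domain>[\w.-]*)"
        r"&land_ip=(?P<land_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    ),
    "feedrs_vast": re.compile(
        r"/feedrs\d/vast_track\?a=impression&feed_id=\d{5}&sub_id=\d{1,5}"
        r"&sub2_id=\d{1,5}&cid=[a-f\d-]"
    ),
}

# The "click" pattern with the unescaped "?" (only the character class repaired
# so that it compiles), kept to demonstrate the problem.
UNESCAPED_CLICK = re.compile(
    r"/feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*"
    r"&spoof_domain=[\w.-]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)


def unescaped_click_matches(url):
    """True if the alert's printed (unescaped) click pattern matches the URL."""
    return UNESCAPED_CLICK.search(url) is not None


# Constructed proxy log, "epoch client_ip method url" per line. Not a real
# capture: hosts are example domains and addresses are documentation ranges.
SAMPLE_PROXY_LOG = """\
1543332749.104 10.20.30.40 GET http://ads.example.net/feedrs3/click?feed_id=4121&sub_id=7&cid=3f2a9c1e-5b4d-4c8e-9a1f-0c2d3e4f5a6b&spoof_domain=news.example.com&land_ip=203.0.113.25
1543332750.221 10.20.30.40 GET http://ads.example.net/feedrs3/vast_track?a=impression&feed_id=41210&sub_id=7&sub2_id=12&cid=3f2a9c1e-5b4d-4c8e-9a1f-0c2d3e4f5a6b
1543332751.337 10.20.30.41 GET http://news.example.com/?ptrackp=8213407
1543332752.552 10.20.30.42 GET http://www.example.org/index.html
"""


def scan_proxy_log(log_text):
    """Return one dict per log line whose URL matches a Kovter URL pattern.

    Each hit carries the client address, the rule name, the URL, and any named
    groups (spoof_domain, land_ip) that the rule extracted.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        _ts, client, _method, url = parts
        for name, pattern in KOVTER_URL_PATTERNS.items():
            m = pattern.search(url)
            if m:
                hit = {"client": client, "rule": name, "url": url}
                hit.update(m.groupdict())
                hits.append(hit)
                break
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(h["client"], h["rule"], h.get("spoof_domain", ""), h.get("land_ip", ""))
```

Group hits by client and by land_ip: a single workstation producing click and vast_track requests in quick succession, with spoof_domain values that the user never actually visited, is the traffic shape of the hidden CEF browser described above.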

The following is a YARA rule for detecting Kovter; its strings are taken from unpacked samples, so it is meant to be 
run against memory or unpacked images rather than the packed dropper:

rule KovterUnpacked {
    meta:
        desc = "Encoded strings in unpacked Kovter samples."
    strings:
        $ = "7562@3B45E129B93"
        $ = "@ouhKndCny"
        $ = "@ouh@mmEdctffdsr"
        $ = "@ouhSGQ"
    condition:
        all of them
}

Solution

If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be 
useful to investigators, submit your complaint to www.ic3.gov [ http://www.ic3.gov ] and use the hashtag 3ve (#3ve) in 
the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or 
Kovter:

  * *Use and maintain antivirus software.* Antivirus software recognizes and protects your computer against most known 
viruses. Security companies continuously update their software to counter these advanced threats, so it is important 
to keep your antivirus software up to date. If you suspect you may be a victim of malware, update your antivirus 
definitions and run a full-system scan. (See Understanding Anti-Virus Software [ 
http://www.us-cert.gov/ncas/tips/ST04-005 ] for more information.) 
  * *Avoid clicking links in email.* Attackers have become very skilled at making phishing emails look legitimate. 
Rather than clicking a link, verify it by typing the address into a new browser window yourself. (See Avoiding Social 
Engineering and Phishing Attacks [ https://www.us-cert.gov/ncas/tips/ST04-014 ].) 
  * *Change your passwords.* Your original passwords may have been compromised during the infection, so you should 
change them. (See Choosing and Protecting Passwords [ http://www.us-cert.gov/ncas/tips/ST04-002 ].) 
  * *Keep your operating system and application software up to date.* Install software patches so that attackers cannot 
take advantage of known problems or vulnerabilities. Enable automatic updates of the operating system if this option is 
available. (See Understanding Patches and Software Updates [ http://www.us-cert.gov/ncas/tips/ST04-006 ] for more 
information.) 
  * *Use anti-malware tools.* Using a legitimate program that identifies and removes malware can help eliminate an 
infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The 
U.S. Government does not endorse or support any particular product or vendor. 
      * ESET Online Scanner [ https://www.eset.com/int/home/online-scanner/ ] 
      * F-Secure [ https://www.f-secure.com/en/web/home_global/f-secure-online-scanner ] 
      * Malwarebytes [ https://www.malwarebytes.com/ ] 
      * McAfee [ http://www.mcafee.com/us/downloads/free-tools/index.aspx ] 
      * Microsoft Safety Scanner [ https://www.microsoft.com/security/scanner/en-us/default.aspx ] 
      * Norton Power Eraser [ https://us.norton.com/support/tools/npe.html ] 
      * Trend Micro HouseCall [ http://housecall.trendmicro.com/ ] 

References

  * DOJ Press Release [ https://www.justice.gov/usao-edny/pr/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing ] 
  * ewhitehats White Paper on Kovter Malware [ https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf ] 
  * White Ops: The Hunt for 3ve [ https://www.whiteops.com/3ve ] 
  * Google Security Blog: Industry collaboration leads to takedown of the 3ve ad fraud operation [ https://security.googleblog.com/2018/11/industry-collaboration-leads-to.html ] 

Revision History

  * November 27, 2018: Initial version 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 
