Systems Affected
Microsoft Windows
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as “3ve”—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.
Description
Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as hijacked Border Gateway Protocol (BGP) IP addresses.
Boaxxe/Miuref Malware
Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.
Kovter Malware
Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.
Impact
For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.
Boaxxe/Miuref Malware
Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:
%UserProfile%\AppData\Local\VirtualStore\lsass.aaa
%UserProfile%\AppData\Local\Temp\<RANDOM>.exe
%UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe
The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>\
Kovter Malware
Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:
%UserProfile%\AppData\Local\Temp\<RANDOM>.exe or <RANDOM>.bat
%UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
%UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
%UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat
Kovter is known to hide in the registry under:
HKCU\SOFTWARE\<RANDOM>\<RANDOM>
The customized CEF browser is dropped to:
%UserProfile%\AppData\Local\<RANDOM>
The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:
/?ptrackp=\d{5,8}
/feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w\.\d_-]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
/feedrs\d/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]
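As an added illustration (not part of the alert), the following Python scans constructed web-proxy log lines for the three Kovter URL patterns above. It treats "?" as the literal query separator, as the alert's patterns do, and writes the spoof_domain character class as [\w.\d_-] because the form [\w\.\d-_] is rejected as an invalid range by most regex engines; the log format and sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# The three Kovter ad-request URL patterns from the TA. "?" is the literal query
# separator (as the TA writes it), so it is escaped here. The TA's second pattern
# uses the class [\w\.\d-_], which most regex engines reject as an invalid range
# (\d-_); it is written as [\w.\d_-] here, which matches the same characters.
KOVTER_URL_PATTERNS = {
    "ptrackp": re.compile(r"/\?ptrackp=\d{5,8}"),
    "feedrs_click": re.compile(
        r"/feedrs\d/click\?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*"
        r"&spoof_domain=[\w.\d_-]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    ),
    "feedrs_vast": re.compile(
        r"/feedrs\d/vast_track\?a=impression&feed_id=\d{5}&sub_id=\d{1,5}"
        r"&sub2_id=\d{1,5}&cid=[a-f\d-]"
    ),
}


def match_kovter(url: str):
    """Return the name of the first TA pattern the URL's path+query matches, else None."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for name, pattern in KOVTER_URL_PATTERNS.items():
        if pattern.search(target):
            return name
    return None


def scan_proxy_log(lines):
    """Return (client_ip, host, pattern_name) for every line whose URL matches.
    Assumed (constructed) log format: '<timestamp> <client_ip> <method> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        client_ip, url = fields[1], fields[3]
        name = match_kovter(url)
        if name:
            hits.append((client_ip, urlsplit(url).hostname, name))
    return hits


# Constructed sample log: three Kovter-style requests, one ordinary ad request
# and one request that only partly resembles the click pattern (no match).
SAMPLE_LOG = """\
2018-11-27T10:01:02Z 10.0.0.5 GET http://news.example/?ptrackp=1234567
2018-11-27T10:01:03Z 10.0.0.5 GET http://ads.example/feedrs3/click?feed_id=42&sub_id=7&cid=0a1b-2c3d&spoof_domain=www.site-name.example&land_ip=192.0.2.10
2018-11-27T10:01:04Z 10.0.0.9 GET http://ads.example/feedrs1/vast_track?a=impression&feed_id=12345&sub_id=1&sub2_id=2&cid=ab
2018-11-27T10:01:05Z 10.0.0.7 GET http://www.example/?utm_source=newsletter
2018-11-27T10:01:06Z 10.0.0.7 GET http://www.example/feedrs3/click?feed_id=42
""".splitlines()
```

A single hit is only one indicator, as the Impact section notes; correlating hits per client with the file and registry artifacts listed for Kovter gives a stronger signal than any one URL match.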
The following is a YARA rule for detecting Kovter:
rule KovterUnpacked {
    meta:
        desc = "Encoded strings in unpacked Kovter samples."
    strings:
        $ = "7562@3B45E129B93"
        $ = "@ouhKndCny"
        $ = "@ouh@mmEdctffdsr"
        $ = "@ouhSGQ"
    condition:
        all of them
}
Source:
https://www.us-cert.gov/ncas/alerts/TA18-331A