Major Online Ad Fraud Operation

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:


11/27/2018 12:09 PM EST


release date: November 27, 2018

Systems Affected

Microsoft Windows


This joint Technical Alert (TA) is the result of analytic efforts between
the Department of Homeland Security (DHS) and the Federal Bureau of
Investigation (FBI). DHS and FBI are releasing this TA to provide
information about a major online ad fraud operation—referred to by the U.S.
Government as “3ve”—involving the control of over 1.7 million
unique Internet Protocol (IP) addresses globally, when sampled over a
10-day window.


Online advertisers desire premium websites on which to publish their ads and
large numbers of visitors to view those ads. 3ve created fake versions of both
(websites and visitors), and funneled the advertising revenue to cyber
criminals. 3ve obtained control over 1.7 million unique IPs by
leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as
well as Border Gateway Patrol-hijacked IP addresses. 


Boaxxe malware is spread through email attachments and drive-by downloads.
The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a
data center. Hundreds of machines in this data center are browsing to
counterfeit websites. When these counterfeit webpages are loaded into a
browser, requests are made for ads to be placed on these pages. The machines in
the data center use the Boaxxe botnet as a proxy to make requests for these
ads. A command and control (C2) server sends instructions to the infected
botnet computers to make the ad requests in an effort to hide their true data
center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by
downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden
Chromium Embedded Framework (CEF) browser on the infected machine that the user
cannot see. A C2 server tells the infected machine to visit counterfeit
websites. When the counterfeit webpage is loaded in the hidden browser,
requests are made for ads to be placed on these counterfeit pages. The infected
machine receives the ads and loads them into the hidden browser.


For the indicators of
compromise (IOCs) below, keep in mind that any one indicator on its own may not
necessarily mean that a machine is infected. Some IOCs may be present for legitimate
applications and network traffic as well, but are included here for


Boaxxe malware leaves several executables on the infected machine. They may
be found in one or more of the following locations:

  • %UserProfile%AppDataLocalTemp lt;RANDOM>.exe
  • %UserProfile%AppDataLocal lt;Random eight-character folder
    name> lt;original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the
executables created above.

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun lt;Above path
    to executable>

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may
be found on the infected machine:

  • %UserProfileAppDataLocalTemp lt;RANDOM> .exe/.bat
  • %UserProfile%AppDataLocalMicrosoftWindowsTemporary Internet
    FilesContent.IE5 lt;RANDOM> lt;RANDOM FILENAME>.exe
  • %UserProfile%AppDataLocal lt;RANDOM> lt;RANDOM>.lnk
  • %UserProfile%AppDataLocal lt;RANDOM> lt;RANDOM>.bat

Kovter is known to hide in the registry under:


The customized CEF browser is dropped to:

  • %UserProfile%AppDataLocal lt;RANDOM>

The keys will look like random values and contain scripts. In some values, a
User-Agent string can be clearly identified. An additional key containing a
link to a batch script on the hard drive may be placed within registry key:

  • HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun

There are several patterns in the network requests that are made by Kovter
malware when visiting the counterfeit websites. The following are regex rules
for these URL patterns:

  • /?ptrackp=d{5,8}
  • /feedrsd/click?feed_id=d{1,5}&sub_id=d{1,5}&cid=[a-f0-9-]*&spoof_domain=[w.d-_]*&land_ip=d{1,3}.d{1,3}.d{1,3}.d{1,3}
  • /feedrsd/vast_track?a=impression&feed_id=d{5}&sub_id=d{1,5}&sub2_id=d{1,5}&cid=[a-fd-]

The following is a YARA rule for detecting Kovter:

KovterUnpacked {

    desc = "Encoded strings in unpacked Kovter

    $ = "7562@3B45E129B93"
    $ = "@ouhKndCny"
    $ = "@ouh@mmEdctffdsr"
    $ = "@ouhSGQ"
    all of them


If you believe you may be a victim of 3ve and its associated malware or
hijacked IPs, and have information that may be useful to investigators, submit
your complaint to and use the
hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware
infections associated with Boaxxe/Miuref or Kovter:

  • Use
    and maintain antivirus software.
    Antivirus software recognizes and protects your
    computer against most known viruses. Security companies are continuously
    updating their software to counter these advanced threats. Therefore, it
    is important to keep your antivirus software up-to-date. If you suspect
    you may be a victim of malware, update your antivirus software definitions
    and run a full-system scan. (See
    Understanding Anti-Virus
    for more information.)
  • Avoid
    clicking links in email.
    Attackers have become very skilled at making phishing
    emails look legitimate. Users should ensure the link is legitimate by
    typing the link into a new browser. (See
    Avoiding Social
    Engineering and Phishing Attacks
  • Change
    your passwords.
    original passwords may have been compromised during the infection, so you
    should change them. (See
    Choosing and Protecting
  • Keep
    your operating system and application software up-to-date.
    Install software patches
    so that attackers cannot take advantage of known problems or
    vulnerabilities. You should enable automatic updates of the operating
    system if this option is available. (See
    Understanding Patches and
    Software Updates 
    for more information.)
  • Use
    anti-malware tools.
    Using a legitimate program that identifies and removes
    malware can help eliminate an infection. Users can consider employing a
    remediation tool. A non-exhaustive list of examples is provided below. The
    U.S. Government does not endorse or support any particular product or