Operation Eversion: Eight Indicted in Law Enforcement Takedown

An FBI-led law enforcement takedown dubbed Operation Eversion has led to the indictment of eight defendants and the seizure of infrastructure associated with the 3ve ad-fraud scam. Symantec was involved in an industry group which assisted in the investigation by helping identify infrastructure used by the attackers.

3ve specializes in creating fake versions of legitimate websites in order to carry advertisements. It then drives fake traffic to these advertisements using infected computers. These fake visitors generate click-through revenue from the ads for the attackers.

Powered by botnets

3ve leveraged up to 700,000 infected computers and controlled over 1.7 million IP addresses at one point. Much of the fraudulent traffic was facilitated through botnets controlled by the Miuref (Trojan.Miuref) and Kovter (Trojan.Kotver) malware families.

The machines that used the Miuref botnet were located mostly in data centers and were tasked with browsing to counterfeit websites. When the websites were loaded into a browser, requests were made for ads to be placed on those pages. These data center computers used the Miuref botnet as a proxy to request the ads in order to hide the true location of the request.

The Kovter component of the ad-fraud operation used the Kovter botnet to run a hidden instance of the Chrome web browser on infected computers. The browser was used to visit the counterfeit websites. Once loaded, they requested ads to be placed on the website pages.

Indicators of Miuref and Kovter infection

Miuref and Kovter are Trojans spread through malicious email attachments and drive-by downloads from infected websites.

Miuref loads several executable files onto infected computers. They may be found in one or more of the following locations:

• %UserProfile%\AppData\Local\VirtualStore\lsass.aaa
• %UserProfile%\AppData\Local\Temp\[RANDOM NAME].exe
• %UserProfile%\AppData\Local\[RANDOM EIGHT-CHARACTER FOLDER NAME]\[ORIGINAL FILE NAME].exe

The HKEY_CURRENT_USER “Run” key is set to the path of one of the executables listed above:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[PATH TO EXECUTABLE]\

Kovter infections are located mostly in the registry, but the following files may be found on infected computers:

• %UserProfile\AppData\Local\Temp\[RANDOM] .exe/.bat
• %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\[RANDOM]\[RANDOM FILENAME].exe
• %UserProfile%\AppData\Local\[RANDOM]\[RANDOM].lnk
• %UserProfile%\AppData\Local\[RANDOM]\[RANDOM].bat

Kovter is known to hide in the registry under:

• HKEY_CURRENT_USER\Software\[RANDOM]\[RANDOM]

The keys appear like random values and contain scripts. In some cases, a user-agent string can be clearly identified. An additional key containing a link to a Bash script on the hard drive may be placed within the following registry key:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Origins of Kovter

Kovter is an evolution of an older botnet known as Poweliks (Trojan.Poweliks). Like Kovter, Poweliks is a fileless threat that was developed from an earlier file-based variant, known at that time as Wowliks.

Like Kovter, Poweliks was mainly deployed as a click-fraud botnet. Infected computers would silently visit web pages in a hidden browser window and display advertisements in that window.

Protection/Mitigation

Symantec and Norton products protect against these threats as:

• Trojan.Miuref
• Trojan.Miuref.B
• Trojan.Miuref.B!g1
• Trojan.Kotver

If you believe you may be infected with Miuref or Kovter and are not a Symantec customer, you can use our free tool Norton Power Eraser to remove it from your system.

Threat Intelligence

Customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received reports on uses of the Kovter malware and how adversary groups have utilized this fileless threat in malicious advertising attacks.