Kovter Ad Fraud/3ve domains sinkholed, bringing down Kovter ad fraud infrastructure and more

November 27, 2018
Proofpoint Staff

Today, the US Department of Justice announced the indictment of several threat actors involved with Kovter ad fraud malware, among other related cybercrime. Simultaneously, Google and other industry partners announced the sinkholing of domains involved in these activities, effectively disrupting a massive criminal enterprise responsible for millions of dollars in losses. Researchers at Proofpoint were instrumental in providing malware samples and identifying infrastructure used in these activities.

In order to understand the significance of the recent news [1] regarding the actors behind Kovter ad malware and other malware and campaigns, it is useful to recall the scope and scale of their activities of the last several years. Proofpoint researchers and their colleagues have been very active in identifying, analyzing, and tracking the threats from this group, and this blog provides a summary of key findings from our research on the Kovter group.

Tracked by Proofpoint researcher Kafeine since its days as ransomware in 2013, Kovter ad fraud malware has featured in innovative campaigns, from incorporating social engineering tricks to using a then-novel technique to bypass malware sandbox systems. Not limited to email-based distribution, we detected and analyzed a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely. Over a period of more than a year, this attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers.

The detailed history of the main threat actor associated with Kovter campaigns (referred to in recent reports as a primary component of “3ve” [6]) – was described in a November, 2017, analysis of KovCoreG. This report documented how a financially motivated actor can adapt, evolve, and innovate over several years, influencing the threat landscape while remaining effective and viable as they fly under the radar of law enforcement, the sites and ad networks they abuse, and end users. KovCoreG also provides a window into the ways in which affiliate models can grow, increasing the footprint of a particular threat while spreading the risk for a single threat actor. KovCoreG was at the forefront of malvertising, exploit kit usage, and – as exploit kits declined – social engineering, while distributing lucrative malware through multiple vectors.

While threat actors have demonstrated time and again their resilience in the face of disruptions resulting from actions by law enforcement, vendors, and security researchers, coordinated efforts like these are important reminders of the practical value of threat research.


[1] https://www.justice.gov/usao-edny/pr/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing

[2] https://malware.dontneedcoffee.com/2013/03/ransomware-kovter-looking-at-your.html

[3] https://twitter.com/kafeine/status/730172140692082688

[4] https://www.proofpoint.com/us/threat-insight/post/spike-kovter-ad-fraud-malware-clever-macro-trick

[5] https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campaign-exposes-millions-potential-malware-and-fraud

[6] https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf

[7] https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-kovcoreg-kovter-saga