SafeBreach Labs has updated the Hacker's Playbook™ with new simulations for the attacks described in US-CERT Alert TA18-331A. The alert covers an ad-fraud operation, referred to by the U.S. Government as "3ve", that created fake versions of both websites and visitors in order to funnel advertising revenue to cyber criminals.

3ve created fake versions of both websites and visitors and funneled the resulting advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IP addresses by leveraging victim computers infected with the Boaxxe/Miuref and Kovter malware families, together with Border Gateway Protocol (BGP)-hijacked IP addresses. The Boaxxe botnet is primarily located in a data center, while Kovter runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. Both malware families are spread through email attachments and drive-by downloads.

These are common attack techniques that have been observed across the healthcare, finance, government, and defense industries. Their wide availability makes both network defense and threat-actor attribution harder. SafeBreach recommends that all industries and businesses simulate the tools described in this alert to determine whether or not they are protected against these attacks.

To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Playbook #2110 - Transfer of Kovter malware over HTTP/S

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #2111 - Email the Kovter malware as a ZIP attachment (Infiltration)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #2112 - Write Kovter malware to disk

  • Endpoint Controls - Are security controls or hardening in place to prevent saving the malicious files to local disk?

Playbook #2113 - Email the Kovter malware as a ZIP attachment (Lateral)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #2114 - Transfer of Boaxxe/Miuref malware over HTTP/S

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #2115 - Email the Boaxxe/Miuref malware as a ZIP attachment (Infiltration)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #2116 - Write Boaxxe/Miuref malware to disk

  • Endpoint Controls - Are security controls or hardening in place to prevent saving the malicious files to local disk?

Playbook #2117 - Email the Boaxxe/Miuref malware as a ZIP attachment (Lateral)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?
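The three control classes exercised by the playbooks above (network transfer over HTTP, a ZIP attachment sent by email, and a write to local disk) can be reproduced in a small self-contained harness. The following is an added example, not SafeBreach's platform code and not the real Kovter or Boaxxe/Miuref samples: a constructed, benign byte string stands in for the malware, the "control" under test is modelled as a callable (a mail gateway that drops messages, a network guard that inspects downloaded bytes, an endpoint agent that quarantines a file), and each simulation reports BLOCKED only when the sample fails to arrive byte-for-byte intact. The sender addresses, file names and example controls are assumptions chosen for illustration.

```python
"""Added example: minimal breach-and-attack-simulation harness modelled on the
playbook entries above. The payload below is a constructed, harmless stand-in,
NOT malware from TA18-331A."""
import email
import email.policy
import functools
import hashlib
import http.server
import io
import os
import tempfile
import threading
import urllib.request
import zipfile
from email.message import EmailMessage

SAMPLE_NAME = "invoice_scan.exe"                       # assumed file name
SAMPLE_BYTES = b"MZ" + b"SIMULATED-TA18-331A-SAMPLE-" * 8  # constructed stand-in
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()


def build_zip(name, data):
    """Wrap the sample in a ZIP, as the 'ZIP attachment' playbooks do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_email(sender, recipient, zip_bytes):
    """Build the MIME message carrying the ZIP attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


def sample_from_email(raw):
    """Receiving side: parse MIME, unzip the attachment, return the sample or None."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/zip":
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if SAMPLE_NAME in zf.namelist():
                    return zf.read(SAMPLE_NAME)
    return None


def verdict(data):
    """The control failed only if the sample arrived with the expected hash."""
    ok = data is not None and hashlib.sha256(data).hexdigest() == SAMPLE_SHA256
    return "NOT BLOCKED" if ok else "BLOCKED"


def simulate_email(deliver, lateral=False):
    """Playbooks #2111/#2115 (infiltration, external sender) and #2113/#2117
    (lateral, internal sender). `deliver` models the mail path including any
    gateway control: it returns the message as the recipient sees it, or None."""
    sender = "hr@corp.example" if lateral else "billing@external.example"
    raw = build_email(sender, "user@corp.example", build_zip(SAMPLE_NAME, SAMPLE_BYTES))
    received = deliver(raw)
    return verdict(sample_from_email(received) if received else None)


def simulate_http(guard=lambda body: body):
    """Playbooks #2110/#2114: serve the ZIP from a loopback HTTP server and fetch
    it. `guard` models an inline network control that sees the downloaded bytes
    and returns None to block the transfer."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "payload.zip"), "wb") as f:
            f.write(build_zip(SAMPLE_NAME, SAMPLE_BYTES))
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=d)
        srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            with urllib.request.urlopen(f"http://127.0.0.1:{srv.server_port}/payload.zip") as r:
                body = guard(r.read())
        finally:
            srv.shutdown()
            srv.server_close()
    if body is None:
        return "BLOCKED"
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        return verdict(zf.read(SAMPLE_NAME))


def simulate_write_to_disk(quarantine=lambda path: None):
    """Playbooks #2112/#2116: drop the sample to disk and read it back.
    `quarantine` models an endpoint control that may remove the file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, SAMPLE_NAME)
        with open(path, "wb") as f:
            f.write(SAMPLE_BYTES)
        quarantine(path)
        try:
            with open(path, "rb") as f:
                return verdict(f.read())
        except FileNotFoundError:
            return "BLOCKED"


# Example controls (assumptions): a gateway that drops mail carrying a ZIP, a
# network guard and an endpoint agent that both act on the known sample hash.
def gateway_drops_zip(raw):
    return None if sample_from_email(raw) is not None else raw


def guard_blocks_known_hash(body):
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        inner = zf.read(SAMPLE_NAME)
    return None if hashlib.sha256(inner).hexdigest() == SAMPLE_SHA256 else body


def agent_quarantines_known_hash(path):
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() == SAMPLE_SHA256:
            os.remove(path)


if __name__ == "__main__":
    for name, result in [("#2110/#2114 HTTP transfer", simulate_http()),
                         ("#2111/#2115 email (infiltration)", simulate_email(lambda raw: raw)),
                         ("#2113/#2117 email (lateral)", simulate_email(gateway_drops_zip, lateral=True)),
                         ("#2112/#2116 write to disk", simulate_write_to_disk(agent_quarantines_known_hash))]:
        print(f"{name}: {result}")
```

The hash comparison is the important design choice: a control that merely renames, truncates or partially strips the attachment is still counted as a pass, because what matters to the attacker is whether an executable copy of the sample lands where it was sent. In a real deployment the callables would be replaced by the actual mail, proxy and endpoint paths, and the stand-in bytes by a defanged copy of the sample.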

Additional breach methods added recently include:
