Kovter becomes almost file-less, creates a new file type, and gets some new certificates


Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter’s persistence method and some updates on their latest malvertising campaigns.

New persistence method

Since June 2016, Kovter has used a new persistence method that makes remediation harder for antivirus software.

Upon installation, Kovter will generate and register a new random file extension (for example, .bbf5590fd) and define a new shell open verb to handle this specific extension by setting the following registry keys:

Figure 1: Registry setup for Kovter

With this setup, every time a file with the custom file extension (.bbf5590fd) is opened, the malicious Kovter command stored in the registry key is executed via the shell extension open verb.

Therefore, all Kovter needs to do to run on an infected machine is open a file with its custom file extension .bbf5590fd, which causes the malicious shell open command to run. This in turn runs a command using mshta.

Mshta (mshta.exe) is a legitimate Windows tool that Kovter abuses to execute malicious JavaScript. This JavaScript then loads the main payload from another registry location, HKCU\software\67f1a6b24c\d0db239. To trigger this shell open command on a regular basis, Kovter drops several garbage files with its custom file extension in different locations, for example:

The contents of these files are not important, since the malicious code is contained within the shell open verb registry key. The last step in the installation process is setting up the auto-start mechanism to automatically open the above files. Kovter uses both a shortcut file and a batch (.bat) file for this:

Using a shortcut file

Kovter drops a shortcut file (.lnk) in the Windows startup folder which points to the garbage files. We have seen it drop the following shortcut file:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\28dd1e3d.lnk

The target command of the shortcut file is the following:

C:\Windows\System32\cmd.exe /C start "" "C:\Users\Admin\AppData\Roaming\33e58839\3ad319e6.bbf5590fd"

Once executed at startup, this command will open the file, causing the malicious shell open verb to run the malicious mshta command previously set up in the registry system (see Figure 1).

Using a batch script file

Kovter will drop a batch script file (.bat) and set a registry run key to execute the .bat file. The .bat file will be dropped in a randomly generated folder, such as:

The .bat file has the following content:

Figure 2: Content of the .bat file setup in run key

Once executed, this batch file also opens the dropped file, which then triggers the malicious shell open verb.

Instead of adding the mshta script directly as a Run registry key value as in the old variant, Kovter now uses this shell open trick to start itself. Although Kovter is technically not fully file-less after this latest update, the majority of the malicious code is still held only within the registry. To remove Kovter completely from an infected computer, antivirus software needs to remove all of these dropped files as well as the registry changes.
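The persistence chain described above (hijacked extension, shell open verb running mshta, garbage trigger files opened from a Startup shortcut or a Run-key batch file) can be hunted for with a short PowerShell script. The script below is an added example and is not code from the original post or from Microsoft; it assumes the association is registered in the standard Windows layout (Classes\<.ext> whose default value names a ProgID, with the command under <ProgID>\shell\open\command), and the hex-looking extension pattern is an assumption generalised from the single example (.bbf5590fd) given in the post. Run it in an elevated PowerShell prompt on the suspect machine.

```powershell
# Added hunting script (not from the original post). Looks for file-extension
# hijack persistence: an extension whose open verb launches a script host such
# as mshta, plus the Startup shortcuts and Run values that open such files.

# Script hosts commonly abused in an open verb; the post names mshta.
$ScriptHosts = 'mshta|wscript|cscript|powershell|rundll32|regsvr32'

function Get-OpenVerbCommand {
    param([string]$ClassesRoot, [string]$KeyName)
    $cmdKey = Join-Path -Path $ClassesRoot -ChildPath "$KeyName\shell\open\command"
    if (Test-Path -LiteralPath $cmdKey) {
        return (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
    }
    return $null
}

function Find-ExtensionHijack {
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Every subkey whose name starts with a dot is a registered extension.
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like '.*' } |
            ForEach-Object {
                $ext    = $_.PSChildName
                $progId = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                $cmd    = $null
                if ($progId) { $cmd = Get-OpenVerbCommand -ClassesRoot $root -KeyName $progId }
                # Some hijacks put shell\open\command directly under the extension key.
                if (-not $cmd) { $cmd = Get-OpenVerbCommand -ClassesRoot $root -KeyName $ext }
                if (-not $cmd) { return }
                $reason = $null
                if ($cmd -match $ScriptHosts)          { $reason = 'script host in open verb' }
                elseif ($ext -match '^\.[0-9a-f]{8,}$') { $reason = 'random-looking extension (assumed pattern)' }
                if ($reason) {
                    [pscustomobject]@{ Hive = $root; Extension = $ext; ProgId = $progId; Command = $cmd; Reason = $reason }
                }
            }
    }
}

function Find-TriggerFiles {
    param([string[]]$Extensions)
    if (-not $Extensions) { return }
    $pattern = ($Extensions | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Startup-folder shortcuts whose target opens a file with a hijacked extension.
    $startup = [Environment]::GetFolderPath('Startup')
    $wsh = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk  = $wsh.CreateShortcut($_.FullName)
        $line = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($line -match $pattern) {
            [pscustomobject]@{ Source = $_.FullName; Command = $line }
        }
    }

    # Run values, including ones that launch a .bat which in turn opens the file.
    foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $values = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            $cmd = [string]$p.Value
            $hit = $cmd -match $pattern
            if (-not $hit -and $cmd -match '([A-Za-z]:\\[^"]+\.bat)') {
                $bat = $Matches[1]
                if (Test-Path -LiteralPath $bat) {
                    $hit = (Get-Content -LiteralPath $bat -Raw -ErrorAction SilentlyContinue) -match $pattern
                }
            }
            if ($hit) { [pscustomobject]@{ Source = "$runKey\$($p.Name)"; Command = $cmd } }
        }
    }
}

$hijacks = @(Find-ExtensionHijack)
$hijacks | Format-List
Find-TriggerFiles -Extensions ($hijacks | Select-Object -ExpandProperty Extension) | Format-List
```

The first pass reports the hijacked extension together with the open-verb command, which is what an analyst needs to recover the mshta payload from the registry; the second pass ties it to the Startup shortcut and Run-key batch file so that all three pieces (registry keys, trigger files, shortcut or .bat) are removed together, as the post notes is required for complete cleanup.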

Windows Defender is able to successfully clean up and remove these new versions of this threat.

Kovter malvertising updates

Since our last blog on Kovter spreading through malicious advertisements as a fake Adobe Flash update, we have observed some changes.

On top of the fake Adobe Flash updates, Kovter is now also pretending to be a Firefox update. Kovter has also rotated through a series of new digital certificates, including the following:

Certificate signer hash Valid from Valid until
7e93cc85ed87ddfb31ac84154f28ae9d6bee0116 Apr 21 2016 Apr 21 2017
78d98ccccc41e0dea1791d24595c2e90f796fd48 May 13 2016 May 13 2017
c6305ea8aba8b095d31a7798f957d9c91fc17cf6 Jun 22 2016 Jun 22 2017
b780af39e1bf684b7d2579edfff4ed26519b05f6 May 12 2016 May 12 2017
a286affc5f6e92bdc93374646676ebc49e21bcae May 13 2016 May 13 2017
ac4325c9837cd8fa72d6bcaf4b00186957713414 Nov 18 2015 Nov 17 2016
ce75af3b8be1ecef9d0eb51f2f3281b846add3fc Dec 28 2015 Dec 27 2016

Table 1: List of certificates used by Kovter


We've noticed that every time the Kovter actors release a new wave of samples signed with a new certificate, they hit a lot of machines. This can be seen in our telemetry for the past three months, with spikes on May 21, June 14, and the first week of July.

Figure 3: Kovter’s prevalence for the past two months

Besides fake Adobe Flash and Firefox updates, Kovter also pretends to be a Chrome update (chrome-update.exe).

We have seen Kovter downloaded from a large list of URLs, including:

  • hxxps://eepheverseoftheday.org/2811826639187/2811826639187/146819749948281/FlashPlayer.exe
  • hxxps://deequglutenfreeclub.org/8961166952189/8961166952189/146809673281840/FlashPlayer.exe
  • hxxps://zaixovinmonopolet.net/5261173544131/5261173544131/146785099939564/FlashPlayer.exe
  • hxxps://feehacitysocialising.net/7561659755159/1468089713424429/firefox-patch.exe
  • hxxps://eepheverseoftheday.org/1851760268603/1851760268603/1468192094476645/firefox-patch.exe
  • hxxps://uchuhfsbox.net/8031143191240/8031143191240/1467996389305283/firefox-patch.exe
  • hxxps://ierairosihanari.org/1461656983266/1461656983266/1467987174641688/firefox-patch.exe
  • hxxps://anayimovilyeuros.net/7601143032510/7601143032510/1465468888898207/chrome-patch.exe

For reference, here are some SHA1s corresponding to each certificate used by Kovter:

Certificate Signer Hash SHA1
7e93cc85ed87ddfb31ac84154f28ae9d6bee0116 7177811e2f7be8db2a7d9b1f690dc9e764fdc8a2
78d98ccccc41e0dea1791d24595c2e90f796fd48 da3261ceff37a56797b47b998dafe6e0376f8446
c6305ea8aba8b095d31a7798f957d9c91fc17cf6 c3f3ecf24b6d39b0e4ff51af31002f3d37677476
b780af39e1bf684b7d2579edfff4ed26519b05f6 c49febe1e240e47364a649b4cd19e37bb14534d0
a286affc5f6e92bdc93374646676ebc49e21bcae 3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39
ac4325c9837cd8fa72d6bcaf4b00186957713414 e428de0899cb13de47ac16618a53c5831337c5e6
ce75af3b8be1ecef9d0eb51f2f3281b846add3fc b8cace9f517bad05d8dc89d7f76f79aae8717a24

Table 2: List of Kovter SHA1 for each certificate
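The two tables give a signer hash and a sample SHA1 per certificate, which can be turned directly into a local check for a suspicious download before it is run. The PowerShell function below is an added example, not code from the original post or from Microsoft; it assumes the "certificate signer hash" column is the SHA1 thumbprint of the signing certificate as reported by Get-AuthenticodeSignature, and it embeds the values from Table 1 and Table 2 as-is.

```powershell
# Added example (not from the original post): compare a file's SHA1 and its
# Authenticode signer thumbprint against the indicators published in the tables.

# Signer certificate thumbprints from Table 1 (assumed to be SHA1 thumbprints).
$KovterSignerThumbprints = @(
    '7e93cc85ed87ddfb31ac84154f28ae9d6bee0116',
    '78d98ccccc41e0dea1791d24595c2e90f796fd48',
    'c6305ea8aba8b095d31a7798f957d9c91fc17cf6',
    'b780af39e1bf684b7d2579edfff4ed26519b05f6',
    'a286affc5f6e92bdc93374646676ebc49e21bcae',
    'ac4325c9837cd8fa72d6bcaf4b00186957713414',
    'ce75af3b8be1ecef9d0eb51f2f3281b846add3fc'
)

# Sample SHA1s from Table 2.
$KovterSampleSha1 = @(
    '7177811e2f7be8db2a7d9b1f690dc9e764fdc8a2',
    'da3261ceff37a56797b47b998dafe6e0376f8446',
    'c3f3ecf24b6d39b0e4ff51af31002f3d37677476',
    'c49febe1e240e47364a649b4cd19e37bb14534d0',
    '3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39',
    'e428de0899cb13de47ac16618a53c5831337c5e6',
    'b8cace9f517bad05d8dc89d7f76f79aae8717a24'
)

function Test-KovterIndicators {
    param([Parameter(Mandatory)][string]$Path)

    $sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLowerInvariant()
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    # Unsigned files have no SignerCertificate; a valid-looking signature from a
    # known-bad certificate is still a hit, so the thumbprint is checked regardless
    # of the signature status.
    $thumb = $null
    if ($sig.SignerCertificate) { $thumb = $sig.SignerCertificate.Thumbprint.ToLowerInvariant() }

    [pscustomobject]@{
        Path               = $Path
        SHA1               = $sha1
        SignatureStatus    = $sig.Status
        SignerThumbprint   = $thumb
        MatchesKnownSample = ($KovterSampleSha1 -contains $sha1)
        MatchesKnownSigner = [bool]($thumb -and ($KovterSignerThumbprints -contains $thumb))
    }
}

# Usage: scan the Downloads folder for executables named like the lures in the post.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-KovterIndicators -Path $_.FullName } |
    Where-Object { $_.MatchesKnownSample -or $_.MatchesKnownSigner } |
    Format-List
```

Matching on the signer thumbprint is more durable than matching on sample SHA1s, since the post shows that each certificate is reused across a wave of samples; the same thumbprint list is what an administrator would feed into a certificate-based deny rule in Software Restriction Policies or AppLocker.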


To protect yourself from this type of attack, we encourage users to only download and install applications or their updates from their original and trusted websites.

Using an up-to-date version of an antimalware scanner like Windows Defender will also help you to stay protected from Kovter.

Duc Nguyen
MMPC

Comments (4)

  1. bdaly says:

    Is it possible to get the actual CER files for the Kovter certificates so that they can be used in a Software Restriction Policy GPO in Windows?

  2. adwbust says:

    how about pua installcore? it poses as fake flash, java, mediaplayer updates! just detect by certificate - it uses safe installer company by godaddy (?). virit explorer detects it that way.

  3. Ronal says:

    I have Windows Defender, it is completely up to date, and yet I have this virus which Windows Defender seems to notice, but not be able to erase for me. What do I do next?

    1. Ciudadano99 says:

      Hi
      I am in the same situation, Windows Defender detects it, it is supposed to be in quarantine but I cannot remove it.
      Do I have to format the hard disk?
