Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter’s persistence method and some updates on their latest malvertising campaigns.
New persistence method
Since June 2016, Kovter has changed their persistence method to make remediation harder for antivirus software.
Upon installation, Kovter will generate and register a new random file extension (for example, .bbf5590fd) and define a new shell open verb to handle this specific extension by setting the following registry keys:
Figure 1: Registry setup for Kovter
With this setup, every time a file with the custom file extension (.bbf5590fb) is opened, the malicious Kovter command contained in the registry key is executed via the shell extension open verb.
Therefore, all Kovter needs to do to run on infected machines is open a file with their custom file extension .bbf5590fb – causing the malicious shell open command to run. This in turn runs a command using mshta.
The contents of these files are not important, since the malicious code is contained within the shell open verb registry key. The last step in the installation process is setting up the auto-start mechanism to automatically open the above files. Kovter uses both a shortcut file and a batch (.bat) file for this:
Using a shortcut file
Kovter drops a shortcut file (.lnk) in the Windows startup folder which points to the garbage files. We have seen it drop the following shortcut file:
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\28dd1e3d.lnk
The target command of the shortcut file is the following:
C:\Windows\System32\cmd.exe /C start "" "C:\Users\Admin\AppData\Roaming\33e58839\3ad319e6.bbf5590fd"
Once executed at startup, this command will open the file, causing the malicious shell open verb to run the malicious mshta command previously set up in the registry system (see Figure 1).
Using a batch script file
Kovter will drop a batch script file (.bat) and set a registry run key to execute the .bat file. The .bat file will be dropped in a randomly generated folder, such as:
The .bat file has the following content:
Figure 2: Content of the .bat file setup in run key
Once executed, this bat will also run the dropped file, which then executes the malicious shell open verb.
Instead of just adding the mshta script directly as a run key registry as in the old variant, Kovter is now using this shell open trick to start itself. Although Kovter is technically not fully file-less after this latest update, the majority of the malicious code is still held only within the registry. To remove Kovter completely from an infected computer, antivirus software needs to remove all of these dropped files as well as the registry change.
Windows Defender is able to successfully clean up and remove these new versions of this threat.
Kovter malvertising updates
Since our last blog on Kovter spreading through malicious advertisements as a fake Adobe Flash update, we have observed some changes.
On top of the fake Adobe Flash updates, Kovter is now also pretending to be a Firefox update. Kovter has also rotated through a series of new digital certificates, including the following:
|Certificate signer hash||Valid from||Valid until|
|7e93cc85ed87ddfb31ac84154f28ae9d6bee0116||Apr 21 2016||Apr 21 2017|
|78d98ccccc41e0dea1791d24595c2e90f796fd48||May 13 2016||May 13 2017|
|c6305ea8aba8b095d31a7798f957d9c91fc17cf6||Jun 22 2016||Jun 22 2017|
|b780af39e1bf684b7d2579edfff4ed26519b05f6||May 12 2016||May 12 2017|
|a286affc5f6e92bdc93374646676ebc49e21bcae||May 13 2016||May 13 2017|
|ac4325c9837cd8fa72d6bcaf4b00186957713414||Nov 18 2015||Nov 17 2016|
|ce75af3b8be1ecef9d0eb51f2f3281b846add3fc||Dec 28 2015||Dec 27 2016|
Table 1: List of certificates used by Kovter
We've notice that every time Kovter actors release a new wave of samples signed with a new certificate they hit a lot of machines. This can be seen in our telemetry for the past three months, with spikes on May 21, June 14, and the first week of July.
Figure 3: Kovter’s prevalence for the past two months
Besides fake Adobe Flash and Firefox updates, Kovter also pretends to be a Chrome update (chrome-update.exe).
We have seen Kovter downloaded from a large list of URLs, including:
For reference, here are some SHA1s corresponding to each certificate used by Kovter:
|Certificate Signer Hash||SHA1|
Table 2: List of Kovter SHA1 for each certificate
To protect yourself from this type of attack, we encourage users to only download and install applications or their updates from their original and trusted websites.
Using an up-to-date version of an antimalware scanner like Windows Defender will also help you to stay protected from Kovter.