Stephen Coty

Stephen Coty
on July 19, 2018

Kovter Research and Analysis

Kovter Research and Analysis

Through recent alert analysis, Perch Labs has identified Kovter as malicious code on the rise since January. To truly understand the code, we need to understand its history:

  • Kovter, in 2013, was known as a piece of silent ransomware code that transferred files to an infected host without detection. Throughout 2013 and 2014, it was an effective ransomware that would wait on a system until a certain function would be performed. One of those functions was a popup screen notifying the user of illegal activity, with an interface provided to pay a fine, now known as a ransom.
  • Kovter then evolved into many click fraud campaigns. It would infect hosts and steal data to well architected Command and Control (C2) server architecture.
  • In 2015, Kovter evolved into one of the first file-less piece of malicious code that utilized autorun registry edits. It would embed a JavaScript function into the registry that executes a PowerShell script which then installs multiple binaries.
  • As Kovter continued to evolve, it added to its file-less capabilities by including file-like components and spawning local shells to spread laterally throughout your network.

The Kovter family of malicious code has a tradition of being effective and difficult to detect. The most common attack vector for Kovter has been through spam and targeting phishing email campaigns. Spam and phishing emails using false delivery notifications for UPS, FedEx or invoices are nothing new but are still incredibly effective especially when well researched and targeted. The main variants of Kovter are aimed at performing ad fraud and are difficult to detect and remove, as they implement these file-less infection methods. They can steal personal or corporate information, download additional malware or have complete access to the infected host.

Kovter Methodologies

1. Attack the Human Kovter arrives within mail attachments as a macro in an office file. When activated, the macro downloads additional files that triggers a powershell command stored in the registry to gain full control of the host. Then the randomly named file deletes itself. One of the most recent campaigns used an effective technique to trick users by using fake delivery notifications from UPS, USPS, and FedEx. The Emails have historically targeted Finance and HR departments through related internet services documents such as resumes and invoices. The email attachment is either a ZIP file that archives a double extension file (*.doc.html) or a standalone double extension HTML file.

2. Extract, Decode and Run Phishing, if targeted, is successful because of the research done on the company or individuals. Malicious actors will troll LinkedIn to identify key employees or easy targets. They then troll social media to evaluate likes and dislikes to help craft an email based on the data found. The HTML document will convince the user to click and download an “Office plugin,” but in the background, the HTML actually contains an embedded base64-encoded ZIP file.

3. Install Malicious javascript When executed, the HTML extracts a JS file (WebView-Plugin-Update-0.exe.js) which is a partially obfuscated JScript/JavaScript file hiding inside a 7-zip. Once connected, the fake WebView Plugin will download a JS file and immediately executes it after a de-obfuscation process.

4. Connect to C2 for additional payloads The file, once properly decoded, will again try to build different URLs using different domain names. There will be two possible URLs from each domain. The first URL will download something from the ransomware or spyware family and the second URL will download KOVTER. Both URLs will download a file with a *.PNG extension that will be renamed to *.EXE and executed later. There are layers of obfuscated files and multiple command and control sites.

5. Connect to new C2 to test file storage The malicious code will now attempt to communicate with the C2 servers that have been architected to store stolen assets from the infected hosts. Once communication is established there is a process that schedules regular connections to upload any data that the infected host has collected.



Strategy for Detection and Prevention

Due to its arrival via spam mail, your organization should consider setting up anti-spam filters that can block malicious emails before they can even reach the endpoint user. Also, implement web filtration that may detect communication with a C2 website.

1. Log Management Log messages are a very useful tool for a variety security tasks, but simply collecting logs locally in text files is often not enough. With tools like syslog-ng, security experts can centralize all of the log messages coming from servers, network devices, applications and lots of other sources (even printers and peripherals). With central log collection, one can easily check log messages even if the source machine suffered a hardware failure or logs were removed during a security incident. And once all of the logs are centralized, you can do interesting things like filter the messages, getting rid of the ones you don’t want, or classify messages so that you can group similar messages together. There are a few steps to follow to maintain an efficient and effective logging process:

  • Set a strategy – don’t log blindly
  • Structure your log data, and consider the format of your logs
  • Separate and centralize your log data
  • Practice end-to-end logging
  • Correlate data sources
  • Use unique identifiers
  • Add context
  • Perform real-time monitoring

2. File Integrity Management Organizations can also list methods for detection, which can be based on commands known to be used by malicious PowerShell scripts looking for patterns used to obfuscate their command-prompt. Files from any of the below malware will, once loaded, be detected through their file loads. This is another observable that can be detected through an FIM solution.

3. Intrusion Detection and Netflow An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting is the primary function, some intrusion detection systems are capable of taking actions when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious IP addresses.

4. Solid Threat Intelligence

5. 24/7 Monitoring of indicators like the IP address below In cyber threat intelligence, analysis often hinges on the triad of actors, intent, and capability; with consideration given to their tactics, techniques, and procedures (TTPs), motivations, and access to the intended targets. Studying this triad enables us to make informed, strategic, operational, and tactical assessments.

References:

Recorded Future – Kovter ID Card


We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: How to boost your FFIEC CAT score, Part 1: What the CAT dragged in

Share this on:

Stephen Coty

Stephen Coty
on July 19, 2018


Perchy Subscribe to our blog